SQL注入:联合查询与注入逻辑
联合查询
union:默认去重(合并两个结果集并去除重复行)
-- UNION merges the two result sets and drops duplicate rows.
-- Both SELECTs must return the same number of columns.
SELECT *
FROM tableName1
UNION
SELECT *
FROM tableName2
union all:显示所有行(保留重复行)
-- UNION ALL merges the two result sets and keeps every row, duplicates included.
-- Both SELECTs must return the same number of columns.
SELECT *
FROM tableName1
UNION ALL
SELECT *
FROM tableName2
联合查询与注入报错|联合查询与取代逻辑
# Illustrative example: databaseName, tableName, columnName and the trailing "..."
# are placeholders, not literal names.
# Normal (intended) statement.
# $variable is expanded by the shell inside the double-quoted SQL text, so its value
# becomes part of the statement that mysql parses instead of being handled as data.
variable=value
mysql databaseName -e "select * from tableName where columnName='$variable'"
# Attack statement: the supplied value closes the quoted string and appends its own
# UNION SELECT to the query.
variable=-1' union select columnName1,columnName2...'
mysql databaseName -e "select * from tableName where columnName='$variable'"
# Result: both SELECTs must have the same number of columns, otherwise an error occurs
# (the second SELECT's result replaces what the first SELECT would display).
mysql databaseName -e "select * from tableName where columnName='-1' union select columnName1,columnName2...''"
# Mitigation: never build SQL by interpolating input into the statement text.
# Pass the value as a bound parameter of a prepared statement, validate it against the
# expected type/format first, and run the query with a least-privilege database account.
# Detection: a UNION appearing in the logged text of a query that normally has none
# is a sign the input was treated as SQL.
