1. What is a temporary table:
- It is a table created in the system temporary folder;
- It is only visible in the current connection; when the connection is closed, MySQL automatically deletes the table and releases all space;
- If other MySQL client programs are used to connect to the MySQL database server and create temporary tables, the temporary tables are destroyed only when the client program is closed.
2. Temporary table generation scenarios:
The original table for this experiment is:
Property 1:
When we select a value that does not exist, a temporary table is returned. If the table in the query statement does not exist, or no table is specified, the column names of the temporary table are the values being queried; that is, the column name and the field content are the same, as follows:
Property 2:
If the query statement contains a table name and the table exists, then querying information that does not exist will return a complete table, as follows:
Property 3:
If the query statement has a where constraint but the constraint is false, an empty table with only column names is returned, as follows:
3. Advanced use of temporary table and union:
We can use a query statement with a where clause: when the constraint after it is false, that is, when no row satisfies it, a table with only column names is returned. SQL injection can use this to build the table we want.
The example statement is: select * from zw where tool='fff' union select 5,5;
In the tool column of the table there is no "fff" data, so the first select returns an empty table with only column names, but it is followed by a union operator.
The nature of the union operator is: it merges the queried tables into one table in turn and does not keep the column names of any table except the first; the data of the other tables is appended to the first table in turn, so all tables share the column names of the first table.
When the first table has only column names, and the second statement selects non-existent data and returns the data itself, the column names of the first table are kept while the returned content is replaced with values we choose.
4. Use scenarios:
Suppose there is a login page.
The verification mechanism of this page is to query the account and password from the database for verification.
The query statement is:
select user,password from users where user="input";
This statement looks up the corresponding user name and password in the database according to the user we entered, and then compares them with the user name and password we entered.
Here we can use the union operator to construct a new table to bypass the check.
Here is the initial table used for experimentation:
We can see that under normal circumstances, we need the user name to be admin and the password to be 123456 to log in successfully.
But suppose we use the following statement:
select user,password from users where user="6666" union select "admin","admin";
This constructs a temporary table in which the username and password are both admin, which bypasses the check.
The execution result is:
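The login check and bypass described in this section, as an added example that is not part of the original post, with the string-built query placed beside a parameterized one so the effect of the fix is visible. Assumptions: Python's built-in sqlite3 stands in for MySQL, string literals use single quotes, the function names are hypothetical, and the page is taken to compare the submitted password with the password column of the returned row.

```python
import sqlite3

# Constructed input: typed into the user field, it turns the page's query into
# select user,password from users where user='6666' union select 'admin','admin'
CRAFTED_USER = "6666' union select 'admin','admin"


def make_db():
    # Constructed sample data matching the page's users table (admin / 123456).
    db = sqlite3.connect(":memory:")
    db.execute("create table users (user text, password text)")
    db.execute("insert into users values ('admin', '123456')")
    return db


def _verify(row, password):
    # Assumed verification step: accept when the returned password equals the
    # submitted one, and log in as the returned user.
    if row is not None and row[1] == password:
        return row[0]
    return None


def login_vulnerable(db, user, password):
    # Input is pasted into the SQL text, so a quote in it ends the literal and
    # the rest is parsed as SQL (here, the union select from the page).
    sql = "select user,password from users where user='%s'" % user
    return _verify(db.execute(sql).fetchone(), password)


def login_parameterized(db, user, password):
    # Input is bound as a value; it is only ever compared with the user column
    # and is never parsed as SQL.
    sql = "select user,password from users where user=?"
    return _verify(db.execute(sql, (user,)).fetchone(), password)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized)):
        print(name, "normal login  ->", fn(db, "admin", "123456"))
        print(name, "crafted input ->", fn(db, CRAFTED_USER, "admin"))
```

With the string-built query, the empty first select contributes only the column names and the union row supplies both values being compared, so the stored password 123456 is never consulted; with the bound parameter the whole input is treated as a user name that does not exist.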
For more related content, please check the author's blog http://blog.byzhb.top/