Introduction to the UNION operator
The UNION operator is used to combine the result sets of two or more SELECT statements. Note that each SELECT statement inside the UNION must have the same number of columns. The columns must also have similar data types, and the order of the columns in each SELECT statement must be the same.
SQL UNION syntax
SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Note: By default, the UNION operator returns only distinct values. If duplicate values are allowed, use UNION ALL.
SQL UNION ALL syntax
SELECT column_name(s) FROM table_name1
UNION ALL
SELECT column_name(s) FROM table_name2
In addition, the column names in the UNION result set are always the column names of the first SELECT statement in the UNION.
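The three UNION rules above (same column count, distinct rows unless UNION ALL, result column names taken from the first SELECT) can be checked directly against a database. The following is an added example that is not part of the original page: it builds two constructed tables (the names table_name1/table_name2 and their columns are made up for the illustration) in an in-memory SQLite database and shows each rule in turn.

```python
import sqlite3

# Added example (not from the original page): the UNION rules demonstrated on
# two constructed tables in an in-memory SQLite database. Table and column
# names are made up for the illustration.

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE table_name1(id INTEGER, name TEXT);
        CREATE TABLE table_name2(uid INTEGER, login TEXT);
        INSERT INTO table_name1 VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO table_name2 VALUES (2, 'bob'), (3, 'carol');
    """)
    return con

def union_query(con, use_all=False):
    """Run the two SELECTs joined by UNION (distinct) or UNION ALL.

    Returns (column names of the result set, rows sorted for a stable order).
    """
    op = "UNION ALL" if use_all else "UNION"
    cur = con.execute(
        f"SELECT id, name FROM table_name1 {op} SELECT uid, login FROM table_name2"
    )
    # cursor.description carries the result-set column names: they come from
    # the first SELECT (id, name), not from the second (uid, login).
    names = tuple(d[0] for d in cur.description)
    return names, sorted(cur.fetchall())

def column_count_mismatch(con):
    """A UNION whose SELECTs have different column counts is rejected when the
    statement is prepared, before any row is returned.
    Returns True if the database raised an error."""
    try:
        con.execute("SELECT id, name FROM table_name1 UNION SELECT uid FROM table_name2")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    con = make_db()
    print(union_query(con))                 # ('id', 'name'), 3 rows: (2,'bob') once
    print(union_query(con, use_all=True))   # 4 rows: (2,'bob') twice
    print(column_count_mismatch(con))       # True
```

SQLite is lenient about the "similar data type" rule and will happily UNION a number with a string; MySQL instead coerces both sides to a common type, which is why a UNION-based probe in MySQL typically has to match the column count first and only then worries about types.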
(6) Logical operations in SQL
Here I would like to discuss the question of logical operations.
Consider the query: select * from users where id=1 and 1=1; Why can this statement select the content with id=1, and what role does 1=1 play? To answer this, the execution order of the SQL statement must be clear.
Similarly, consider the so-called universal password, used against the following login query:
Select * from admin where username= ' admin ' and password= ' admin '
We can enter ' or 1=1# as the password. Why does this work?
This is a matter of logical operations. When the so-called universal password is used, the SQL statement becomes:
Select * from admin where username= ' admin ' and password= ' or 1=1# '
Explanation: when the above statement executes, we are logged in as the admin user without knowing the password.
The reason is that in the WHERE clause we now see three conditions: username= ' admin', password= '' and 1=1 (the # turns the rest of the line, including the original closing quote, into a comment). The three conditions are connected with AND and OR. In SQL, AND has higher precedence than OR. So the first condition (call it A) is true, the second condition (call it B) is false, and A AND B is false; this false result is then combined with the third condition using OR, and because the third condition 1=1 is always true, the result is true. So the above statement is always true.
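The same login query, built by string concatenation as the page describes and then with bound parameters, makes the difference concrete. This is an added example, not code from the original page: the admin table and its credential are constructed, and because SQLite comments run from "--" to the end of the line, the page's MySQL "#" is written as "-- " here; the AND/OR logic is otherwise identical. The and_or_precedence helper evaluates the precedence claim on constants.

```python
import sqlite3

# Added example, not from the original page: the login query from the text
# built by string concatenation (vulnerable) next to the same query with bound
# parameters (safe), run against a constructed admin table in SQLite.

UNIVERSAL_PASSWORD = "' or 1=1-- "   # the page's universal password in SQLite comment form

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'correct-horse');  -- constructed credential
    """)
    return con

def login_concat(con, username, password):
    """Vulnerable form: user input is pasted into the SQL text. The WHERE clause
    becomes  username='admin' AND password='' OR 1=1  (the comment swallows the
    trailing quote), and because AND binds tighter than OR it is always true."""
    sql = f"SELECT * FROM admin WHERE username='{username}' AND password='{password}'"
    return con.execute(sql).fetchall()

def login_param(con, username, password):
    """Safe form: the values are bound as parameters, so the whole input is
    compared as one string against the stored password and is never parsed
    as SQL."""
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()

def and_or_precedence(con):
    """Returns (A AND B OR C, (A AND B) OR C, A AND (B OR C)) for A=0, B=0, C=1.
    The first two agree and the third differs, showing that AND is evaluated
    before OR."""
    q = lambda expr: con.execute(f"SELECT {expr}").fetchone()[0]
    return q("0 AND 0 OR 1"), q("(0 AND 0) OR 1"), q("0 AND (0 OR 1)")

if __name__ == "__main__":
    con = make_db()
    print(login_concat(con, "admin", UNIVERSAL_PASSWORD))  # [('admin', 'correct-horse')]: logged in
    print(login_param(con, "admin", UNIVERSAL_PASSWORD))   # []: rejected
    print(and_or_precedence(con))                          # (1, 1, 0)
```

The parameterized form is the fix: the driver sends the statement and the values separately, so no quoting trick can change where the WHERE clause ends.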
①Select * from users where id=1 and 1=1;
②Select * from users where id=1 && 1=1;
③Select * from users where id=1 & 1=1;
What is the difference between the three above? ① and ② are the same: the condition id=1 and the condition 1=1 are combined with a logical AND.
③ means that the condition id=1 and the value 1 undergo a bitwise & operation: id=1 is treated as true (1), 1 & 1 gives 1, and the = comparison 1=1 then gives 1, so the condition is true (note that & has higher priority than =).
PS: On the bitwise operations used here. A number can be converted to binary and then combined with AND, OR, NOT, XOR and the like. This can be used to inject results when necessary. For example, after converting a character to its ASCII code, you can AND it separately with 1, 2, 4, 8, 16, 32, ... to get the value of each bit; putting the bits together gives the ASCII code, and the character is then recovered from the ASCII value. (Rarely used.)
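The following added example (not part of the original page) runs forms ① and ③ against a constructed users table in SQLite, shows with constants that & is evaluated before =, and carries the bit-by-bit ASCII reconstruction through with masks 1, 2, 4, ..., 128. SQLite has no && operator, so form ② is MySQL-only and is not run; & and = have the same relative precedence in SQLite as in MySQL.

```python
import sqlite3

# Added example, not from the original page: WHERE forms (1) and (3), the
# precedence of & over =, and the bitwise decomposition of an ASCII code,
# run in SQLite against a constructed users table.

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
    """)
    return con

def where_forms(con):
    """Rows matched by form (1) 'id=1 and 1=1' and form (3) 'id=1 & 1=1'.
    Because & binds tighter than =, form (3) parses as (id = (1 & 1)) = 1,
    i.e. (id=1)=1, which is true only for the id=1 row."""
    f1 = con.execute("SELECT id FROM users WHERE id=1 AND 1=1").fetchall()
    f3 = con.execute("SELECT id FROM users WHERE id=1 & 1=1").fetchall()
    return f1, f3

def amp_before_eq(con):
    """'2 & 2 = 2' is (2 & 2) = 2 -> 1, whereas '2 & (2 = 2)' is 2 & 1 -> 0.
    The two differ only because & is evaluated before =."""
    a = con.execute("SELECT 2 & 2 = 2").fetchone()[0]
    b = con.execute("SELECT 2 & (2 = 2)").fetchone()[0]
    return a, b

def char_from_bits(con, ch):
    """Rebuild a character from its ASCII code one bit at a time: AND the code
    with 1, 2, 4, ..., 128 and add up the masks whose bit is set. This costs
    eight near-identical queries per character that differ only in the mask,
    which is the pattern a query log shows when the technique is in use."""
    code = 0
    for mask in (1, 2, 4, 8, 16, 32, 64, 128):
        bit_set = con.execute("SELECT (unicode(?) & ?) > 0", (ch, mask)).fetchone()[0]
        if bit_set:
            code += mask
    return chr(code)

if __name__ == "__main__":
    con = make_db()
    print(where_forms(con))          # ([(1,)], [(1,)])
    print(amp_before_eq(con))        # (1, 0)
    print(char_from_bits(con, "a"))  # 'a' (97 = 64 + 32 + 1)
```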
(7) Injection process
A database stores data as follows: a database server holds many databases, each database contains many data tables, each table has many columns, and each column stores data. The injection process is therefore to get the database name, then the data tables in the current database, then the columns in the current table, and finally the data.
Now let's do some basic MySQL operations. Start MySQL and list the databases with:
show databases;
The database used for this experiment is called security, so we select it:
use security;
We can see what tables are in this database:
show tables;
Now we can see that there are four tables here. Next, let's look at the structure of a table:
desc emails;
Before continuing with the attack from the front end, we need to discuss the system database, information_schema. Switch to it:
use information_schema;
Let's take a look at its tables:
show tables;
Now let's examine the tables table first:
desc tables;
Now let's use this query:
select table_name from information_schema.tables where table_schema = "security";
With this query, we can retrieve the table names.
MySQL has a system database, INFORMATION_SCHEMA, which stores metadata about all the databases on the server; in general, with its tables a complete injection can be carried out. The general process is as follows.
Guess the databases
SELECT schema_name FROM information_schema.schemata
Guess the data tables of a database
SELECT table_name FROM information_schema.tables WHERE table_schema= ' xxxxx '
Guess all the columns of a table
SELECT column_name FROM information_schema.columns WHERE table_name= ' xxxxx '
Get the contents of a column
SELECT *** FROM ***
Practice exercises for the above: LESS1-LESS4