在做owasp SQL 注入的时候,有个很重要的库,那就是 信息库:
这个库就是: information_schema; (准确的说,数据字典)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
下面区这个库里面看看table:
mysql> select * from TABLES\G
*************************** 680. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: yazd |
库名 |
TABLE_NAME: yazduserprop |
TABLE_TYPE: BASE TABLE
ENGINE: MyISAM
VERSION: 10
ROW_FORMAT: Dynamic
TABLE_ROWS: 13
AVG_ROW_LENGTH: 30
DATA_LENGTH: 392
MAX_DATA_LENGTH: 281474976710655
INDEX_LENGTH: 2048
DATA_FREE: 0
AUTO_INCREMENT: NULL
CREATE_TIME: 2012-07-13 16:21:01
UPDATE_TIME: 2012-07-13 16:26:26
CHECK_TIME: 2012-07-13 16:26:26
TABLE_COLLATION: latin1_swedish_ci
CHECKSUM: NULL
CREATE_OPTIONS:
TABLE_COMMENT:
680 rows in set (0.07 sec)
上面可以列出所有的库名,还有表名。
-
可以先看一个table:
mysql> select * from TABLES limit=1\G
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=1' at line 1
mysql> select * from TABLES limit 1\G
*************************** 1. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: information_schema
TABLE_NAME: CHARACTER_SETS
TABLE_TYPE: SYSTEM VIEW
ENGINE: MEMORY
VERSION: 10
ROW_FORMAT: Fixed
TABLE_ROWS: NULL
AVG_ROW_LENGTH: 384
DATA_LENGTH: 0
MAX_DATA_LENGTH: 16604160
INDEX_LENGTH: 0
DATA_FREE: 0
AUTO_INCREMENT: NULL
CREATE_TIME: NULL
UPDATE_TIME: NULL
CHECK_TIME: NULL
TABLE_COLLATION: utf8_general_ci
CHECKSUM: NULL
CREATE_OPTIONS: max_rows=43690
TABLE_COMMENT:
1 row in set (0.07 sec)
查询所有的库名:
mysql> select DISTINCT TABLE_SCHEMA from TABLES;
+--------------------+
| TABLE_SCHEMA |
+--------------------+
| information_schema |
| bricks |
| bwapp |
| citizens |
| cryptomg |
| dvwa |
| gallery2 |
| getboo |
| ghost |
| gtd-php |
| hex |
| isp |
| joomla |
| mutillidae |
| mysql |
| nowasp |
| orangehrm |
| personalblog |
| peruggia |
| phpbb |
| phpmyadmin |
| proxy |
| rentnet |
| sqlol |
| tikiwiki |
| vicnum |
| wackopicko |
| wavsepdb |
| webcal |
| webgoat_coins |
| wordpress |
| wraithlogin |
| yazd |
+--------------------+
33 rows in set (0.00 sec)
--
下面查询某库里面的表:
mysql> select TABLE_NAME from information_schema.tables where TABLE_SCHEMA='wordpress';
+-------------------+
| TABLE_NAME |
+-------------------+
| wp_categories |
| wp_comments |
| wp_linkcategories |
| wp_links |
| wp_mygallery |
| wp_mygprelation |
| wp_mypictures |
| wp_options |
| wp_post2cat |
| wp_postmeta |
| wp_posts |
| wp_spreadsheet |
| wp_usermeta |
| wp_users |
+-------------------+
14 rows in set (0.00 sec)
--
关于某些表的里面特殊字段,想列出的话,desc table_name;
举个例子:
mysql> desc wordpress.wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| user_login | varchar(60) | NO | MUL | | |
| user_pass | varchar(64) | NO | | | |
| user_nicename | varchar(50) | NO | | | |
| user_email | varchar(100) | NO | | | |
| user_url | varchar(100) | NO | | | |
| user_registered | datetime | NO | | 0000-00-00 00:00:00 | |
| user_activation_key | varchar(60) | NO | | | |
| user_status | int(11) | NO | | 0 | |
| display_name | varchar(250) | NO | | | |
+---------------------+---------------------+------+-----+---------------------+----------------+
10 rows in set (0.00 sec)
但是在union 里面是不能加DESC 的,所以sql 注入的时候,要想其他办法。
其实,另外一个是information_schema 里面的columns 这个table.
注意: columns 是复数,有"s" 的。
mysql> desc information_schema.columns;
+--------------------------+---------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG | varchar(512) | YES | | NULL | |
| TABLE_SCHEMA | varchar(64) | NO | | | |
| TABLE_NAME | varchar(64) | NO | | | |
| COLUMN_NAME | varchar(64) | NO | | | |
| ORDINAL_POSITION | bigint(21) unsigned | NO | | 0 | |
| COLUMN_DEFAULT | longtext | YES | | NULL | |
| IS_NULLABLE | varchar(3) | NO | | | |
| DATA_TYPE | varchar(64) | NO | | | |
| CHARACTER_MAXIMUM_LENGTH | bigint(21) unsigned | YES | | NULL | |
| CHARACTER_OCTET_LENGTH | bigint(21) unsigned | YES | | NULL | |
| NUMERIC_PRECISION | bigint(21) unsigned | YES | | NULL | |
| NUMERIC_SCALE | bigint(21) unsigned | YES | | NULL | |
| CHARACTER_SET_NAME | varchar(32) | YES | | NULL | |
| COLLATION_NAME | varchar(32) | YES | | NULL | |
| COLUMN_TYPE | longtext | NO | | NULL | |
| COLUMN_KEY | varchar(3) | NO | | | |
| EXTRA | varchar(27) | NO | | | |
| PRIVILEGES | varchar(80) | NO | | | |
| COLUMN_COMMENT | varchar(255) | NO | | | |
+--------------------------+---------------------+------+-----+---------+-------+
19 rows in set (0.00 sec)
以下是查询proxy.logs这个表的column信息:
TABLE_SCHEMA='proxy' 库 and TABLE_NAME='logs' 表;
mysql> select COLUMN_NAME from information_schema.columns where TABLE_SCHEMA='proxy' and TABLE_NAME='logs';
+-------------+
| COLUMN_NAME |
+-------------+
| userid |
| source |
| target |
| timestamp |
+-------------+
4 rows in set (0.00 sec)
参考文献: 12.SQL注入攻击_哔哩哔哩_bilibili