MySQL 很重要的库 - 信息字典

在做owasp SQL 注入的时候,有个很重要的库,那就是 信息库:

这个库就是: information_schema; (准确的说,数据字典)

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

下面区这个库里面看看table:

mysql> select * from TABLES\G

*************************** 680. row ***************************

  TABLE_CATALOG: NULL

   TABLE_SCHEMA: yazd

库名

     TABLE_NAME: yazduserprop

     TABLE_TYPE: BASE TABLE

         ENGINE: MyISAM

        VERSION: 10

     ROW_FORMAT: Dynamic

     TABLE_ROWS: 13

 AVG_ROW_LENGTH: 30

    DATA_LENGTH: 392

MAX_DATA_LENGTH: 281474976710655

   INDEX_LENGTH: 2048

      DATA_FREE: 0

 AUTO_INCREMENT: NULL

    CREATE_TIME: 2012-07-13 16:21:01

    UPDATE_TIME: 2012-07-13 16:26:26

     CHECK_TIME: 2012-07-13 16:26:26

TABLE_COLLATION: latin1_swedish_ci

       CHECKSUM: NULL

 CREATE_OPTIONS:

  TABLE_COMMENT:

680 rows in set (0.07 sec)

上面可以列出所有的库名,还有表名。

-

可以先看一个table:

mysql> select * from TABLES limit=1\G

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=1' at line 1

mysql> select * from TABLES limit 1\G

*************************** 1. row ***************************

  TABLE_CATALOG: NULL

   TABLE_SCHEMA: information_schema

     TABLE_NAME: CHARACTER_SETS

     TABLE_TYPE: SYSTEM VIEW

         ENGINE: MEMORY

        VERSION: 10

     ROW_FORMAT: Fixed

     TABLE_ROWS: NULL

 AVG_ROW_LENGTH: 384

    DATA_LENGTH: 0

MAX_DATA_LENGTH: 16604160

   INDEX_LENGTH: 0

      DATA_FREE: 0

 AUTO_INCREMENT: NULL

    CREATE_TIME: NULL

    UPDATE_TIME: NULL

     CHECK_TIME: NULL

TABLE_COLLATION: utf8_general_ci

       CHECKSUM: NULL

 CREATE_OPTIONS: max_rows=43690

  TABLE_COMMENT:

1 row in set (0.07 sec)

查询所有的库名:

mysql> select DISTINCT TABLE_SCHEMA  from TABLES;

+--------------------+

| TABLE_SCHEMA       |

+--------------------+

| information_schema |

| bricks             |

| bwapp              |

| citizens           |

| cryptomg           |

| dvwa               |

| gallery2           |

| getboo             |

| ghost              |

| gtd-php            |

| hex                |

| isp                |

| joomla             |

| mutillidae         |

| mysql              |

| nowasp             |

| orangehrm          |

| personalblog       |

| peruggia           |

| phpbb              |

| phpmyadmin         |

| proxy              |

| rentnet            |

| sqlol              |

| tikiwiki           |

| vicnum             |

| wackopicko         |

| wavsepdb           |

| webcal             |

| webgoat_coins      |

| wordpress          |

| wraithlogin        |

| yazd               |

+--------------------+

33 rows in set (0.00 sec)

--

下面查询某库里面的表:

mysql> select TABLE_NAME from information_schema.tables where TABLE_SCHEMA='wordpress';

+-------------------+

| TABLE_NAME        |

+-------------------+

| wp_categories     |

| wp_comments       |

| wp_linkcategories |

| wp_links          |

| wp_mygallery      |

| wp_mygprelation   |

| wp_mypictures     |

| wp_options        |

| wp_post2cat       |

| wp_postmeta       |

| wp_posts          |

| wp_spreadsheet    |

| wp_usermeta       |

| wp_users          |

+-------------------+

14 rows in set (0.00 sec)

--

关于某些表的里面特殊字段,想列出的话,desc table_name;

举个例子:

mysql> desc wordpress.wp_users;

+---------------------+---------------------+------+-----+---------------------+----------------+

| Field               | Type                | Null | Key | Default             | Extra          |

+---------------------+---------------------+------+-----+---------------------+----------------+

| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |

| user_login          | varchar(60)         | NO   | MUL |                     |                |

| user_pass           | varchar(64)         | NO   |     |                     |                |

| user_nicename       | varchar(50)         | NO   |     |                     |                |

| user_email          | varchar(100)        | NO   |     |                     |                |

| user_url            | varchar(100)        | NO   |     |                     |                |

| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                |

| user_activation_key | varchar(60)         | NO   |     |                     |                |

| user_status         | int(11)             | NO   |     | 0                   |                |

| display_name        | varchar(250)        | NO   |     |                     |                |

+---------------------+---------------------+------+-----+---------------------+----------------+

10 rows in set (0.00 sec)

但是在union 里面是不能加DESC 的,所以sql 注入的时候,要想其他办法。

其实,另外一个是information_schema 里面的columns 这个table.

注意: columns 是复数,有"s" 的。

mysql> desc information_schema.columns;

+--------------------------+---------------------+------+-----+---------+-------+

| Field                    | Type                | Null | Key | Default | Extra |

+--------------------------+---------------------+------+-----+---------+-------+

| TABLE_CATALOG            | varchar(512)        | YES  |     | NULL    |       |

| TABLE_SCHEMA             | varchar(64)         | NO   |     |         |       |

| TABLE_NAME               | varchar(64)         | NO   |     |         |       |

| COLUMN_NAME              | varchar(64)         | NO   |     |         |       |

| ORDINAL_POSITION         | bigint(21) unsigned | NO   |     | 0       |       |

| COLUMN_DEFAULT           | longtext            | YES  |     | NULL    |       |

| IS_NULLABLE              | varchar(3)          | NO   |     |         |       |

| DATA_TYPE                | varchar(64)         | NO   |     |         |       |

| CHARACTER_MAXIMUM_LENGTH | bigint(21) unsigned | YES  |     | NULL    |       |

| CHARACTER_OCTET_LENGTH   | bigint(21) unsigned | YES  |     | NULL    |       |

| NUMERIC_PRECISION        | bigint(21) unsigned | YES  |     | NULL    |       |

| NUMERIC_SCALE            | bigint(21) unsigned | YES  |     | NULL    |       |

| CHARACTER_SET_NAME       | varchar(32)         | YES  |     | NULL    |       |

| COLLATION_NAME           | varchar(32)         | YES  |     | NULL    |       |

| COLUMN_TYPE              | longtext            | NO   |     | NULL    |       |

| COLUMN_KEY               | varchar(3)          | NO   |     |         |       |

| EXTRA                    | varchar(27)         | NO   |     |         |       |

| PRIVILEGES               | varchar(80)         | NO   |     |         |       |

| COLUMN_COMMENT           | varchar(255)        | NO   |     |         |       |

+--------------------------+---------------------+------+-----+---------+-------+

19 rows in set (0.00 sec)

以下是查询proxy.logs这个表的column信息:

TABLE_SCHEMA='proxy' 库 and TABLE_NAME='logs' 表;

mysql> select COLUMN_NAME from information_schema.columns where TABLE_SCHEMA='proxy' and TABLE_NAME='logs';

+-------------+

| COLUMN_NAME |

+-------------+

| userid      |

| source      |

| target      |

| timestamp   |

+-------------+

4 rows in set (0.00 sec)
 

参考文献: 12.SQL注入攻击_哔哩哔哩_bilibili

上一篇:搭建k8s集群


下一篇:Pytorch使用教程(12)-如何进行并行训练?