Mysql数据库的mysql Schema 究竟有哪些东西& 手工注入的基础要领

zoukankan html css js c++ java

Mysql数据库的mysql Schema 究竟有哪些东西& 手工注入的基础要领

#查看数据库版本号
mysql> select @@version;
+------------+
| @@version |
+------------+
| 5.5.16-log |
+------------+
1 row in set (0.00 sec)

mysql> select * from information_schema.schemata; # 保存了系统的全部的数据库名，关键的字段是schema_name
# 2 rows in set (0.04 sec)表示仅仅有2个数据库
+--------------+--------------------+----------------------------+------------------------+----------+
| catalog_name | schema_name | default_character_set_name | default_collation_name | sql_path |
+--------------+--------------------+----------------------------+------------------------+----------+
| def | information_schema | utf8 | utf8_general_ci | null |
| def | test | gb2312 | gb2312_chinese_ci | null |
+--------------+--------------------+----------------------------+------------------------+----------+

mysql> select * from information_schema.columns; #

# 关键的字段是table_name & column_name 411 rows in set (0.05 sec)

+---------------+--------------------+---------------------------------------+-------------------------------+------------------

| table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type |

character_maximum_length | character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name | column_type | column_key | extra

| privileges | column_comment |

+---------------+--------------------+---------------------------------------+-------------------------------+------------------

mysql> select * from information_schema.tables; # 包括全部的表名，38 rows in set (0.09 sec) 表示有38张表

mysql> select count(*) from information_schema.tables; # count(*)返回一共同拥有多少行（就是多少条记录）

+----------+
| count(*) |
+----------+
| 38 |
+----------+
1 row in set (0.00 sec)

#关键的字段是table_column & table_name

+---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--

| table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length |

max_data_length | index_length | data_free | auto_increment | create_time | update_time | check_time | table_collation | checksum | create_options |

table_comment |
+---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--

mysql> select * from information_schema.tables where table_schema="test";

# keyword是table_name和table_schema (数据库名)
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

| table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length | max_data_length | index_length |

data_free | auto_increment | create_time | update_time | check_time | table_collation | checksum | create_options | table_comment |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

| def | test | t_users | base table | innodb | 10 | compact | 0 | 0 | 16384 | 0 | 16384 | 9437184 | 1 | 2012-10

-06 12:21:23 | null | null | gb2312_chinese_ci | null | | |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

1 row in set (0.00 sec)

mysql> select * from information_schema.columns where table_name="t_users";

# 关键是得到 column_name

+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

| table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type | character_maximum_length |

character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name | column_type | column_key | extra | privileges |

column_comment |
+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

| def | test | t_users | id | 1 | null | no | int | null | null | 10 | 0 | null |

null | int(11) | pri | auto_increment | select,insert,update,references | |
| def | test | t_users | name | 2 | null | no | text | 65535 | 65535 | null | null | gb2312

| gb2312_chinese_ci | text | | | select,insert,update,references | |
| def | test | t_users | password | 3 | null | no | text | 65535 | 65535 | null | null | gb2312

| gb2312_chinese_ci | text | | | select,insert,update,references | |
+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

3 rows in set (0.01 sec)

mysql> select "id","password" from information_schema.columns where table_name="t_users";

# 注意当要查询的变量是常数的时候就是空查询，返回的一定就是你的查询常量，通常是在union的查询里确定
显示位置而用的

+----+----------+
| id | password |
+----+----------+
| id | password |
| id | password |
| id | password |
+----+----------+
3 rows in set (0.02 sec)

mysql> use test; #使用该数据库

database changed
mysql> select * from test;
error 1146 (42s02): table 'test.test' doesn't exist
mysql> select * from t_users;
empty set (0.00 sec)

这样就不须要再猜username和password啦

insert into `t_users`(`id`, `name`, `password`) values (001,'张三疯','123456');
#插入一条记录之后

mysql> select * from t_users;
+----+--------+----------+
| id | name | password |
+----+--------+----------+
| 1 | 张三疯 | 123456 |
+----+--------+----------+
1 row in set (0.00 sec)

#假设没有权限加入，就仅仅有逐位猜值啦

mysql> select count(*) from t_users where len(password)=12;
error 1305 (42000): function test.len does not exist
mysql>

# 二分查找法

#这里报错啦，该函数不存在，在mysql是length()在access里是len();
mysql> select count(*) from t_users where length(password)=12;
error 1305 (42000): function test.len does not exist

#首先确定了password的长度

mysql> select password from t_users where length(password)<6;
empty set (0.00 sec)

mysql> select password from t_users where length(password)>6;
empty set (0.00 sec)

mysql> select password from t_users where length(password)=6;
+----------+
| password |
+----------+
| 123456 |
+----------+
1 row in set (0.00 sec)

#再进行逐位猜值

select * from t_users where asc(left(password,1))>0;

mysql> select password from t_users where left(password,1)<1;
empty set (0.00 sec)

mysql> select password from t_users where left(password,1)<2;
+----------+
| password |
+----------+
| 123456 |
+----------+
#函数运行并成功返回，说明第一位的值就是1

#或者直接查询password:

mysql> select password from t_users where length('password')>0;
+----------+
| password |
+----------+
| 123456 |
+----------+
1 row in set (0.00 sec)

mysql> select password from t_users where ascii(left(password,1))<2;
empty set (0.00 sec)

#在mysql里面什么函数都要写全啦，在acess里直接就是asc();

mysql> select password from t_users where ascii(left(password,1))=49;
+----------+
| password |
+----------+
| 123456 |

#能够直接擦每一位的值，也能够查acs值，可是直接查值是快些
#这样直到猜完length(password)位为止

#可是中文的名字不好猜啊，1个字，2个字节

>>> int("张")
traceback (most recent call last):
file "<stdin>", line 1, in <module>
valueerror: invalid literal for int() with base 10: 'xd6xec'
>>>
>>> chr(66)
'b'
>>>

#事实上还是能够查的

mysql> select password from t_users where left(name,1)="张";
+----------+
| password |
+----------+
| 123456 |
+----------+
1 row in set (0.00 sec)

mysql> select password from t_users where left(name,2)="张";
empty set (0.00 sec)

#记住left是返回的全部的左边的值哈
mysql> select password from t_users where left(name,2)="张三";
+----------+
| password |
+----------+
| 123456 |
+----------+

#mid(匹配的字段，从第几个開始，取几个);能够完毕逐位比較
mysql> select password from t_users where mid(name,2,1)="三";
+----------+
| password |
+----------+
| 123456 |
+----------+
1 row in set (0.00 sec)

查看全文

相关阅读:
基础JavaScript练习（一）总结
 零基础JavaScript编码（三）总结
 零基础JavaScript编码（二）
零基础JavaScript编码（一）
响应式网格（栅格化）布局总结
 实现常见的技术产品官网的页面架构及样式布局总结
 通过HTML及CSS模拟报纸排版总结
 任务四：定位和居中问题总结
 1. Two Sum
任务三：三栏式布局总结

原文地址：https://www.cnblogs.com/blfshiye/p/4041368.html

Mysql数据库的mysql Schema 究竟有哪些东西&amp; 手工注入的基础要领

Mysql数据库的mysql Schema 究竟有哪些东西& 手工注入的基础要领