zoukankan      html  css  js  c++  java
  • Mysql数据库的mysql Schema 究竟有哪些东西& 手工注入的基础要领

    #查看数据库版本号
    mysql> select @@version;
    +------------+
    | @@version  |
    +------------+
    | 5.5.16-log |
    +------------+
    1 row in set (0.00 sec)

    mysql> select * from information_schema.schemata; # 保存了系统的全部的数据库名 ,关键的字段是schema_name
    # 2 rows in set (0.04 sec)表示仅仅有2个数据库
    +--------------+--------------------+----------------------------+------------------------+----------+
    | catalog_name | schema_name        | default_character_set_name | default_collation_name | sql_path |
    +--------------+--------------------+----------------------------+------------------------+----------+
    | def          | information_schema | utf8                       | utf8_general_ci        | null     |
    | def          | test               | gb2312                     | gb2312_chinese_ci      | null     |
    +--------------+--------------------+----------------------------+------------------------+----------+

    mysql> select * from information_schema.columns;  #


    # 关键的字段是table_name & column_name  411 rows in set (0.05 sec)

    +---------------+--------------------+---------------------------------------+-------------------------------+------------------

    | table_catalog | table_schema       | table_name                            | column_name                   | ordinal_position | column_default      | is_nullable | data_type | 


    character_maximum_length | character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name    | column_type         | column_key | extra    


          | privileges                      | column_comment |

    +---------------+--------------------+---------------------------------------+-------------------------------+------------------


    mysql> select * from information_schema.tables;   # 包括全部的表名 ,38 rows in set (0.09 sec) 表示有38张表

    mysql> select count(*) from information_schema.tables;  # count(*)返回一共同拥有多少行(就是多少条记录)

    +----------+
    | count(*) |
    +----------+
    |       38 |
    +----------+
    1 row in set (0.00 sec)


    #关键的字段是table_column & table_name 

    +---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--

    | table_catalog | table_schema       | table_name                            | table_type  | engine | version | row_format | table_rows | avg_row_length | data_length | 


    max_data_length | index_length | data_free | auto_increment | create_time         | update_time         | check_time | table_collation   | checksum | create_options  | 


    table_comment |
    +---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--

    mysql> select * from information_schema.tables where table_schema="test";


    # keyword是table_name和table_schema  (数据库名) 
    +---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

    | table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length | max_data_length | index_length | 


    data_free | auto_increment | create_time         | update_time | check_time | table_collation   | checksum | create_options | table_comment |
    +---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

    | def           | test         | t_users    | base table | innodb |      10 | compact    |          0 |              0 |       16384 |               0 |        16384 |   9437184 |              1 | 2012-10


    -06 12:21:23 | null        | null       | gb2312_chinese_ci |     null |                |               |
    +---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----

    1 row in set (0.00 sec)


    mysql> select * from information_schema.columns where table_name="t_users";


    # 关键是得到 column_name


    +---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

    | table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type | character_maximum_length | 


    character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name    | column_type | column_key | extra          | privileges                      | 


    column_comment |
    +---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

    | def           | test         | t_users    | id          |                1 | null           | no          | int       |                     null |                   null |                10 |             0 | null               | 


    null              | int(11)     | pri        | auto_increment | select,insert,update,references |                |
    | def           | test         | t_users    | name        |                2 | null           | no          | text      |                    65535 |                  65535 |              null |          null | gb2312   


              | gb2312_chinese_ci | text        |            |                | select,insert,update,references |                |
    | def           | test         | t_users    | password    |                3 | null           | no          | text      |                    65535 |                  65535 |              null |          null | gb2312 


                | gb2312_chinese_ci | text        |            |                | select,insert,update,references |                |
    +---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----

    3 rows in set (0.01 sec)


    mysql> select "id","password" from information_schema.columns where table_name="t_users";

    # 注意当要查询的变量是常数的时候就是空查询,返回的一定就是你的查询常量,通常是在union的查询里确定
    显示位置而用的

    +----+----------+
    | id | password |
    +----+----------+
    | id | password |
    | id | password |
    | id | password |
    +----+----------+
    3 rows in set (0.02 sec)

    mysql> use test;  #使用该数据库

    database changed
    mysql> select * from test;
    error 1146 (42s02): table 'test.test' doesn't exist
    mysql> select * from t_users;
    empty set (0.00 sec)

    这样就不须要再猜username和password啦

    insert into `t_users`(`id`, `name`, `password`) values (001,'张三疯','123456');
    #插入一条记录之后


    mysql> select * from t_users;
    +----+--------+----------+
    | id | name   | password |
    +----+--------+----------+
    |  1 | 张三疯 | 123456   |
    +----+--------+----------+
    1 row in set (0.00 sec)

    #假设没有权限加入,就仅仅有逐位猜值啦

    mysql> select count(*) from t_users where len(password)=12;
    error 1305 (42000): function test.len does not exist
    mysql>

    # 二分查找法

    #这里报错啦,该函数不存在,在mysql是length()在access里是len();
    mysql> select count(*) from t_users where length(password)=12;
    error 1305 (42000): function test.len does not exist

    #首先确定了password的长度

    mysql> select password from t_users where length(password)<6;
    empty set (0.00 sec)

    mysql> select password from t_users where length(password)>6;
    empty set (0.00 sec)

    mysql> select password from t_users where length(password)=6;
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+
    1 row in set (0.00 sec)

    #再进行逐位猜值

     select * from t_users where asc(left(password,1))>0;
     
    mysql> select password from t_users where left(password,1)<1;
    empty set (0.00 sec)

    mysql> select password from t_users where left(password,1)<2;
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+
    #函数运行并成功返回,说明第一位的值就是1

    #或者直接查询password:
     
     mysql> select password from t_users where length('password')>0;
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+
    1 row in set (0.00 sec)

    mysql> select password from t_users where ascii(left(password,1))<2;
    empty set (0.00 sec)

    #在mysql里面什么函数都要写全啦,在acess里直接就是asc();

    mysql> select password from t_users where ascii(left(password,1))=49;
    +----------+
    | password |
    +----------+
    | 123456   |

    #能够直接擦每一位的值,也能够查acs值,可是直接查值是快些
    #这样直到猜完length(password)位为止

    #可是中文的名字不好猜啊,1个字,2个字节

    >>> int("张")
    traceback (most recent call last):
      file "<stdin>", line 1, in <module>
    valueerror: invalid literal for int() with base 10: 'xd6xec'
    >>>
    >>> chr(66)
    'b'
    >>>

    #事实上还是能够查的

    mysql> select password from t_users where left(name,1)="张";
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+
    1 row in set (0.00 sec)

    mysql> select password from t_users where left(name,2)="张";
    empty set (0.00 sec)

    #记住left是返回的全部的左边的值哈
    mysql> select password from t_users where left(name,2)="张三";
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+

    #mid(匹配的字段,从第几个開始,取几个);能够完毕逐位比較
    mysql> select password from t_users where mid(name,2,1)="三";
    +----------+
    | password |
    +----------+
    | 123456   |
    +----------+
    1 row in set (0.00 sec)
  • 相关阅读:
    python基础之数值类型
    第一个python学习笔记
    入学潭州科技教育学习python语言
    Python 编码规范(Google)
    Python
    博客开通
    文件、异常、文件的输入输出
    内置函数,变量的作用域,闭包及递归
    序列类型各自的方法(1)
    函数基础
  • 原文地址:https://www.cnblogs.com/blfshiye/p/4041368.html
Copyright © 2011-2022 走看看