博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
Mysql数据库的mysql Schema 究竟有哪些东西& 手工注入的基础要领
阅读量:5171 次
发布时间:2019-06-13

本文共 7561 字,大约阅读时间需要 25 分钟。

#查看数据库版本号
mysql> select @@version;
+------------+
| @@version  |
+------------+
| 5.5.16-log |
+------------+
1 row in set (0.00 sec)
mysql> select * from information_schema.schemata; # 保存了系统的全部的数据库名 ,关键的字段是schema_name
# 2 rows in set (0.04 sec)表示仅仅有2个数据库
+--------------+--------------------+----------------------------+------------------------+----------+
| catalog_name | schema_name        | default_character_set_name | default_collation_name | sql_path |
+--------------+--------------------+----------------------------+------------------------+----------+
| def          | information_schema | utf8                       | utf8_general_ci        | null     |
| def          | test               | gb2312                     | gb2312_chinese_ci      | null     |
+--------------+--------------------+----------------------------+------------------------+----------+
mysql> select * from information_schema.columns;  #
# 关键的字段是table_name & column_name  411 rows in set (0.05 sec)
+---------------+--------------------+---------------------------------------+-------------------------------+------------------
| table_catalog | table_schema       | table_name                            | column_name                   | ordinal_position | column_default      | is_nullable | data_type | 
character_maximum_length | character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name    | column_type         | column_key | extra    
      | privileges                      | column_comment |

+---------------+--------------------+---------------------------------------+-------------------------------+------------------

mysql> select * from information_schema.tables;   # 包括全部的表名 。38 rows in set (0.09 sec) 表示有38张表
mysql> select count(*) from information_schema.tables;  # count(*)返回一共同拥有多少行(就是多少条记录)
+----------+
| count(*) |
+----------+
|       38 |
+----------+
1 row in set (0.00 sec)
#关键的字段是table_column & table_name 
+---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--
| table_catalog | table_schema       | table_name                            | table_type  | engine | version | row_format | table_rows | avg_row_length | data_length | 
max_data_length | index_length | data_free | auto_increment | create_time         | update_time         | check_time | table_collation   | checksum | create_options  | 
table_comment |
+---------------+--------------------+---------------------------------------+-------------+--------+---------+------------+--
mysql> select * from information_schema.tables where table_schema="test";
# keyword是table_name和table_schema  (数据库名) 
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----
| table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length | max_data_length | index_length | 
data_free | auto_increment | create_time         | update_time | check_time | table_collation   | checksum | create_options | table_comment |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----
| def           | test         | t_users    | base table | innodb |      10 | compact    |          0 |              0 |       16384 |               0 |        16384 |   9437184 |              1 | 2012-10
-06 12:21:23 | null        | null       | gb2312_chinese_ci |     null |                |               |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-----
1 row in set (0.00 sec)
mysql> select * from information_schema.columns where table_name="t_users";
# 关键是得到 column_name
+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----
| table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type | character_maximum_length | 
character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name    | column_type | column_key | extra          | privileges                      | 
column_comment |
+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----
| def           | test         | t_users    | id          |                1 | null           | no          | int       |                     null |                   null |                10 |             0 | null               | 
null              | int(11)     | pri        | auto_increment | select,insert,update,references |                |
| def           | test         | t_users    | name        |                2 | null           | no          | text      |                    65535 |                  65535 |              null |          null | gb2312   
          | gb2312_chinese_ci | text        |            |                | select,insert,update,references |                |
| def           | test         | t_users    | password    |                3 | null           | no          | text      |                    65535 |                  65535 |              null |          null | gb2312 
            | gb2312_chinese_ci | text        |            |                | select,insert,update,references |                |
+---------------+--------------+------------+-------------+------------------+----------------+-------------+-----------+----
3 rows in set (0.01 sec)
mysql> select "id","password" from information_schema.columns where table_name="t_users";
# 注意当要查询的变量是常数的时候就是空查询。返回的一定就是你的查询常量,通常是在union的查询里确定
显示位置而用的
+----+----------+
| id | password |
+----+----------+
| id | password |
| id | password |
| id | password |
+----+----------+
3 rows in set (0.02 sec)
mysql> use test;  #使用该数据库
database changed
mysql> select * from test;
error 1146 (42s02): table 'test.test' doesn't exist
mysql> select * from t_users;
empty set (0.00 sec)
这样就不须要再猜username与password啦
insert into `t_users`(`id`, `name`, `password`) values (001,'张三疯','123456');
#插入一条记录之后
mysql> select * from t_users;
+----+--------+----------+
| id | name   | password |
+----+--------+----------+
|  1 | 张三疯 | 123456   |
+----+--------+----------+
1 row in set (0.00 sec)
#假设没有权限加入,就仅仅有逐位猜值啦
mysql> select count(*) from t_users where len(password)=12;
error 1305 (42000): function test.len does not exist
mysql>
# 二分查找法
#这里报错啦,该函数不存在。在mysql是length()在access里是len();
mysql> select count(*) from t_users where length(password)=12;
error 1305 (42000): function test.len does not exist
#首先确定了密码的长度
mysql> select password from t_users where length(password)<6;
empty set (0.00 sec)
mysql> select password from t_users where length(password)>6;
empty set (0.00 sec)
mysql> select password from t_users where length(password)=6;
+----------+
| password |
+----------+
| 123456   |
+----------+
1 row in set (0.00 sec)
#再进行逐位猜值
 select * from t_users where asc(left(password,1))>0;
 
mysql> select password from t_users where left(password,1)<1;
empty set (0.00 sec)
mysql> select password from t_users where left(password,1)<2;
+----------+
| password |
+----------+
| 123456   |
+----------+
#函数运行并成功返回,说明第一位的值就是1
#或者直接查询密码:
 
 mysql> select password from t_users where length('password')>0;
+----------+
| password |
+----------+
| 123456   |
+----------+
1 row in set (0.00 sec)
mysql> select password from t_users where ascii(left(password,1))<2;
empty set (0.00 sec)
#在mysql里面什么函数都要写全啦,在acess里直接就是asc();
mysql> select password from t_users where ascii(left(password,1))=49;
+----------+
| password |
+----------+
| 123456   |
#能够直接擦每一位的值。也能够查acs值。可是直接查值是快些
#这样直到猜完length(password)位为止
#可是中文的名字不好猜啊,1个字,2个字节
>>> int("张")
traceback (most recent call last):
  file "<stdin>", line 1, in <module>
valueerror: invalid literal for int() with base 10: '\xd6\xec'
>>>
>>> chr(66)
'b'
>>>
#事实上还是能够查的
mysql> select password from t_users where left(name,1)="张";
+----------+
| password |
+----------+
| 123456   |
+----------+
1 row in set (0.00 sec)
mysql> select password from t_users where left(name,2)="张";
empty set (0.00 sec)
#记住left是返回的全部的左边的值哈
mysql> select password from t_users where left(name,2)="张三";
+----------+
| password |
+----------+
| 123456   |
+----------+
#mid(匹配的字段,从第几个開始,取几个);能够完毕逐位比較
mysql> select password from t_users where mid(name,2,1)="三";
+----------+
| password |
+----------+
| 123456   |
+----------+
1 row in set (0.00 sec)

转载于:https://www.cnblogs.com/mqxnongmin/p/10548116.html

你可能感兴趣的文章
软件工程--第十六周学习进度
查看>>
yii2 ActiveRecord多表关联以及多表关联搜索的实现
查看>>
搜狗输入法安装--ubuntu
查看>>
ps/2接口键盘的输入及显示
查看>>
Swift———a Glance(极客学院)笔记
查看>>
【poj3294-不小于k个字符串中最长公共子串】后缀数组
查看>>
java如何获取其它用户登录的真是IP地址
查看>>
Jquery通过指定层次关系获取元素
查看>>
c# for 和 foreach 的区别
查看>>
docfx (一)
查看>>
HashMap底层实现原理/HashMap与HashTable区别/HashMap与HashSet区别
查看>>
深度学习之前馈神经网络(前向传播和误差反向传播)
查看>>
IEnumerable<T>和IQueryable<T>区别
查看>>
(转)MFC界面风格
查看>>
Centos7 tmux1.6 安装
查看>>
二叉树(三)
查看>>
linux加密文件系统 fsck 无法修复一例
查看>>
【linux配置】VMware安装Redhat6.5
查看>>
AI自主决策——有限状态机
查看>>
iframe父子窗口取值
查看>>