SQL injection and bypass techniques (1)
Preface
Small tricks are certainly useful, but only a grasp of the general methods lets you find a way through in unusual environments and extend one case to others.
This whole post starts from the basics and discusses SQL injection and bypass techniques (most of it is copied straight from elsewhere, heh).
Basic MySQL operations
Create a database
mysql> create database sqlvul;
Query OK, 1 row affected (0.00 sec)
List all databases
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| autumnwater |
| dedecmsv57utf8sp2 |
| miku_cms |
| my_demo |
| mysql |
| performance_schema |
| qqfishing |
| sqlvul |
| szhescan |
| test |
+--------------------+
11 rows in set (0.00 sec)
sqlvul, the one we just created, now appears in the list (marked with a red box in the original screenshot).
Switch to the sqlvul database and create a user table
mysql> use sqlvul;
Database changed
mysql> create table user (id int,username varchar(255),password varchar(255));
Query OK, 0 rows affected (0.04 sec)
List the tables
mysql> show tables;
+------------------+
| Tables_in_sqlvul |
+------------------+
| user |
+------------------+
1 row in set (0.00 sec)
Show the table structure
mysql> desc user;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| id | int(11) | YES | | NULL | |
| username | varchar(255) | YES | | NULL | |
| password | varchar(255) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
3 rows in set (0.01 sec)
Insert a row
mysql> insert into user (id,username,password) values (1,"admin","admin");
Query OK, 1 row affected (0.00 sec)
Query the user table
mysql> select * from user;
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
Query with a where condition
mysql> select * from user where id=1;
+------+----------+----------+
| id | username | password |
+------+----------+----------+
| 1 | admin | admin |
+------+----------+----------+
1 row in set (0.00 sec)
With these basics covered and tried by hand, we can build a local vulnerable environment on top of the database above. The vulnerable code, test.php, is:
<?php
// Comments added for explanation; the query construction is the page's deliberately vulnerable code.
// Note: the mysql_* extension was removed in PHP 7.0, so this file runs as written only on PHP 5.x.
if($_GET['id']){
    $id = $_GET['id'];
    $conn = mysql_connect('127.0.0.1','root','root');
    mysql_select_db('sqlvul',$conn);
    // $id is interpolated straight into the SQL text: this is the injection point
    $sql = "select * from user where id=$id";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)){
        echo "id: ".$row['id']."</br>";
        echo "username: ".$row['username']."</br>";
        echo "password: ".$row['password']."</br>";
    }
    mysql_close($conn);
    // echo the final query so the effect of the input on it is visible
    echo "</br>"."sql :".$sql;
}else{
    echo "id,get,懂?";
}
?>
That's it, a simple vulnerable environment is set up:
127.0.0.1/test.php?id=1
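To make the defect in test.php concrete without needing PHP 5 and MySQL, here is an added Python example (not code from the original post) that reproduces the same query construction against an in-memory SQLite database standing in for MySQL, beside the hardened form. The table layout is the page's sqlvul.user table; the second row and the helper names (make_db, lookup_vulnerable, lookup_safe, is_valid_id) are constructed for this example.

```python
"""
Added example: the `select * from user where id=$id` pattern from test.php,
reproduced with Python string formatting, next to a validated and
parameterized version. SQLite is used only so the example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the page's sqlvul.user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user (id int, username varchar(255), password varchar(255))"
    )
    conn.executemany(
        "insert into user (id, username, password) values (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "s3cret")],  # second row is constructed
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Mirrors test.php: the raw input is pasted into the SQL text, so input
    that contains SQL syntax changes the structure of the query itself."""
    sql = f"select * from user where id={user_input}"
    return conn.execute(sql).fetchall()


def is_valid_id(user_input: str) -> bool:
    """The application expects a non-negative integer id; reject anything else."""
    return user_input.isdigit()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened form: validate the expected type, then bind the value as a
    query parameter so the database treats it as data, never as SQL."""
    if not is_valid_id(user_input):
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "select * from user where id=?", (int(user_input),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))          # one row, as intended
    print(lookup_vulnerable(db, "1 or 1=1"))   # structure changed: every row returned
    print(lookup_safe(db, "1"))                # one row
    try:
        lookup_safe(db, "1 or 1=1")
    except ValueError as err:
        print("rejected:", err)                # the same input never reaches the database
```

The point to take away for hardening is that the parameterized query alone already stops the input from being parsed as SQL; the isdigit check on top of it is cheap defence in depth that also rejects garbage before a round trip to the database.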
Understanding the default tables
A question from a company interview a while back:
What is the difference between MySQL 5 and earlier versions?
One obvious difference is information_schema.
This table (a view, really) only exists from MySQL 5 onwards. MySQL 4 should be rare by now, so all the examples below are based on MySQL 5. information_schema stores the database's metadata: database names, table names, column names and so on. It takes us from having to brute-force table names to being able to query them directly.
A quick aside: if this table does not exist or has been disabled, boolean-based or time-based blind injection can be used to brute-force table names instead.
Let's query information_schema:
mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema |
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
| INNODB_BUFFER_PAGE |
| INNODB_TRX |
| INNODB_BUFFER_POOL_STATS |
| INNODB_LOCK_WAITS |
| INNODB_CMPMEM |
| INNODB_CMP |
| INNODB_LOCKS |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_BUFFER_PAGE_LRU |
+---------------------------------------+
40 rows in set (0.00 sec)
The tables we use most often:
schemata: information about every database in the current MySQL instance
tables: information about the tables in each database
columns: information about the columns in each table
schemata
mysql> select * from information_schema.schemata;
+--------------+--------------------+----------------------------+------------------------+----------+
| CATALOG_NAME | SCHEMA_NAME | DEFAULT_CHARACTER_SET_NAME | DEFAULT_COLLATION_NAME | SQL_PATH |
+--------------+--------------------+----------------------------+------------------------+----------+
| def | information_schema | utf8 | utf8_general_ci | NULL |
| def | autumnwater | utf8 | utf8_general_ci | NULL |
| def | dedecmsv57utf8sp2 | utf8 | utf8_general_ci | NULL |
| def | miku_cms | utf8 | utf8_general_ci | NULL |
| def | my_demo | utf8 | utf8_general_ci | NULL |
| def | mysql | utf8 | utf8_general_ci | NULL |
| def | performance_schema | utf8 | utf8_general_ci | NULL |
| def | qqfishing | utf8 | utf8_general_ci | NULL |
| def | sqlvul | utf8 | utf8_general_ci | NULL |
| def | szhescan | utf8 | utf8_general_ci | NULL |
| def | test | latin1 | latin1_swedish_ci | NULL |
+--------------+--------------------+----------------------------+------------------------+----------+
11 rows in set (0.00 sec)
tables (too many rows, only part of the output is shown)
mysql> select table_name from information_schema.tables;
+----------------------------------------------+
| table_name |
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
columns (too many rows, only part of the output is shown)
mysql> select column_name from information_schema.columns;
+----------------------------------+
| column_name |
+----------------------------------+
| CHARACTER_SET_NAME |
| DEFAULT_COLLATE_NAME |
| DESCRIPTION |
| MAXLEN |
| COLLATION_NAME |
| CHARACTER_SET_NAME |
| ID |
| IS_DEFAULT |
| IS_COMPILED |
| SORTLEN |
| COLLATION_NAME |
| CHARACTER_SET_NAME |
| TABLE_CATALOG |
| TABLE_SCHEMA |
| TABLE_NAME |
| COLUMN_NAME |