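0x00 SQL injection
Injection tops the annual OWASP Top 10 list of security issues. A SQL injection attack passes specially crafted input as parameters to a web application. The input is mostly made up of fragments of SQL syntax, and when the application executes the resulting SQL statement it carries out the operation the attacker wants. The root cause is that the program does not carefully filter user-supplied data, so illegitimate data gets into the system.
1. For a web application, the users' core data is stored in a database such as MySQL, SQL Server or Oracle;
2. Through SQL injection an attacker can read, modify and delete database information, and can escalate privileges to control the web server and perform other operations;
3. SQL injection is the process in which an attacker constructs special SQL statements, breaks into the target system and causes the back-end database to leak data;
4. Because of the severe damage SQL injection vulnerabilities cause, injection has held the top spot of the OWASP Top 10 for years.
0x01 Impact of SQL injection
1. Database dumps that leak user data;
2. Compromised security of web and other applications;
3. Loss of control over the operating system;
4. User information being bought and sold illegally;
5. Harm to the security of enterprises and of the state.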
0x02 SQL basics review
Environment: OWASP
Table 1: dvwa.users
Table 2: wordpress.wp_users
Table 3: mysql.user
Log in
mysql -uroot -p
root@owaspbwa:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 579
Server version: 5.1.41-3ubuntu12.6-log (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
List the databases
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| .svn               |
| bricks             |
| bwapp              |
| citizens           |
| cryptomg           |
| dvwa               |
| gallery2           |
| getboo             |
| ghost              |
| gtd-php            |
| hex                |
| isp                |
| joomla             |
| mutillidae         |
| mysql              |
| nowasp             |
| orangehrm          |
| personalblog       |
| peruggia           |
| phpbb              |
| phpmyadmin         |
| proxy              |
| rentnet            |
| sqlol              |
| tikiwiki           |
| vicnum             |
| wackopicko         |
| wavsepdb           |
| webcal             |
| webgoat_coins      |
| wordpress          |
| wraithlogin        |
| yazd               |
+--------------------+
34 rows in set (0.56 sec)
Return the current database
mysql> select database();
+------------+
| database() |
+------------+
| NULL       |
+------------+
Return the current user
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
Return the current time
mysql> select now();
+---------------------+
| now()               |
+---------------------+
| 2020-01-17 05:26:10 |
+---------------------+
Enter or switch to a database
mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Now check the current database again:
mysql> select database();
+------------+
| database() |
+------------+
| dvwa       |
+------------+
List the tables
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
Show the structure of a specific table
mysql> desc users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+
DESC is shorthand for DESCRIBE:
mysql> DESCRIBE users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+
Field: the field, usually what we call a column; the table above has six fields, user_id and so on
Type: the type and length of the field
Null: whether the field may be empty
Key: primary key, foreign key, or index
Default: the default value of the field
Extra: additional attributes
Show the statement that creates the table
mysql> show create table users\G
*************************** 1. row ***************************
       Table: users
Create Table: CREATE TABLE `users` (
  `user_id` int(6) NOT NULL DEFAULT '0',
  `first_name` varchar(15) DEFAULT NULL,
  `last_name` varchar(15) DEFAULT NULL,
  `user` varchar(15) DEFAULT NULL,
  `password` varchar(32) DEFAULT NULL,
  `avatar` varchar(70) DEFAULT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1
Query the records of a table
mysql> select * from users;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                           |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
|       1 | admin      | admin     | admin   | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg  |
|       6 | user       | user      | user    | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
6 rows in set (0.10 sec)
Query specific fields
mysql> select user,user_id,password from users;
+---------+---------+----------------------------------+
| user    | user_id | password                         |
+---------+---------+----------------------------------+
| admin   |       1 | 21232f297a57a5a743894a0e4a801fc3 |
| gordonb |       2 | e99a18c428cb38d5f260853678922e03 |
| 1337    |       3 | 8d3533d75ae2c3966d7e0d4fcc69216b |
| pablo   |       4 | 0d107d09f5bbe40cade3de5c71e9e9b7 |
| smithy  |       5 | 5f4dcc3b5aa765d61d8327deb882cf99 |
| user    |       6 | ee11cbb19052e40b07aac0ca060c23ee |
+---------+---------+----------------------------------+
Query other databases
mysql> desc mysql.user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field                 | Type                              | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host                  | char(60)                          | NO   | PRI |         |       |
| User                  | char(16)                          | NO   | PRI |         |       |
| Password              | char(41)                          | NO   |     |         |       |
| Select_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Insert_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Update_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Delete_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Create_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Drop_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Reload_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Shutdown_priv         | enum('N','Y')                     | NO   |     | N       |       |
| Process_priv          | enum('N','Y')                     | NO   |     | N       |       |
| File_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Grant_priv            | enum('N','Y')                     | NO   |     | N       |       |
| References_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Index_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Alter_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Show_db_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Super_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Create_tmp_table_priv | enum('N','Y')                     | NO   |     | N       |       |
| Lock_tables_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Execute_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Repl_slave_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Repl_client_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Create_view_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Show_view_priv        | enum('N','Y')                     | NO   |     | N       |       |
| Create_routine_priv   | enum('N','Y')                     | NO   |     | N       |       |
| Alter_routine_priv    | enum('N','Y')                     | NO   |     | N       |       |
| Create_user_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Event_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Trigger_priv          | enum('N','Y')                     | NO   |     | N       |       |
| ssl_type              | enum('','ANY','X509','SPECIFIED') | NO   |     |         |       |
| ssl_cipher            | blob                              | NO   |     | NULL    |       |
| x509_issuer           | blob                              | NO   |     | NULL    |       |
| x509_subject          | blob                              | NO   |     | NULL    |       |
| max_questions         | int(11) unsigned                  | NO   |     | 0       |       |
| max_updates           | int(11) unsigned                  | NO   |     | 0       |       |
| max_connections       | int(11) unsigned                  | NO   |     | 0       |       |
| max_user_connections  | int(11) unsigned                  | NO   |     | 0       |       |
+-----------------------+-----------------------------------+------+-----+---------+-------+
mysql> select User,Password,Host from mysql.user;
+------------------+-------------------------------------------+---------------+
| User             | Password                                  | Host          |
+------------------+-------------------------------------------+---------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost     |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost     |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 | localhost     |
| wordpress        | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC | %             |
| phpbb            | *CA1F8B079BB2857835107EA008871B4691769547 | %             |
| dvwa             | *D67B38CDCD1A55623ED5F55856A29B9654FF823D | %             |
| mutillidae       | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 | %             |
| yazd             | *3758F91540524F48F92FE932883C54F6E802A13A | %             |
| personalblog     | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D | %             |
| yazd10           | *30B462BE16C04867D06113304F664BB9A5B573D8 | %             |
| peruggia         | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 | %             |
| ghost            | *9AE953952D993ED69779E70E28193A1EB8DDF91C | %             |
| gtd-php          | *C238B1FA6D14124C867DC9634DEB2CD731212094 | %             |
| getboo           | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 | %             |
| orangehrm        | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA | %             |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C | localhost     |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB | localhost     |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C | localhost     |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 | localhost     |
| jotto            | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 | %             |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 | localhost     |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 | localhost     |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 | localhost     |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE | localhost     |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B | localhost     |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED | localhost     |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 | localhost     |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 | localhost     |
| wackopicko       | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 | %             |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C | localhost     |
| sqlol            | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A | %             |
| cryptomg         | *2132873552FEDF6780E8060F927DD5101759C4DE | %             |
| webgoat.net      | *4BA609A0C9C18D80985519932BAC08C604119234 | %             |
| bricks           | *255195939290DC6D228944BCC682D2427DA57E21 | %             |
| bwapp            | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 | %             |
+------------------+-------------------------------------------+---------------+
mysql> desc wordpress.wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field               | Type                | Null | Key | Default             | Extra          |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |
| user_login          | varchar(60)         | NO   | MUL |                     |                |
| user_pass           | varchar(64)         | NO   |     |                     |                |
| user_nicename       | varchar(50)         | NO   |     |                     |                |
| user_email          | varchar(100)        | NO   |     |                     |                |
| user_url            | varchar(100)        | NO   |     |                     |                |
| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                |
| user_activation_key | varchar(60)         | NO   |     |                     |                |
| user_status         | int(11)             | NO   |     | 0                   |                |
| display_name        | varchar(250)        | NO   |     |                     |                |
+---------------------+---------------------+------+-----+---------------------+----------------+
mysql> select ID,user_login,user_pass from wordpress.wp_users;
+----+------------+----------------------------------+
| ID | user_login | user_pass                        |
+----+------------+----------------------------------+
|  1 | admin      | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | user       | ee11cbb19052e40b07aac0ca060c23ee |
+----+------------+----------------------------------+
Conditional queries
mysql> select user,password,Host from mysql.user where user="root";
+------+-------------------------------------------+---------------+
| user | password                                  | Host          |
+------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
+------+-------------------------------------------+---------------+
mysql> select user,password,Host from mysql.user where user="root" and Host="localhost";
+------+-------------------------------------------+-----------+
| user | password                                  | Host      |
+------+-------------------------------------------+-----------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
+------+-------------------------------------------+-----------+
mysql> select user,password,Host from mysql.user where user="root" or Host="localhost";
+------------------+-------------------------------------------+---------------+
| user             | password                                  | Host          |
+------------------+-------------------------------------------+---------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost     |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost     |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 | localhost     |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C | localhost     |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB | localhost     |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C | localhost     |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 | localhost     |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 | localhost     |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 | localhost     |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 | localhost     |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE | localhost     |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B | localhost     |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED | localhost     |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 | localhost     |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 | localhost     |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C | localhost     |
+------------------+-------------------------------------------+---------------+
mysql> desc dvwa.users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+
mysql> select user_id,password from dvwa.users where user="art";
Empty set (0.00 sec)
mysql> select user_id,password from dvwa.users where user="art" and 1=1;
Empty set (0.00 sec)
mysql> select user_id,password from dvwa.users where user="art" or 1=1;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 21232f297a57a5a743894a0e4a801fc3 |
|       2 | e99a18c428cb38d5f260853678922e03 |
|       3 | 8d3533d75ae2c3966d7e0d4fcc69216b |
|       4 | 0d107d09f5bbe40cade3de5c71e9e9b7 |
|       5 | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       6 | ee11cbb19052e40b07aac0ca060c23ee |
+---------+----------------------------------+
Union queries
mysql> select user,password from mysql.user union select user_login,user_pass from wordpress.wp_users;
+------------------+-------------------------------------------+
| user             | password                                  |
+------------------+-------------------------------------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 |
| wordpress        | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC |
| phpbb            | *CA1F8B079BB2857835107EA008871B4691769547 |
| dvwa             | *D67B38CDCD1A55623ED5F55856A29B9654FF823D |
| mutillidae       | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 |
| yazd             | *3758F91540524F48F92FE932883C54F6E802A13A |
| personalblog     | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D |
| yazd10           | *30B462BE16C04867D06113304F664BB9A5B573D8 |
| peruggia         | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 |
| ghost            | *9AE953952D993ED69779E70E28193A1EB8DDF91C |
| gtd-php          | *C238B1FA6D14124C867DC9634DEB2CD731212094 |
| getboo           | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 |
| orangehrm        | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 |
| jotto            | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 |
| wackopicko       | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C |
| sqlol            | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A |
| cryptomg         | *2132873552FEDF6780E8060F927DD5101759C4DE |
| webgoat.net      | *4BA609A0C9C18D80985519932BAC08C604119234 |
| bricks           | *255195939290DC6D228944BCC682D2427DA57E21 |
| bwapp            | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 |
| admin            | 21232f297a57a5a743894a0e4a801fc3          |
| user             | ee11cbb19052e40b07aac0ca060c23ee          |
+------------------+-------------------------------------------+
39 rows in set (0.11 sec)
The SELECT statements on both sides of a UNION must return the same number of columns; when one side has fewer, numbers can be used to fill the missing columns.
mysql> select user,password from mysql.user union select user_login,user_pass from wordpress.wp_users limit 5;
+------------------+-------------------------------------------+
| user             | password                                  |
+------------------+-------------------------------------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 |
+------------------+-------------------------------------------+
5 rows in set (0.00 sec)
mysql> select user,password from mysql.user where 1=2 union select user_login,user_pass from wordpress.wp_users limit 5;
+-------+----------------------------------+
| user  | password                         |
+-------+----------------------------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| user  | ee11cbb19052e40b07aac0ca060c23ee |
+-------+----------------------------------+
Guessing the number of columns
mysql> select * from dvwa.users union select 1;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4,5;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4,5,6;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                           |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
|       1 | admin      | admin     | admin   | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg  |
|       6 | user       | user      | user    | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       1 | 2          | 3         | 4       | 5                                | 6                                                |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
7 rows in set (0.00 sec)
mysql> select * from dvwa.users where 1=2 union select user_login,user_pass,3,4,5,6 from wordpress.wp_users;
+---------+----------------------------------+-----------+------+----------+--------+
| user_id | first_name                       | last_name | user | password | avatar |
+---------+----------------------------------+-----------+------+----------+--------+
| admin   | 21232f297a57a5a743894a0e4a801fc3 | 3         | 4    | 5        | 6      |
| user    | ee11cbb19052e40b07aac0ca060c23ee | 3         | 4    | 5        | 6      |
+---------+----------------------------------+-----------+------+----------+--------+
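The `or 1=1` and `where 1=2 union select` statements above are what a query assembled by string concatenation becomes once such input reaches it, and binding the input as a parameter is what prevents that. The following is an added example, not part of the original page: it uses Python's sqlite3 in place of MySQL so that it runs offline, single-quoted literals instead of the double quotes used above, constructed sample rows, and hypothetical function names.

```python
import sqlite3

def make_db():
    """In-memory stand-in for dvwa.users and wordpress.wp_users (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-a'), (2, 'gordonb', 'hash-b'),
                                 (3, 'pablo', 'hash-c');
        INSERT INTO wp_users VALUES (1, 'wpadmin', 'hash-w');
    """)
    return db

def build_concat_sql(name):
    # Vulnerable pattern: the user input becomes part of the SQL text itself,
    # so quotes and keywords inside it are parsed as SQL.
    return "SELECT user_id, password FROM users WHERE user = '" + name + "'"

def lookup_concat(db, name):
    return db.execute(build_concat_sql(name)).fetchall()

def lookup_param(db, name):
    # Hardened pattern: the statement text is fixed and the input is bound as a
    # value, so it is only ever compared against the user column.
    return db.execute(
        "SELECT user_id, password FROM users WHERE user = ?", (name,)
    ).fetchall()

# Constructed inputs that reproduce the two statement shapes shown on this page.
TAUTOLOGY = "art' OR '1'='1"
UNION = "art' UNION SELECT user_login, user_pass FROM wp_users -- "

if __name__ == "__main__":
    db = make_db()
    for label, value in [("plain", "admin"), ("tautology", TAUTOLOGY), ("union", UNION)]:
        print(label)
        print("  sql   :", build_concat_sql(value))
        print("  concat:", lookup_concat(db, value))
        print("  param :", lookup_param(db, value))
```

With concatenation the tautology returns every row and the UNION returns rows from the other table; with a bound parameter both inputs are treated as a user name that does not exist and return nothing.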
information_schema
Tables in the information_schema database:
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
View memory and load information
free
root@owaspbwa:~# uptime
 07:21:00 up 3:57, 2 users, load average: 0.00, 0.00, 0.00
Unmount
a:~# umount /proc -l
(-l unmounts regardless of whether the filesystem is busy)
root@owaspbwa:~# free
Cannot find /proc/version - is /proc mounted?
mount proc -t proc /proc
Querying database names and table names: information_schema.tables
*************************** 638. row ***************************
  TABLE_CATALOG: NULL
   TABLE_SCHEMA: webcal
     TABLE_NAME: webcal_view
     TABLE_TYPE: BASE TABLE
         ENGINE: MyISAM
        VERSION: 10
     ROW_FORMAT: Dynamic
     TABLE_ROWS: 0
 AVG_ROW_LENGTH: 0
    DATA_LENGTH: 0
MAX_DATA_LENGTH: 281474976710655
   INDEX_LENGTH: 1024
      DATA_FREE: 0
 AUTO_INCREMENT: NULL
    CREATE_TIME: 2011-04-17 13:11:41
    UPDATE_TIME: 2011-04-17 13:11:41
     CHECK_TIME: NULL
TABLE_COLLATION: latin1_swedish_ci
       CHECKSUM: NULL
 CREATE_OPTIONS:
  TABLE_COMMENT:
The above is part of the contents of the information_schema.TABLES table, which records information about every table.
The queries below name TABLES without a schema prefix, so they are run with information_schema as the current database.
The first one is equivalent to show databases;
mysql> select DISTINCT TABLE_SCHEMA from TABLES;
+--------------------+
| TABLE_SCHEMA       |
+--------------------+
| information_schema |
| bricks             |
| bwapp              |
| citizens           |
| cryptomg           |
| dvwa               |
| gallery2           |
| getboo             |
| ghost              |
| gtd-php            |
| hex                |
| isp                |
| joomla             |
| mutillidae         |
| mysql              |
| nowasp             |
| orangehrm          |
| personalblog       |
| peruggia           |
| phpbb              |
| phpmyadmin         |
| proxy              |
| rentnet            |
| sqlol              |
| tikiwiki           |
| vicnum             |
| wackopicko         |
| wavsepdb           |
| webcal             |
| webgoat_coins      |
| wordpress          |
| wraithlogin        |
| yazd               |
+--------------------+
mysql> select TABLE_SCHEMA,TABLE_NAME from TABLES limit 5;
+--------------------+---------------------------------------+
| TABLE_SCHEMA       | TABLE_NAME                            |
+--------------------+---------------------------------------+
| information_schema | CHARACTER_SETS                        |
| information_schema | COLLATIONS                            |
| information_schema | COLLATION_CHARACTER_SET_APPLICABILITY |
| information_schema | COLUMNS                               |
| information_schema | COLUMN_PRIVILEGES                     |
+--------------------+---------------------------------------+
mysql> select TABLE_SCHEMA,GROUP_CONCAT(TABLE_NAME) from TABLES group by TABLE_SCHEMA\G
*************************** 1. row ***************************
            TABLE_SCHEMA: bricks
GROUP_CONCAT(TABLE_NAME): users
*************************** 2. row ***************************
            TABLE_SCHEMA: bwapp
GROUP_CONCAT(TABLE_NAME): blog,users,movies,heroes
mysql> select TABLE_NAME from TABLES where TABLE_SCHEMA='dvwa';
+------------+
| TABLE_NAME |
+------------+
| guestbook  |
| users      |
+------------+
Querying database names, table names and column names: information_schema.columns
*************************** 4682. row ***************************
           TABLE_CATALOG: NULL
            TABLE_SCHEMA: yazd            (database name)
              TABLE_NAME: yazduserprop    (table name)
             COLUMN_NAME: propValue       (column name)
        ORDINAL_POSITION: 3
          COLUMN_DEFAULT: NULL
             IS_NULLABLE: NO
               DATA_TYPE: varchar
CHARACTER_MAXIMUM_LENGTH: 255
  CHARACTER_OCTET_LENGTH: 255
       NUMERIC_PRECISION: NULL
           NUMERIC_SCALE: NULL
      CHARACTER_SET_NAME: latin1
          COLLATION_NAME: latin1_swedish_ci
             COLUMN_TYPE: varchar(255)
              COLUMN_KEY:
                   EXTRA:
              PRIVILEGES: select,insert,update,references
          COLUMN_COMMENT:
Query all column names:
mysql> select COLUMN_NAME from information_schema.columns\G
mysql> select COLUMN_NAME from information_schema.columns where table_schema="yazd" and table_name="yazduserprop";
+-------------+
| COLUMN_NAME |
+-------------+
| userID      |
| name        |
| propValue   |
+-------------+