3_SQL注入攻击_1

眉间皱痕 提交于 2020-01-17 22:05:47

0x00 sql注入
  在owasp的年度top10安全问题中,注入高居榜首。SQL注入攻击是指通过构建特殊的输入作为参数传入web应用程序,而这些输入大多都是SQL语法中的一些组合,通过执行SQL语句而执行攻击者所要的操作,其主要原因是程序没有细致的过滤用户输入的数据,致使非法数据侵入系统。
1.对web应用而言,用户的核心数据存储在数据库中,例如MySQL,SQL sever,oracle;
2.通过SQL注入攻击,可以获取,修改,删除数据库信息,并且通过提权来控制web服务器等其他操作;
3.SQL注入即攻击者通过构造特殊的SQL语句,入侵目标系统,致使后台数据库泄露数据的过程;
4.因为SQL注入漏洞造成的严重危害性所以,常年稳居owasp top10的榜首。

 

0x01 SQL注入的危害

 1.脱库导致用户数据泄露;

 2.危害web等应用的安全;

 3.失去操作系统的控制权;

 4.用户信息被非法买卖;

 5.危害企业及国家的安全;

0x02 SQL基础知识回顾

  环境:OWASP

  表1:dvwa.user

  表2:wordpress.wp_users

  表3: mysql.user

登录

mysql -uroot -p
root@owaspbwa:~# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 579
Server version: 5.1.41-3ubuntu12.6-log (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

显示数据库

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| .svn               |
| bricks             |
| bwapp              |
| citizens           |
| cryptomg           |
| dvwa               |
| gallery2           |
| getboo             |
| ghost              |
| gtd-php            |
| hex                |
| isp                |
| joomla             |
| mutillidae         |
| mysql              |
| nowasp             |
| orangehrm          |
| personalblog       |
| peruggia           |
| phpbb              |
| phpmyadmin         |
| proxy              |
| rentnet            |
| sqlol              |
| tikiwiki           |
| vicnum             |
| wackopicko         |
| wavsepdb           |
| webcal             |
| webgoat_coins      |
| wordpress          |
| wraithlogin        |
| yazd               |
+--------------------+
34 rows in set (0.56 sec)

返回所在的库

mysql> select database();
+------------+
| database() |
+------------+
| NULL       |
+------------+

返回当前用户

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+

返回当前时间

mysql> select now();
+---------------------+
| now()               |
+---------------------+
| 2020-01-17 05:26:10 |
+---------------------+

进入或切换一个数据库

mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

  现在再查看当前的库: 

mysql> select database();
+------------+
| database() |
+------------+
| dvwa       |
+------------+

查看表

mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+

查看具体表的结构

mysql> desc users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+
DESC      DESCRIBE  
mysql> DESCRIBE users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+

Field :字段,通常指的是我们所说的列;例如上表就有六个字段;user_id等等

Type :   字段的类型和长度

Null :字段是否可以为空

Key :主键,外键,或者是索引

Default: 字段的默认值

Extra:附加的属性

 

显示创建表的结构

mysql> show create table users\G;
*************************** 1. row ***************************
       Table: users
Create Table: CREATE TABLE `users` (
  `user_id` int(6) NOT NULL DEFAULT '0',
  `first_name` varchar(15) DEFAULT NULL,
  `last_name` varchar(15) DEFAULT NULL,
  `user` varchar(15) DEFAULT NULL,
  `password` varchar(32) DEFAULT NULL,
  `avatar` varchar(70) DEFAULT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1

查询表的记录

mysql> select * from users;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                           |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
|       1 | admin      | admin     | admin   | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg  |
|       6 | user       | user      | user    | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
6 rows in set (0.10 sec)

查询指定的字段

mysql> select user,user_id,password from users;
+---------+---------+----------------------------------+
| user    | user_id | password                         |
+---------+---------+----------------------------------+
| admin   |       1 | 21232f297a57a5a743894a0e4a801fc3 |
| gordonb |       2 | e99a18c428cb38d5f260853678922e03 |
| 1337    |       3 | 8d3533d75ae2c3966d7e0d4fcc69216b |
| pablo   |       4 | 0d107d09f5bbe40cade3de5c71e9e9b7 |
| smithy  |       5 | 5f4dcc3b5aa765d61d8327deb882cf99 |
| user    |       6 | ee11cbb19052e40b07aac0ca060c23ee |
+---------+---------+----------------------------------+

查询其他库

mysql> desc mysql.user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field                 | Type                              | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host                  | char(60)                          | NO   | PRI |         |       |
| User                  | char(16)                          | NO   | PRI |         |       |
| Password              | char(41)                          | NO   |     |         |       |
| Select_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Insert_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Update_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Delete_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Create_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Drop_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Reload_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Shutdown_priv         | enum('N','Y')                     | NO   |     | N       |       |
| Process_priv          | enum('N','Y')                     | NO   |     | N       |       |
| File_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Grant_priv            | enum('N','Y')                     | NO   |     | N       |       |
| References_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Index_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Alter_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Show_db_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Super_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Create_tmp_table_priv | enum('N','Y')                     | NO   |     | N       |       |
| Lock_tables_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Execute_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Repl_slave_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Repl_client_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Create_view_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Show_view_priv        | enum('N','Y')                     | NO   |     | N       |       |
| Create_routine_priv   | enum('N','Y')                     | NO   |     | N       |       |
| Alter_routine_priv    | enum('N','Y')                     | NO   |     | N       |       |
| Create_user_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Event_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Trigger_priv          | enum('N','Y')                     | NO   |     | N       |       |
| ssl_type              | enum('','ANY','X509','SPECIFIED') | NO   |     |         |       |
| ssl_cipher            | blob                              | NO   |     | NULL    |       |
| x509_issuer           | blob                              | NO   |     | NULL    |       |
| x509_subject          | blob                              | NO   |     | NULL    |       |
| max_questions         | int(11) unsigned                  | NO   |     | 0       |       |
| max_updates           | int(11) unsigned                  | NO   |     | 0       |       |
| max_connections       | int(11) unsigned                  | NO   |     | 0       |       |
| max_user_connections  | int(11) unsigned                  | NO   |     | 0       |       |
+-----------------------+-----------------------------------+------+-----+---------+-------+
mysql> select User,Password,Host from mysql.user;
+------------------+-------------------------------------------+---------------+
| User             | Password                                  | Host          |
+------------------+-------------------------------------------+---------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost     |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost     |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 | localhost     |
| wordpress        | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC | %             |
| phpbb            | *CA1F8B079BB2857835107EA008871B4691769547 | %             |
| dvwa             | *D67B38CDCD1A55623ED5F55856A29B9654FF823D | %             |
| mutillidae       | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 | %             |
| yazd             | *3758F91540524F48F92FE932883C54F6E802A13A | %             |
| personalblog     | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D | %             |
| yazd10           | *30B462BE16C04867D06113304F664BB9A5B573D8 | %             |
| peruggia         | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 | %             |
| ghost            | *9AE953952D993ED69779E70E28193A1EB8DDF91C | %             |
| gtd-php          | *C238B1FA6D14124C867DC9634DEB2CD731212094 | %             |
| getboo           | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 | %             |
| orangehrm        | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA | %             |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C | localhost     |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB | localhost     |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C | localhost     |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 | localhost     |
| jotto            | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 | %             |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 | localhost     |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 | localhost     |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 | localhost     |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE | localhost     |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B | localhost     |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED | localhost     |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 | localhost     |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 | localhost     |
| wackopicko       | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 | %             |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C | localhost     |
| sqlol            | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A | %             |
| cryptomg         | *2132873552FEDF6780E8060F927DD5101759C4DE | %             |
| webgoat.net      | *4BA609A0C9C18D80985519932BAC08C604119234 | %             |
| bricks           | *255195939290DC6D228944BCC682D2427DA57E21 | %             |
| bwapp            | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 | %             |
+------------------+-------------------------------------------+---------------+
mysql> desc wordpress.wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field               | Type                | Null | Key | Default             | Extra          |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |
| user_login          | varchar(60)         | NO   | MUL |                     |                |
| user_pass           | varchar(64)         | NO   |     |                     |                |
| user_nicename       | varchar(50)         | NO   |     |                     |                |
| user_email          | varchar(100)        | NO   |     |                     |                |
| user_url            | varchar(100)        | NO   |     |                     |                |
| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                |
| user_activation_key | varchar(60)         | NO   |     |                     |                |
| user_status         | int(11)             | NO   |     | 0                   |                |
| display_name        | varchar(250)        | NO   |     |                     |                |
+---------------------+---------------------+------+-----+---------------------+----------------+
mysql> select ID,user_login,user_pass from wordpress.wp_users;
+----+------------+----------------------------------+
| ID | user_login | user_pass                        |
+----+------------+----------------------------------+
|  1 | admin      | 21232f297a57a5a743894a0e4a801fc3 |
|  2 | user       | ee11cbb19052e40b07aac0ca060c23ee |
+----+------------+----------------------------------+

条件查询

mysql> select user,password,Host from mysql.user where user="root";
+------+-------------------------------------------+---------------+
| user | password                                  | Host          |
+------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
+------+-------------------------------------------+---------------+
mysql> select user,password,Host from mysql.user where user="root" and Host="localhost";
+------+-------------------------------------------+-----------+
| user | password                                  | Host      |
+------+-------------------------------------------+-----------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
+------+-------------------------------------------+-----------+

 

mysql> select user,password,Host from mysql.user where user="root" or Host="localhost";
+------------------+-------------------------------------------+---------------+
| user             | password                                  | Host          |
+------------------+-------------------------------------------+---------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost     |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1     |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost     |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost     |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 | localhost     |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C | localhost     |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB | localhost     |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C | localhost     |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 | localhost     |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 | localhost     |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 | localhost     |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 | localhost     |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE | localhost     |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B | localhost     |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED | localhost     |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 | localhost     |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 | localhost     |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C | localhost     |
+------------------+-------------------------------------------+---------------+
mysql> desc dvwa.users;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| user_id    | int(6)      | NO   | PRI | 0       |       |
| first_name | varchar(15) | YES  |     | NULL    |       |
| last_name  | varchar(15) | YES  |     | NULL    |       |
| user       | varchar(15) | YES  |     | NULL    |       |
| password   | varchar(32) | YES  |     | NULL    |       |
| avatar     | varchar(70) | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+
mysql> select user_id,password from dvwa.users where user="art";
Empty set (0.00 sec)
mysql> select user_id,password from dvwa.users where user="art" and 1=1;
Empty set (0.00 sec)
mysql> select user_id,password from dvwa.users where user="art" or 1=1;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 21232f297a57a5a743894a0e4a801fc3 |
|       2 | e99a18c428cb38d5f260853678922e03 |
|       3 | 8d3533d75ae2c3966d7e0d4fcc69216b |
|       4 | 0d107d09f5bbe40cade3de5c71e9e9b7 |
|       5 | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       6 | ee11cbb19052e40b07aac0ca060c23ee |
+---------+----------------------------------+

联合查询

mysql> select user,password from mysql.user union select user_login,user_pass from wordpress.wp_users;
+------------------+-------------------------------------------+
| user             | password                                  |
+------------------+-------------------------------------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 |
| wordpress        | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC |
| phpbb            | *CA1F8B079BB2857835107EA008871B4691769547 |
| dvwa             | *D67B38CDCD1A55623ED5F55856A29B9654FF823D |
| mutillidae       | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 |
| yazd             | *3758F91540524F48F92FE932883C54F6E802A13A |
| personalblog     | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D |
| yazd10           | *30B462BE16C04867D06113304F664BB9A5B573D8 |
| peruggia         | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 |
| ghost            | *9AE953952D993ED69779E70E28193A1EB8DDF91C |
| gtd-php          | *C238B1FA6D14124C867DC9634DEB2CD731212094 |
| getboo           | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 |
| orangehrm        | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA |
| webcal           | *E2E1F0A3459647AACF63319694BCBD107231B10C |
| gallery2         | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB |
| tikiwiki         | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C |
| joomla           | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 |
| jotto            | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 |
| hex              | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 |
| webmaster        | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 |
| kbloom           | *10A99DBC0772291AA6AF9A1A9271945340E4E812 |
| sendmail         | *47A91042510E7E966EF4075A934A77A57A9E71FE |
| undertaker       | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B |
| stealth          | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED |
| wraith           | *93ADDFABFCD5A66C95E97C73240D373413A01275 |
| citizens         | *E0E85D302E82538A1FDA46B453F687F3964A99B4 |
| wackopicko       | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 |
| wavsep           | *8028371417372EDAD5755F9653E93D7C1E87564C |
| sqlol            | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A |
| cryptomg         | *2132873552FEDF6780E8060F927DD5101759C4DE |
| webgoat.net      | *4BA609A0C9C18D80985519932BAC08C604119234 |
| bricks           | *255195939290DC6D228944BCC682D2427DA57E21 |
| bwapp            | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 |
| admin            | 21232f297a57a5a743894a0e4a801fc3          |
| user             | ee11cbb19052e40b07aac0ca060c23ee          |
+------------------+-------------------------------------------+
39 rows in set (0.11 sec)

union查询的前后字段必须相同,不足时可以用数字来代替;

mysql> select user,password from mysql.user union select user_login,user_pass from wordpress.wp_users limit 5;
+------------------+-------------------------------------------+
| user             | password                                  |
+------------------+-------------------------------------------+
| root             | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root             | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 |
| phpmyadmin       | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| vicnum           | *C7847100CDBE29050A338F78EA71F066D196ED98 |
+------------------+-------------------------------------------+
5 rows in set (0.00 sec)
mysql> select user,password from mysql.user where 1=2 union select user_login,user_pass from wordpress.wp_users limit 5;
+-------+----------------------------------+
| user  | password                         |
+-------+----------------------------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| user  | ee11cbb19052e40b07aac0ca060c23ee |
+-------+----------------------------------+

猜字段

mysql> select * from dvwa.users  union select 1;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users  union select 1,2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users  union select 1,2,3;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users  union select 1,2,3,4;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users  union select 1,2,3,4,5;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users  union select 1,2,3,4,5,6;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                           |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
|       1 | admin      | admin     | admin   | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg  |
|       6 | user       | user      | user    | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg    |
|       1 | 2          | 3         | 4       | 5                                | 6                                                |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
7 rows in set (0.00 sec)
mysql> select * from dvwa.users where 1=2 union select user_login,user_pass,3,4,5,6 from wordpress.wp_users;
+---------+----------------------------------+-----------+------+----------+--------+
| user_id | first_name                       | last_name | user | password | avatar |
+---------+----------------------------------+-----------+------+----------+--------+
| admin   | 21232f297a57a5a743894a0e4a801fc3 | 3         | 4    | 5        | 6      |
| user    | ee11cbb19052e40b07aac0ca060c23ee | 3         | 4    | 5        | 6      |
+---------+----------------------------------+-----------+------+----------+--------+

 

 

information_schema

+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

查看内存和负载信息

freeroot@owaspbwa:~# uptime
 07:21:00 up  3:57,  2 users,  load average: 0.00, 0.00, 0.00

卸载

a:~# umount /proc -l    不管忙不忙,只管卸载
root@owaspbwa:~# free
Cannot find /proc/version - is /proc mounted?

mount proc -t proc /proc

 

查询数据库名,表名         information_schema.tables

*************************** 638. row ***************************
  TABLE_CATALOG: NULL
   TABLE_SCHEMA: webcal
     TABLE_NAME: webcal_view
     TABLE_TYPE: BASE TABLE
         ENGINE: MyISAM
        VERSION: 10
     ROW_FORMAT: Dynamic
     TABLE_ROWS: 0
 AVG_ROW_LENGTH: 0
    DATA_LENGTH: 0
MAX_DATA_LENGTH: 281474976710655
   INDEX_LENGTH: 1024
      DATA_FREE: 0
 AUTO_INCREMENT: NULL
    CREATE_TIME: 2011-04-17 13:11:41
    UPDATE_TIME: 2011-04-17 13:11:41
     CHECK_TIME: NULL
TABLE_COLLATION: latin1_swedish_ci
       CHECKSUM: NULL
 CREATE_OPTIONS: 
  TABLE_COMMENT: 

上面是information_schema.TABLES表的部分内容,记录了表的一些信息;

mysql> select DISTINCT TABLE_SCHEMA from TABLES;  相当于show databases;
+--------------------+
| TABLE_SCHEMA       |
+--------------------+
| information_schema |
| bricks             |
| bwapp              |
| citizens           |
| cryptomg           |
| dvwa               |
| gallery2           |
| getboo             |
| ghost              |
| gtd-php            |
| hex                |
| isp                |
| joomla             |
| mutillidae         |
| mysql              |
| nowasp             |
| orangehrm          |
| personalblog       |
| peruggia           |
| phpbb              |
| phpmyadmin         |
| proxy              |
| rentnet            |
| sqlol              |
| tikiwiki           |
| vicnum             |
| wackopicko         |
| wavsepdb           |
| webcal             |
| webgoat_coins      |
| wordpress          |
| wraithlogin        |
| yazd               |
+--------------------+
mysql> select TABLE_SCHEMA,TABLE_NAME from TABLES limit 5;
+--------------------+---------------------------------------+
| TABLE_SCHEMA       | TABLE_NAME                            |
+--------------------+---------------------------------------+
| information_schema | CHARACTER_SETS                        |
| information_schema | COLLATIONS                            |
| information_schema | COLLATION_CHARACTER_SET_APPLICABILITY |
| information_schema | COLUMNS                               |
| information_schema | COLUMN_PRIVILEGES                     |
+--------------------+---------------------------------------+
mysql> select TABLE_SCHEMA,GROUP_CONCAT(TABLE_NAME) from TABLES group by TABLE_SCHEMA \G  ; 
*************************** 1. row ***************************
            TABLE_SCHEMA: bricks
GROUP_CONCAT(TABLE_NAME): users
*************************** 2. row ***************************
            TABLE_SCHEMA: bwapp
GROUP_CONCAT(TABLE_NAME): blog,users,movies,heroes
mysql> select TABLE_NAME from TABLES where TABLE_SCHEMA='dvwa';
+------------+
| TABLE_NAME |
+------------+
| guestbook  |
| users      |
+------------+

 

 

查询数据库名,表名,字段名   information_schema.columns

************************** 4682. row ***************************
           TABLE_CATALOG: NULL
            TABLE_SCHEMA: yazd                    库名
              TABLE_NAME: yazduserprop            表名
             COLUMN_NAME: propValue         字段名
        ORDINAL_POSITION: 3
          COLUMN_DEFAULT: NULL
             IS_NULLABLE: NO
               DATA_TYPE: varchar
CHARACTER_MAXIMUM_LENGTH: 255
  CHARACTER_OCTET_LENGTH: 255
       NUMERIC_PRECISION: NULL
           NUMERIC_SCALE: NULL
      CHARACTER_SET_NAME: latin1
          COLLATION_NAME: latin1_swedish_ci
             COLUMN_TYPE: varchar(255)
              COLUMN_KEY: 
                   EXTRA: 
              PRIVILEGES: select,insert,update,references
          COLUMN_COMMENT: 
mysql> select COLUMN_NAME from information_schema.columns \G; 查询所有的字段名
mysql> select COLUMN_NAME from information_schema.columns where table_schema="yazd" and table_name="yazduserprop";
+-------------+
| COLUMN_NAME |
+-------------+
| userID      |
| name        |
| propValue   |
+-------------+

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!