What exactly does MySQL's information_schema database contain? & the basic essentials of manual injection. # View the database version
Mysql> select @@version;
+ ------------ +
| @@version |
+ ------------ +
| 5.5.16-log |
+ ------------ +
1 row in set (0.00 sec)
Mysql> select * from information_schema.schemata; # lists every database the current account can see; the key field is schema_name.
# 2 rows in set (0.04 sec) means two databases are visible to this account. information_schema only exposes databases on which the account holds some privilege, so a low-privileged injection point may see fewer databases than actually exist on the server.
+ -------------- + -------------------- + ------------------------------ + ---------------------- + ---------- +
| Catalog_name | schema_name | default_character_set_name | default_collation_name | SQL _path |
+ -------------- + -------------------- + ------------------------------ + ---------------------- + ---------- +
| Def | information_schema | utf8 | utf8_general_ci | null |
| Def | test | gb2312 | gb2312_chinese_ci | null |
+ -------------- + -------------------- + ------------------------------ + ---------------------- + ---------- +
Mysql> select * from information_schema.columns ;#
# The key fields are table_schema, table_name and column_name (411 rows in set (0.05 sec)). Filter on table_schema as well as table_name when enumerating: the same table name can exist in several databases, and information_schema's own tables are included in the result.
+ --------------- + -------------------- + --------------------------------------- + ----------------------------- + ------------------
| Table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type |
Character_maximum_length | character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name | column_type | column_key | extra
| Privileges | column_comment |
+ --------------- + -------------------- + --------------------------------------- + ----------------------------- + ------------------
Mysql> select * from information_schema.tables; # lists every table visible to the account, including information_schema's own tables. 38 rows in set (0.09 sec) means 38 tables in total, not 38 user tables.
Mysql> select count (*) from information_schema.tables; # count (*) returns the total number of rows (that is, the number of records)
+ ---------- +
| Count (*) |
+ ---------- +
| 38 |
+ ---------- +
1 row in set (0.00 sec)
# The key fields are table_schema (the database name) & table_name
+ --------------- + -------------------- + --------------------------------------- + ------------- + -------- + --------- + ------------ + --
| Table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length |
Max_data_length | index_length | data_free | auto_increment | create_time | update_time | check_time | table_collation | checksum | create_options |
Table_comment |
+ --------------- + -------------------- + --------------------------------------- + ------------- + -------- + --------- + ------------ + --
Mysql> select * from information_schema.tables where table_schema = "test";
# The key columns are table_name and table_schema (the database name). Note: the string literal must match exactly (no trailing space), and double-quoted strings stop being string literals when the server runs with sql_mode ANSI_QUOTES, so single quotes (or a hex literal such as 0x74657374) are the safer choice in an injection payload.
+ --------------- + -------------- + ------------ + -------- + ----------- + ------------ + ---------------- + -----
| Table_catalog | table_schema | table_name | table_type | engine | version | row_format | table_rows | avg_row_length | data_length | max_data_length | index_length |
Data_free | auto_increment | create_time | update_time | check_time | table_collation | checksum | create_options | table_comment |
+ --------------- + -------------- + ------------ + -------- + ----------- + ------------ + ---------------- + -----
| Def | test | t_users | base table | innodb | 10 | compact | 0 | 0 | 16384 | 0 | 16384 | 9437184 | 1 | 2012-10
-06 12:21:23 | null | gb2312_chinese_ci | null |
+ --------------- + -------------- + ------------ + -------- + ----------- + ------------ + ---------------- + -----
1 row in set (0.00 sec)
Mysql> select * from information_schema.columns where table_name = "t_users";
# The goal is to obtain column_name. In practice add "and table_schema = 'test'": table_name alone matches every database that has a table of that name.
+ --------------- + -------------- + ------------ + ------------- + ------------------ + ---------------- + ------------- + ----------- + ----
| Table_catalog | table_schema | table_name | column_name | ordinal_position | column_default | is_nullable | data_type | character_maximum_length |
Character_octet_length | numeric_precision | numeric_scale | character_set_name | collation_name | column_type | column_key | extra | privileges |
Column_comment |
+ --------------- + -------------- + ------------ + ------------- + ------------------ + ---------------- + ------------- + ----------- + ----
| Def | test | t_users | id | 1 | null | no | int | null | 10 | 0 | null |
Null | int (11) | pri | auto_increment | select, insert, update, references |
| Def | test | t_users | name | 2 | null | no | text | 65535 | 65535 | null | gb2312
| Gb2312_chinese_ci | text | select, insert, update, references |
| Def | test | t_users | password | 3 | null | no | text | 65535 | 65535 | null | gb2312
| Gb2312_chinese_ci | text | select, insert, update, references |
+ --------------- + -------------- + ------------ + ------------- + ------------------ + ---------------- + ------------- + ----------- + ----
3 rows in set (0.01 sec)
Mysql> select "id", "password" from information_schema.columns where table_name = "t_users";
# Note: the select list here is two string constants, not columns, so each matching row just echoes the constants back ("id", "password") — one row per column of t_users. This is how a UNION-based injection discovers which select positions are rendered on the page: put a distinctive constant in each position and see which one appears.
# Under ANSI_QUOTES a double-quoted "id" would be parsed as an identifier instead, so use numbers or single-quoted strings for the markers.
+ ---- + ---------- +
| Id | password |
+ ---- + ---------- +
| Id | password |
| Id | password |
| Id | password |
+ ---- + ---------- +
3 rows in set (0.02 sec)
Mysql> use test; # use this database
Database changed
Mysql> select * from test;
Error 1146 (42S02): table 'test.test' doesn't exist   # "test" is the database name, not a table; the table is t_users
Mysql> select * from t_users;
Empty set (0.00 sec)
With the table and column names read from information_schema there is nothing left to guess blindly except the values themselves.
insert into `t_users` (`id`, `name`, `password`) values (001, 'Zhang sancrazy', '123456');
# Insert a record so the extraction steps below have something to work with (identifiers are quoted with backticks, not single quotes; the password value has to be '123456' to match the output that follows)
Mysql> select * from t_users;
+ ---- + -------- + ---------- +
| Id | name | password |
+ ---- + -------- + ---------- +
| 1 | Zhang sancrazy | 123456 |
+ ---- + -------- + ---------- +
1 row in set (0.00 sec)
# Without INSERT privilege (the normal situation at an injection point) nothing can be written; the existing values have to be inferred one character at a time from true/false responses — blind injection.
Mysql> select count (*) from t_users where len (password) = 12;
Error 1305 (42000): function test. len does not exist
Mysql>
# Binary search
# The error above is expected: len() does not exist in MySQL, where the function is length(); len() is the MS Access / SQL Server name.
Mysql> select count (*) from t_users where length (password) = 12;
# (The original transcript repeats the len() error line here by mistake; length() is valid and this query simply returns a count of 0, since the stored password is 6 characters long — see below.)
# First determine the password length. Caveat: length() counts bytes and char_length() counts characters; they differ for multi-byte data such as the gb2312 name column, so use char_length() when the target may contain non-ASCII text.
Mysql> select password from t_users where length (password) <6;
Empty set (0.00 sec)
Mysql> select password from t_users where length (password)> 6;
Empty set (0.00 sec)
Mysql> select password from t_users where length (password) = 6;
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
1 row in set (0.00 sec)
# Guess character by character
Select * from t_users where asc (left (password, 1)) > 0;   # Access-style asc() — this fails in MySQL; the MySQL form is ascii(left(password, 1)) > 0 (or ord() for multi-byte characters)
Mysql> select password from t_users where left (password, 1) <1;
Empty set (0.00 sec)
Mysql> select password from t_users where left (password, 1) <2;
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
# left(password, 1) < 2 is true while left(password, 1) < 1 is false, so the first character is '1'. This relies on MySQL implicitly casting the one-character string to a number; a non-numeric character casts to 0, which makes the test ambiguous, so prefer ascii()/ord() as shown below.
# The following is NOT a direct query of the password:
Mysql> select password from t_users where length ('password')> 0;   # 'password' in quotes is an 8-character string literal, not the column, so the condition is always true and every row is returned — a tautology, not a check
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
1 row in set (0.00 sec)
Mysql> select password from t_users where ascii (left (password, 1)) <2;
Empty set (0.00 sec)
# In MySQL the function is ascii() (ord() for multi-byte characters); asc() is the MS Access name. Every function name must be spelled out in full.
Mysql> select password from t_users where ascii (left (password, 1)) = 49;
+ ---------- +
| Password |
+ ---------- +
| 123456 |
# Each character can be found either by comparing the value directly (one request per candidate) or by binary search on its ASCII code with < and > (about seven requests per character for printable ASCII); the binary search needs far fewer requests and is the usual approach in blind injection.
# Repeat for every position until all length(password) characters are known.
# Chinese names are harder: in gb2312 each character is two bytes (three in utf8), so byte-based length() and ascii() no longer map one-to-one to characters.
>>> int("Zhang")   # the argument was a single Chinese character, stored as the gb2312 byte pair \xd6\xec
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: invalid literal for int() with base 10: '\xd6\xec'
>>>
>>> Chr (66)
'B'
>>>
# A multi-byte character can still be compared as a whole string, provided the payload is sent in the table's character set (gb2312 here) or as a hex literal.
Mysql> select password from t_users where left (name, 1) = "Zhang";
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
1 row in set (0.00 sec)
Mysql> select password from t_users where left (name, 2) = "Zhang ";
Empty set (0.00 sec)
# Remember that left(str, n) returns the first n characters, so the whole n-character prefix must be supplied; a one-character value never matches left(name, 2). (The name literals in the next query are rendered inconsistently by the translation of this transcript.)
Mysql> select password from t_users where left (name, 2) = "James ";
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
# mid(str, pos, len) — extract one character at a given position, here the 2nd character of the name (the literal shown is the transcript's translation of that character)
Mysql> select password from t_users where mid (name, 2, 1) = "3";
+ ---------- +
| Password |
+ ---------- +
| 123456 |
+ ---------- +
1 row in set (0.00 sec)