信安週報-第03周:DB系統表
信安之路
第03周
前言
這周自主研究的任務以下:php
任務附錄的解釋:html
- 文件讀寫在經過數據庫注入漏洞獲取webshell的時候頗有用
- 系統庫和表存放了不少關鍵信息,在利用注入漏洞獲取更多信息和權限的過程頗有幫助
- eg:庫信息、表信息、用戶信息、權限信息、安裝配置信息
- 用戶信息表通常密碼都是hash加密過的,能夠利用hashcat暴力破解(GPU)
1.文件操做相關
1.1.探索與發現
須要什麼權限才能夠進行文件讀寫操做,看個簡單測試:mysql
讀寫前提:
secure_file_priv不爲NULL、用戶具備File權限(mysql.user中用戶的file_priv=Y)linux
先看權限:nginx
root@localhost帳號直接能夠讀取文件git
命令附錄:github
show variables like 'secure_file_priv';
select user,host,file_priv from mysql.user;
select load_file("etc/passwd");
1.2.參數說明
secure_file_priv的簡單說明:web
PS:
MariaDB5.x默認爲空,sql
- secure_file_priv=
NULL- 表示不容許文件讀寫
- secure_file_priv=
/xxx(/則表明任意目錄讀寫)- 表示只能在指定目錄
/xxx中文件讀寫,其餘目錄不行
- 表示只能在指定目錄
- secure_file_priv爲空時
- 表示可在任意目錄文件讀寫
PS:目標文件大小必須小於select @@max_allowed_packet;的值shell
# MariaDB默認值 MariaDB [(none)]> select @@max_allowed_packet; +----------------------+ | @@max_allowed_packet | +----------------------+ | 1048576 | +----------------------+ 1 row in set (0.00 sec)
1.3.用戶受權
bryan帳號原本是沒file權限的(file_priv=N)
咱們受權一下:grant file on *.* to bryan@'%';
PS:查看數據庫支持哪些權限:
show privileges;、刷新權限:flush privileges;
這時候用root權限查看下bryan的file_priv就會發現有權限了
PS:回收權限:
revoke file from *.* from bryan@'%'
1.4.load_file測試
本地測試:bryan@localhost
遠程測試:bryan@'%'(重開一個查詢窗口/會話)
1.5.load data infile測試
load data infile的主要做用就是從一個文本文件中讀取行,並寫入一個表中
語法:
load data infile '文件路徑' into table 表名;
1.6.select into outfile測試
select into outfile主要做用就是:把查詢寫入文件中
語法:
select * from 表名 into outfile '權限範圍內文件路徑';
PS:若是文件已經存在則寫入失敗
刪除了臨時文件夾建立也會失敗,必須重啓數據庫,或者建立文件夾後改爲mysql全部
系統中真正路徑:
擴展:system命令
mysql命令行下的system摸索過程:
PS:任意讀 + 權限範圍內寫(
本地執行orSSH鏈接Linux進入MySQL命令行執行)
滲透思路:
- 讀取某些敏感的配置文件(eg:數據庫鏈接的配置文件)
- 當有目錄越權訪問漏洞的時候能夠越權執行腳本(權限範圍內的目錄中寫入腳本)
PS C:\Users\Mao> ssh -l bryan 192.168.0.9
bryan@192.168.0.9 password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.0.0-23-generic x86_64)
bryan@bryan-pc:~$ mysql -ubryan -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.27-0ubuntu0.18.04.1-log (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
# mysql> select user();
+-----------------+
| user() |
+-----------------+
| bryan@localhost |
+-----------------+
1 row in set (0.06 sec)
# mysql> system ls /home
dnt
# mysql> system ls /var/www/html
index.nginx-debian.html index.php
# mysql> system cat /var/www/html/index.php
<?php
phpinfo();
?>
# mysql> system vi /home/bryan/test.py
# mysql> system cat /home/bryan/test.py
print("test")
# mysql> system cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
bryan:x:1000:1000:xxx:/home/bryan:/bin/bash
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
nginx:x:1001:1001::/home/nginx:/sbin/nologin
擴展命令:pager
重定向查詢結果:pager cat >> /home/dnt/test.log
把查詢的結果,所有追加寫入到指定文件中(只針對當前會話)
2.獲取系統信息
2.1.獲取數據庫版本
select version(); or select @@version;
2.2.獲取操做系統類型
select @@version_compile_os;
2.3.獲取服務器主機名
select @@hostname;
3.獲取DB信息
3.1.獲取數據庫列表
select schema_name from information_schema.schemata;
PS:MySQL5.x能夠經過schemata表來查詢
權限範圍內的數據庫
root權限下獲取全部DB列表
PS:root權限可使用 select schema_name from information_schema.schemata; or select distinct(db) from mysql.db; 來顯示全部數據庫
3.2.獲取當前數據庫
獲取正在use的數據庫:select database();
3.3.獲取指定DB有哪些表
select table_schema,table_name,table_type,engine from information_schema.tables where table_schema = '數據庫名';
3.4.查詢指定表含哪些列
select table_schema,table_name,column_name from information_schema.columns where table_schema= '數據庫名' and table_name = '表名';
PS:查詢除內置數據庫外其餘數據庫和表:select table_schema,table_name,column_name from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' order by table_schema,table_name;
尋找本身感興趣的列
根據特定關鍵詞就能夠省去暴力解猜:select table_schema,table_name,column_name from information_schema.columns where column_name like 'pass%' or column_name like 'user%';
3.5.獲取目錄信息
- 獲取數據庫安裝目錄:
select @@basedir; - 獲取數據目錄:
select @@datadir;
目錄驗證:
mysql> show variables like '%basedir%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | basedir | /usr/ | +---------------+-------+ 1 row in set (0.00 sec) mysql> show variables like '%datadir%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | datadir | /var/lib/mysql/ | +---------------+-----------------+ 1 row in set (0.00 sec)
4.獲取用戶信息
4.1.獲取當前用戶名
select user(); or select system_user(); or select current_user;
獲取用戶信息(含密碼)
【root權限】顯示全部用戶(含密碼)
MariaDB5.x:select user,host,password from mysql.user;
MySQL5.x:select user,host,authentication_string from mysql.user;
PS:系統生成的加密sha字符串是41位(*1位+sha40位)
sha1是40位,但mysql的加密是變種sha1
4.2.查看指定DB的用戶權限
select grantee, table_schema, privilege_type from information_schema.schema_privileges where table_schema = 'safe_db';
4.3.查詢用戶權限列表
select grantee, privilege_type, is_grantable from information_schema.user_privileges;
PS:也可以使用
show grants for bryan;
PS:root權限查詢的更全面
root權限經過mysql.user查詢更詳細權限信息
【root權限】經過mysql.user查詢更詳細權限信息:select host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv from mysql.user;
- Select_priv:用戶是否能夠經過SELECT命令選擇數據
- Insert_priv:用戶是否能夠經過INSERT命令插入數據
- Update_priv:用戶是否能夠經過UPDATE命令修改現有數據
- Delete_priv:用戶是否能夠經過DELETE命令刪除現有數據
- Create_priv:用戶是否能夠建立新的數據庫和表
- Drop_priv:用戶是否能夠刪除現有數據庫和表
- Reload_priv:用戶是否能夠執行刷新和從新加載MySQL所用各類內部緩存的特定命令(包括日誌、權限、主機、查詢和表從新加載權限表)
- Shutdown_priv:用戶是否能夠關閉MySQL服務器(不推薦付給root外用戶)
- Process_priv:用戶是否能夠經過
show processlist;命令查看其餘用戶的進程服務器管理 - File_priv:用戶是否能夠執行
select into outfile和load data infile命令加載服務器上的文件 - Grant_priv:用戶是否能夠將已經授予給該用戶本身的權限再授予其餘用戶(可賦予所有已有權限)
- References_priv:目前只是某些將來功能的佔位符;如今沒有做用
- Index_priv:用戶是否能夠建立和刪除表索引用索引查詢表
- Alter_priv:用戶是否能夠重命名和修改表結構
- Show_db_priv:用戶是否能夠查看服務器上全部數據庫的名字(不推薦開啓)
- Super_priv:用戶是否能夠執行某些強大的管理功能
- 例如經過
kill命令刪除用戶進程 - 使用
set global修改全局MySQL變量 - 執行關於複製和日誌的各類命令超級權限
- 例如經過
- Create_tmp_table_priv:用戶是否能夠建立臨時表
- Lock_tables_priv:用戶是否可使用
lock tables命令阻止對錶的訪問/修改 - Execute_priv:用戶是否能夠執行存儲過程此(MySQL 5新增)
- Repl_slave_priv:用戶是否能夠讀取用於維護複製數據庫環境的二進制日誌文件
- Repl_client_priv:用戶是否能夠肯定複製從服務器和主服務器的位置從服務器管理
- Create_view_priv:用戶是否能夠建立視圖(MySQL 5新增)
- Show_view_priv:用戶是否能夠查看視圖或瞭解視圖如何執行(MySQL 5新增)
- Create_routine_priv:用戶是否能夠更改或放棄存儲過程和函數(MySQL 5新增)
- Alter_routine_priv:用戶是否能夠修改或刪除存儲函數及函數(MySQL 5新增)
- Create_user_priv:用戶是否能夠執行
CREATE USER用於建立新的MySQL帳戶 - Event_priv:用戶是否建立、修改和刪除事件(MySQL 5.1.6新增)
- Trigger_priv:用戶是否建立和刪除觸發器(MySQL 5.1.6新增)
- Create_tablespace_priv:用戶是否能夠建立表空間
MariaDB [safe_db]> select host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv from mysql.user\G;
*************************** 1. row ***************************
host: localhost
user: root
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
*************************** 2. row ***************************
host: %
user: root
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
。。。。。。
*************************** 5. row ***************************
host: %
user: bryan
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
6 rows in set (0.00 sec)
擴展
查看當前數據庫支持哪些權限:show privileges;
獲取列的權限列表(用的很少)
select table_schema, table_name, column_name, privilege_type from information_schema.column_privileges;
5.hashcat初探
官方下載地址:https://hashcat.net/hashcat/
PS:GitHub:https://github.com/hashcat/hashcat
簡單使用:hashcat64 --force -a 破解模式編號 -m hash類型 須要破解的hash文件路徑 字典路徑
Linux:./hashcat64 -a 0 -m 300 ./test.hash ./test.dict --show
PS:若是出問題把
--show去除便可
PS:Win下:hashcat64.exe -a 0 -m 300 test.hash test.dict --show
5.1.參數說明
-a 指定要使用的破解模式,其值參考後面對參數。「-a 0」字典攻擊,「-a 1」 組合攻擊;「-a 3」掩碼攻 擊。 -m 指定要破解的hash類型,若是不指定類型,則默認是MD5 -o 指定破解成功後的hash及所對應的明文密碼的存放位置,能夠用它把破解成功的hash寫到指定的文件中 --force 忽略破解過程當中的警告信息,跑單條hash可能須要加上此選項 --show 顯示已經破解的hash及該hash所對應的明文 --increment 啓用增量破解模式,你能夠利用此模式讓hashcat在指定的密碼長度範圍內執行破解過程 --increment-min 密碼最小長度,後面直接等於一個整數便可,配置increment模式一塊兒使用 --increment-max 密碼最大長度,同上 --outfile-format 指定破解結果的輸出格式id,默認是3 --username 忽略hash文件中的指定的用戶名,在破解linux系統用戶密碼hash可能會用到 --remove 刪除已被破解成功的hash -r 使用自定義破解規則
5.2.攻擊模式
0 = Straight (字典破解) 1 = Combination (組合破解) 2 = Toggle-Case (大小寫轉換) 3 = Brute-force(掩碼暴力破解) 4 = Permutation(序列破解) 5 = Table-Lookup(查表破解) 6 = Hybrid dict + mask 字典加掩碼破解 7 = Hybrid mask + dict 掩碼+字典破解 8 = Prince(王子破解)
5.3.Hash類型
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)
200 = MySQL323
300 = MySQL4.1/MySQL5
400 = phpass, MD5(WordPress), MD5(phpBB3),MD5(Joomla)
500 = md5crypt, MD5(Unix), FreeBSD MD5,Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials (DCC), MSCache
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1430 = sha256(unicode($pass).$salt)
1431 = base64(sha256(unicode($pass)))
1440 = sha256($salt.unicode($pass))
1450 = HMAC-SHA256 (key = $pass)
1460 = HMAC-SHA256 (key = $salt)
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1730 = sha512(unicode($pass).$salt)
1740 = sha512($salt.unicode($pass))
1750 = HMAC-SHA512 (key = $pass)
1760 = HMAC-SHA512 (key = $salt)
1800 = SHA-512(Unix)
2400 = Cisco-PIX MD5
2410 = Cisco-ASA MD5
2500 = WPA/WPA2
2600 = Double MD5
3200 = bcrypt, Blowfish(OpenBSD)
3300 = MD5(Sun)
3500 = md5(md5(md5($pass)))
3610 = md5(md5($salt).$pass)
3710 = md5($salt.md5($pass))
3720 = md5($pass.md5($salt))
3800 = md5($salt.$pass.$salt)
3910 = md5(md5($pass).md5($salt))
4010 = md5($salt.md5($salt.$pass))
4110 = md5($salt.md5($pass.$salt))
4210 = md5($username.0.$pass)
4300 = md5(strtoupper(md5($pass)))
4400 = md5(sha1($pass))
4500 = Double SHA1
4600 = sha1(sha1(sha1($pass)))
4700 = sha1(md5($pass))
4800 = MD5(Chap), iSCSI CHAP authentication
4900 = sha1($salt.$pass.$salt)
5000 = SHA-3(Keccak)
5100 = Half MD5
5200 = Password Safe SHA-256
5300 = IKE-PSK MD5
5400 = IKE-PSK SHA1
5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
5600 = NetNTLMv2
5700 = Cisco-IOS SHA256
5800 = Android PIN
6300 = AIX {smd5}
6400 = AIX {ssha256}
6500 = AIX {ssha512}
6700 = AIX {ssha1}
6900 = GOST, GOST R 34.11-94
7000 = Fortigate (FortiOS)
7100 = OS X v10.8+
7200 = GRUB 2
7300 = IPMI2 RAKP HMAC-SHA1
7400 = sha256crypt, SHA256(Unix)
7900 = Drupal7
8400 = WBB3, Woltlab Burning Board 3
8900 = scrypt
9200 = Cisco $8$
9300 = Cisco $9$
9800 = Radmin2
10000 = Django (PBKDF2-SHA256)
10200 = Cram MD5
10300 = SAP CODVN H (PWDSALTEDHASH) iSSHA-1
11000 = PrestaShop
11100 = PostgreSQL Challenge-ResponseAuthentication (MD5)
11200 = MySQL Challenge-Response Authentication(SHA1)
11400 = SIP digest authentication (MD5)
99999 = Plaintext
特殊哈希類型
11 = Joomla < 2.5.18
12 = PostgreSQL
21 = osCommerce, xt:Commerce
23 = Skype
101 = nsldap, SHA-1(Base64), Netscape LDAPSHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAPSSHA
112 = Oracle S: Type (Oracle 11+)
121 = SMF > v1.1
122 = OS X v10.4, v10.5, v10.6
123 = EPi
124 = Django (SHA-1)
131 = MSSQL(2000)
132 = MSSQL(2005)
133 = PeopleSoft
141 = EPiServer 6.x < v4
1421 = hMailServer
1441 = EPiServer 6.x > v4
1711 = SSHA-512(Base64), LDAP {SSHA512}
1722 = OS X v10.7
1731 = MSSQL(2012 & 2014)
2611 = vBulletin < v3.8.5
2612 = PHPS
2711 = vBulletin > v3.8.5
2811 = IPB2+, MyBB1.2+
3711 = Mediawiki B type
3721 = WebEdition CMS
7600 = Redmine Project Management Web App
附錄
1.獲取系統信息
# 獲取數據庫版本 MariaDB [(none)]> select version(); +----------------+ | version() | +----------------+ | 5.5.60-MariaDB | +----------------+ 1 row in set (0.00 sec) MariaDB [(none)]> select @@version; +----------------+ | @@version | +----------------+ | 5.5.60-MariaDB | +----------------+ 1 row in set (0.00 sec) # 獲取操做系統 MariaDB [(none)]> select @@version_compile_os; +----------------------+ | @@version_compile_os | +----------------------+ | Linux | +----------------------+ 1 row in set (0.00 sec) # 獲取主機名 MariaDB [(none)]> select @@hostname; +-----------------------+ | @@hostname | +-----------------------+ | localhost.localdomain | +-----------------------+ 1 row in set (0.00 sec) mysql> select @@hostname; +------------+ | @@hostname | +------------+ | bryan-pc | +------------+ 1 row in set (0.00 sec)
2.獲取DB信息
# 1.MySQL5.x能夠經過schemata表來查詢`權限範圍內`的數據庫 MariaDB [safe_db]> select schema_name from information_schema.schemata; +--------------------+ | schema_name | +--------------------+ | information_schema | | safe_db | | work_db | +--------------------+ 3 rows in set (0.00 sec) # 驗證以下:show databases; MariaDB [safe_db]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | safe_db | | work_db | +--------------------+ 3 rows in set (0.00 sec) # 【root】顯示全部數據庫 MariaDB [(none)]> select schema_name from information_schema.schemata; +--------------------+ | schema_name | +--------------------+ | information_schema | | mysql | | performance_schema | | safe_db | | test_db | | work_db | +--------------------+ 6 rows in set (0.00 sec) # 【root】顯示全部數據庫(只要受權過的數據庫都會顯示出來) MariaDB [(none)]> select distinct(db) from mysql.db; +---------+ | db | +---------+ | safe_db | | test_db | | work_db | +---------+ 3 rows in set (0.00 sec) # 獲取當前數據庫 MariaDB [safe_db]> select database(); +------------+ | database() | +------------+ | safe_db | +------------+ 1 row in set (0.00 sec) # 2.查詢safe_db裏的表名和視圖 MariaDB [safe_db]> select table_schema,table_name,table_type,engine from information_schema.tables where table_schema = 'safe_db'; +--------------+---------------+------------+--------+ | table_schema | table_name | table_type | engine | +--------------+---------------+------------+--------+ | safe_db | file_records | BASE TABLE | InnoDB | | safe_db | users | BASE TABLE | InnoDB | | safe_db | view_userinfo | VIEW | NULL | +--------------+---------------+------------+--------+ 3 rows in set (0.00 sec) # 3.查詢指定表含哪些列 MariaDB [(none)]> select table_schema,table_name,column_name from information_schema.columns where table_schema= 'safe_db' and table_name = 'users'; +--------------+------------+-------------+ | table_schema | table_name | column_name | +--------------+------------+-------------+ | safe_db | users | id | | safe_db | users | username | | safe_db | users | password | | safe_db | users | email | | safe_db | users | tel | | safe_db | users | usercode | | safe_db | users | createtime | | safe_db | users | updatetime | | safe_db | users | datastatus | +--------------+------------+-------------+ 9 rows in set (0.00 sec) # 查詢除內置數據庫外其餘數據庫和表 MariaDB [(none)]> select table_schema,table_name,column_name from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' order by table_schema,table_name; +--------------+---------------+-------------+ | table_schema | table_name | column_name | +--------------+---------------+-------------+ | safe_db | file_records | id | | safe_db | file_records | datastatus | | safe_db | file_records | createtime | | safe_db | file_records | url | | safe_db | file_records | ip | | safe_db | file_records | user_id | | safe_db | file_records | meta_type | | safe_db | file_records | md5 | | safe_db | file_records | file_name | | safe_db | users | datastatus | | safe_db | users | updatetime | | safe_db | users | createtime | | safe_db | users | usercode | | safe_db | users | tel | | safe_db | users | email | | safe_db | users | password | | safe_db | users | username | | safe_db | users | id | | safe_db | view_userinfo | datastatus | | safe_db | view_userinfo | tel | | safe_db | view_userinfo | email | | safe_db | view_userinfo | password | | safe_db | view_userinfo | username | | safe_db | view_userinfo | id | | work_db | users | id | | work_db | users | user_name | | work_db | users | pass | +--------------+---------------+-------------+ 27 rows in set (0.00 sec) # 尋找本身感興趣的列 MariaDB [(none)]> select table_schema,table_name,column_name from information_schema.columns where column_name like 'pass%' or column_name like 'user%'; +--------------------+-----------------+-------------+ | table_schema | table_name | column_name | +--------------------+-----------------+-------------+ | information_schema | PROCESSLIST | USER | | information_schema | USER_STATISTICS | USER | | safe_db | file_records | user_id | | safe_db | users | username | | safe_db | users | password | | safe_db | users | usercode | | safe_db | view_userinfo | username | | safe_db | view_userinfo | password | | work_db | users | user_name | | work_db | users | pass | +--------------------+-----------------+-------------+ 10 rows in set (0.01 sec) # 獲取數據庫安裝目錄 MariaDB [(none)]> select @@basedir; +-----------+ | @@basedir | +-----------+ | /usr | +-----------+ 1 row in set (0.00 sec) # 獲取數據目錄 MariaDB [(none)]> select @@datadir; +-----------------+ | @@datadir | +-----------------+ | /var/lib/mysql/ | +-----------------+ 1 row in set (0.00 sec)
3.獲取用戶信息
# 查看當前用戶
MariaDB [(none)]> select user();
+-----------------+
| user() |
+-----------------+
| bryan@localhost |
+-----------------+
1 row in set (0.00 sec)
MariaDB [(none)]> select system_user();
+-----------------+
| system_user() |
+-----------------+
| bryan@localhost |
+-----------------+
1 row in set (0.00 sec)
MariaDB [(none)]> select current_user;
+--------------+
| current_user |
+--------------+
| bryan@% |
+--------------+
1 row in set (0.00 sec)
# MariaDB5.x ~ 【root】顯示全部用戶(含密碼)
MariaDB [(none)]> select user,host,password from mysql.user;
+-------+-----------+-------------------------------------------+
| user | host | password |
+-------+-----------+-------------------------------------------+
| root | localhost | *5E6EF6ECECBC479438947268E744A8097EB19B62 |
| root | % | |
| root | 127.0.0.1 | *5E6EF6ECECBC479438947268E744A8097EB19B62 |
| root | ::1 | *5E6EF6ECECBC479438947268E744A8097EB19B62 |
| bryan | % | *F79F429101E0EB00B8132FC6874AEC01315F2088 |
| dnt | % | *1132FE0C4288F794EBF0B330344ECAFDCDD01EE9 |
+-------+-----------+-------------------------------------------+
# MySQL5.x ~ 【root】顯示全部用戶(含密碼)
mysql> select user,host,authentication_string from mysql.user;
+------------------+-----------+-------------------------------------------+
| user | host | authentication_string |
+------------------+-----------+-------------------------------------------+
| root | localhost | |
| mysql.session | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | localhost | *8D894A8D6A636A0B04DAABD0905B58349E106D6E |
| bryan | % | *F79F429101E0EB00B8132FC6874AEC01315F2088 |
+------------------+-----------+-------------------------------------------+
5 rows in set (0.02 sec)
# PS:MySQL的sha1是變種加密
MariaDB [safe_db]> select password('xxxx');
+-------------------------------------------+
| password('xxxx') |
+-------------------------------------------+
| *F79F429101E0EB00B8132FC6874AEC01315F2088 |
+-------------------------------------------+
1 row in set (0.00 sec)
# 查看指定數據庫授予用戶的權限
MariaDB [(none)]> select grantee, table_schema, privilege_type from information_schema.schema_privileges where table_schema = 'safe_db';
+-------------+--------------+-------------------------+
| grantee | table_schema | privilege_type |
+-------------+--------------+-------------------------+
| 'bryan'@'%' | safe_db | SELECT |
| 'bryan'@'%' | safe_db | INSERT |
| 'bryan'@'%' | safe_db | UPDATE |
| 'bryan'@'%' | safe_db | DELETE |
| 'bryan'@'%' | safe_db | CREATE |
| 'bryan'@'%' | safe_db | DROP |
| 'bryan'@'%' | safe_db | REFERENCES |
| 'bryan'@'%' | safe_db | INDEX |
| 'bryan'@'%' | safe_db | ALTER |
| 'bryan'@'%' | safe_db | CREATE TEMPORARY TABLES |
| 'bryan'@'%' | safe_db | LOCK TABLES |
| 'bryan'@'%' | safe_db | EXECUTE |
| 'bryan'@'%' | safe_db | CREATE VIEW |
| 'bryan'@'%' | safe_db | SHOW VIEW |
| 'bryan'@'%' | safe_db | CREATE ROUTINE |
| 'bryan'@'%' | safe_db | ALTER ROUTINE |
| 'bryan'@'%' | safe_db | EVENT |
| 'bryan'@'%' | safe_db | TRIGGER |
+-------------+--------------+-------------------------+
18 rows in set (0.00 sec)
# 查詢用戶權限列表
MariaDB [(none)]> select grantee, privilege_type, is_grantable from information_schema.user_privileges;
+-------------+----------------+--------------+
| grantee | privilege_type | is_grantable |
+-------------+----------------+--------------+
| 'bryan'@'%' | USAGE | NO |
+-------------+----------------+--------------+
1 row in set (0.00 sec)
MariaDB [safe_db]> show grants for bryan;
+-----------------------------------------------------+
| Grants for bryan@% |
+-----------------------------------------------------+
| GRANT USAGE ON *.* TO 'bryan'@'%' IDENTIFIED BY PASSWORD '*F79F429101E0EB00B8132FC6874AEC01315F2088' |
| GRANT ALL PRIVILEGES ON `safe_db`.* TO 'bryan'@'%' |
| GRANT ALL PRIVILEGES ON `work_db`.* TO 'bryan'@'%' |
+-----------------------------------------------------+
3 rows in set (0.00 sec)
# 【root】用戶查看所有用戶權限列表
MariaDB [safe_db]> select grantee, privilege_type, is_grantable from information_schema.user_privileges;
+--------------------+-------------------------+--------------+
| grantee | privilege_type | is_grantable |
+--------------------+-------------------------+--------------+
| 'root'@'localhost' | SELECT | YES |
| 'root'@'localhost' | INSERT | YES |
| 'root'@'localhost' | UPDATE | YES |
| 'root'@'localhost' | DELETE | YES |
| 'root'@'localhost' | CREATE | YES |
| 'root'@'localhost' | DROP | YES |
| 'root'@'localhost' | RELOAD | YES |
| 'root'@'localhost' | SHUTDOWN | YES |
| 'root'@'localhost' | PROCESS | YES |
| 'root'@'localhost' | FILE | YES |
| 'root'@'localhost' | REFERENCES | YES |
| 'root'@'localhost' | INDEX | YES |
| 'root'@'localhost' | ALTER | YES |
| 'root'@'localhost' | SHOW DATABASES | YES |
| 'root'@'localhost' | SUPER | YES |
| 'root'@'localhost' | CREATE TEMPORARY TABLES | YES |
| 'root'@'localhost' | LOCK TABLES | YES |
| 'root'@'localhost' | EXECUTE | YES |
| 'root'@'localhost' | REPLICATION SLAVE | YES |
| 'root'@'localhost' | REPLICATION CLIENT | YES |
| 'root'@'localhost' | CREATE VIEW | YES |
| 'root'@'localhost' | SHOW VIEW | YES |
| 'root'@'localhost' | CREATE ROUTINE | YES |
| 'root'@'localhost' | ALTER ROUTINE | YES |
| 'root'@'localhost' | CREATE USER | YES |
| 'root'@'localhost' | EVENT | YES |
| 'root'@'localhost' | TRIGGER | YES |
| 'root'@'localhost' | CREATE TABLESPACE | YES |
| 'root'@'127.0.0.1' | SELECT | YES |
| 'root'@'127.0.0.1' | INSERT | YES |
| 'root'@'127.0.0.1' | UPDATE | YES |
| 'root'@'127.0.0.1' | DELETE | YES |
| 'root'@'127.0.0.1' | CREATE | YES |
| 'root'@'127.0.0.1' | DROP | YES |
| 'root'@'127.0.0.1' | RELOAD | YES |
| 'root'@'127.0.0.1' | SHUTDOWN | YES |
| 'root'@'127.0.0.1' | PROCESS | YES |
| 'root'@'127.0.0.1' | FILE | YES |
| 'root'@'127.0.0.1' | REFERENCES | YES |
| 'root'@'127.0.0.1' | INDEX | YES |
| 'root'@'127.0.0.1' | ALTER | YES |
| 'root'@'127.0.0.1' | SHOW DATABASES | YES |
| 'root'@'127.0.0.1' | SUPER | YES |
| 'root'@'127.0.0.1' | CREATE TEMPORARY TABLES | YES |
| 'root'@'127.0.0.1' | LOCK TABLES | YES |
| 'root'@'127.0.0.1' | EXECUTE | YES |
| 'root'@'127.0.0.1' | REPLICATION SLAVE | YES |
| 'root'@'127.0.0.1' | REPLICATION CLIENT | YES |
| 'root'@'127.0.0.1' | CREATE VIEW | YES |
| 'root'@'127.0.0.1' | SHOW VIEW | YES |
| 'root'@'127.0.0.1' | CREATE ROUTINE | YES |
| 'root'@'127.0.0.1' | ALTER ROUTINE | YES |
| 'root'@'127.0.0.1' | CREATE USER | YES |
| 'root'@'127.0.0.1' | EVENT | YES |
| 'root'@'127.0.0.1' | TRIGGER | YES |
| 'root'@'127.0.0.1' | CREATE TABLESPACE | YES |
| 'root'@'::1' | SELECT | YES |
| 'root'@'::1' | INSERT | YES |
| 'root'@'::1' | UPDATE | YES |
| 'root'@'::1' | DELETE | YES |
| 'root'@'::1' | CREATE | YES |
| 'root'@'::1' | DROP | YES |
| 'root'@'::1' | RELOAD | YES |
| 'root'@'::1' | SHUTDOWN | YES |
| 'root'@'::1' | PROCESS | YES |
| 'root'@'::1' | FILE | YES |
| 'root'@'::1' | REFERENCES | YES |
| 'root'@'::1' | INDEX | YES |
| 'root'@'::1' | ALTER | YES |
| 'root'@'::1' | SHOW DATABASES | YES |
| 'root'@'::1' | SUPER | YES |
| 'root'@'::1' | CREATE TEMPORARY TABLES | YES |
| 'root'@'::1' | LOCK TABLES | YES |
| 'root'@'::1' | EXECUTE | YES |
| 'root'@'::1' | REPLICATION SLAVE | YES |
| 'root'@'::1' | REPLICATION CLIENT | YES |
| 'root'@'::1' | CREATE VIEW | YES |
| 'root'@'::1' | SHOW VIEW | YES |
| 'root'@'::1' | CREATE ROUTINE | YES |
| 'root'@'::1' | ALTER ROUTINE | YES |
| 'root'@'::1' | CREATE USER | YES |
| 'root'@'::1' | EVENT | YES |
| 'root'@'::1' | TRIGGER | YES |
| 'root'@'::1' | CREATE TABLESPACE | YES |
| 'root'@'%' | USAGE | NO |
| 'bryan'@'%' | USAGE | NO |
| 'dnt'@'%' | USAGE | NO |
+--------------------+-------------------------+--------------+
87 rows in set (0.00 sec)
# 【root】查詢更詳細的用戶權限
MariaDB [safe_db]> select host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv from mysql.user\G;
*************************** 1. row ***************************
host: %
user: root
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
。。。。。。
*************************** 5. row ***************************
host: %
user: bryan
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
*************************** 6. row ***************************
host: %
user: dnt
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
6 rows in set (0.00 sec)
# PS:獲取列的權限列表(用的很少)
select table_schema, table_name, column_name, privilege_type from information_schema.column_privileges;
# PS:查詢數據庫支持哪些權限
mysql> show privileges;
+-------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege | Context | Comment |
+-------------------------+---------------------------------------+-------------------------------------------------------+
| Alter | Tables | To alter the table |
| Alter routine | Functions,Procedures | To alter or drop stored functions/procedures |
| Create | Databases,Tables,Indexes | To create new databases and tables |
| Create routine | Databases | To use CREATE FUNCTION/PROCEDURE |
| Create temporary tables | Databases | To use CREATE TEMPORARY TABLE |
| Create view | Tables | To create new views |
| Create user | Server Admin | To create new users |
| Delete | Tables | To delete existing rows |
| Drop | Databases,Tables | To drop databases, tables, and views |
| Event | Server Admin | To create, alter, drop and execute events |
| Execute | Functions,Procedures | To execute stored routines |
| File | File access on server | To read and write files on the server |
| Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess |
| Index | Tables | To create or drop indexes |
| Insert | Tables | To insert data into tables |
| Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) |
| Process | Server Admin | To view the plain text of currently executing queries |
| Proxy | Server Admin | To make proxy user possible |
| References | Databases,Tables | To have references on tables |
| Reload | Server Admin | To reload or refresh tables, logs and privileges |
| Replication client | Server Admin | To ask where the slave or master servers are |
| Replication slave | Server Admin | To read binary log events from the master |
| Select | Tables | To retrieve rows from table |
| Show databases | Server Admin | To see all databases with SHOW DATABASES |
| Show view | Tables | To see views with SHOW CREATE VIEW |
| Shutdown | Server Admin | To shut down the server |
| Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. |
| Trigger | Tables | To use triggers |
| Create tablespace | Server Admin | To create/alter/drop tablespaces |
| Update | Tables | To update existing rows |
| Usage | Server Admin | No privileges - allow connect only |
+-------------------------+---------------------------------------+-------------------------------------------------------+
31 rows in set (0.00 sec)
other
# 獲取會話id MariaDB [(none)]> select connection_id(); +-----------------+ | connection_id() | +-----------------+ | 6 | +-----------------+ 1 row in set (0.00 sec) # 獲取最後一個插入的id MariaDB [(none)]> select last_insert_id(); +------------------+ | last_insert_id() | +------------------+ | 0 | +------------------+ 1 row in set (0.00 sec) # 返回前一個SQL進行`update、delete、insert`操做所影響的行數 MariaDB [(none)]> select row_count(); +-------------+ | row_count() | +-------------+ | -1 | +-------------+ 1 row in set (0.00 sec)
參考連接
國外經常使用的SQLi備忘錄:
- MySQL:http://pentestmonkey.net/category/cheat-sheet
- MSSQL:http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
MySQL系統表相關知識:
相關文章
- 1. 信安週報-第02周:SQL基礎
- 2. 第二週週報
- 3. 第六週週報
- 4. 第一週週報
- 5. 第三週週報
- 6. python週報第十五週
- 7. 寒假第一週週報
- 8. python週報第十四周
- 9. python週報第六週
- 10. python週報第九周
- 更多相關文章...
- • Rust 生命週期 - RUST 教程
- • SVN 生命週期 - SVN 教程
- • 使用Rxjava計算圓周率
- • Docker容器實戰(七) - 容器眼光下的文件系統
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 信安週報-第02周:SQL基礎
- 2. 第二週週報
- 3. 第六週週報
- 4. 第一週週報
- 5. 第三週週報
- 6. python週報第十五週
- 7. 寒假第一週週報
- 8. python週報第十四周
- 9. python週報第六週
- 10. python週報第九周