Version:
mysql> SELECT @@version;
+------------------+
| @@version |
+------------------+
| 5.0.96-community |
+------------------+
1 row in set (0.00 sec)
Comment Syntax:
mysql> SELECT 1; #comment
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)
mysql> SELECT /*comment*/1;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)
Current User:
mysql> SELECT user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> SELECT system_user();
+----------------+
| system_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.01 sec)
List Users (rows with an empty `user` value are anonymous accounts):
mysql> SELECT user FROM mysql.user;
+------+
| user |
+------+
| root |
| |
| root |
| |
| root |
+------+
5 rows in set (0.00 sec)
List Password Hashes (on MySQL 5.7 and later the `password` column is replaced by `authentication_string`):
mysql> SELECT host, user, password FROM mysql.user;
+-----------------------+------+-------------------------------------------+
| host | user | password |
+-----------------------+------+-------------------------------------------+
| localhost | root | *FAAFFE644E901CFAFAEC7562415E5FAEC243B8B2 |
| localhost.localdomain | root | |
| 127.0.0.1 | root | |
| localhost | | |
| localhost.localdomain | | |
+-----------------------+------+-------------------------------------------+
5 rows in set (0.00 sec)
List Privileges:
mysql> SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
+--------------------------------+-------------------------+--------------+
| grantee | privilege_type | is_grantable |
+--------------------------------+-------------------------+--------------+
| 'root'@'localhost' | SELECT | YES |
| 'root'@'localhost' | INSERT | YES |
| 'root'@'localhost' | UPDATE | YES |
| 'root'@'localhost' | DELETE | YES |
| 'root'@'localhost' | CREATE | YES |
| 'root'@'localhost' | DROP | YES |
| 'root'@'localhost' | RELOAD | YES |
| 'root'@'localhost' | SHUTDOWN | YES |
| 'root'@'localhost' | PROCESS | YES |
| 'root'@'localhost' | FILE | YES |
| 'root'@'localhost' | REFERENCES | YES |
| 'root'@'localhost' | INDEX | YES |
| 'root'@'localhost' | ALTER | YES |
| 'root'@'localhost' | SHOW DATABASES | YES |
| 'root'@'localhost' | SUPER | YES |
| 'root'@'localhost' | CREATE TEMPORARY TABLES | YES |
| 'root'@'localhost' | LOCK TABLES | YES |
| 'root'@'localhost' | EXECUTE | YES |
| 'root'@'localhost' | REPLICATION SLAVE | YES |
| 'root'@'localhost' | REPLICATION CLIENT | YES |
| 'root'@'localhost' | CREATE VIEW | YES |
| 'root'@'localhost' | SHOW VIEW | YES |
| 'root'@'localhost' | CREATE ROUTINE | YES |
| 'root'@'localhost' | ALTER ROUTINE | YES |
| 'root'@'localhost' | CREATE USER | YES |
| 'root'@'localhost.localdomain' | SELECT | YES |
| 'root'@'localhost.localdomain' | INSERT | YES |
| 'root'@'localhost.localdomain' | UPDATE | YES |
| 'root'@'localhost.localdomain' | DELETE | YES |
| 'root'@'localhost.localdomain' | CREATE | YES |
| 'root'@'localhost.localdomain' | DROP | YES |
| 'root'@'localhost.localdomain' | RELOAD | YES |
| 'root'@'localhost.localdomain' | SHUTDOWN | YES |
| 'root'@'localhost.localdomain' | PROCESS | YES |
| 'root'@'localhost.localdomain' | FILE | YES |
| 'root'@'localhost.localdomain' | REFERENCES | YES |
| 'root'@'localhost.localdomain' | INDEX | YES |
| 'root'@'localhost.localdomain' | ALTER | YES |
| 'root'@'localhost.localdomain' | SHOW DATABASES | YES |
| 'root'@'localhost.localdomain' | SUPER | YES |
| 'root'@'localhost.localdomain' | CREATE TEMPORARY TABLES | YES |
| 'root'@'localhost.localdomain' | LOCK TABLES | YES |
| 'root'@'localhost.localdomain' | EXECUTE | YES |
| 'root'@'localhost.localdomain' | REPLICATION SLAVE | YES |
| 'root'@'localhost.localdomain' | REPLICATION CLIENT | YES |
| 'root'@'localhost.localdomain' | CREATE VIEW | YES |
| 'root'@'localhost.localdomain' | SHOW VIEW | YES |
| 'root'@'localhost.localdomain' | CREATE ROUTINE | YES |
| 'root'@'localhost.localdomain' | ALTER ROUTINE | YES |
| 'root'@'localhost.localdomain' | CREATE USER | YES |
| 'root'@'127.0.0.1' | SELECT | YES |
| 'root'@'127.0.0.1' | INSERT | YES |
| 'root'@'127.0.0.1' | UPDATE | YES |
| 'root'@'127.0.0.1' | DELETE | YES |
| 'root'@'127.0.0.1' | CREATE | YES |
| 'root'@'127.0.0.1' | DROP | YES |
| 'root'@'127.0.0.1' | RELOAD | YES |
| 'root'@'127.0.0.1' | SHUTDOWN | YES |
| 'root'@'127.0.0.1' | PROCESS | YES |
| 'root'@'127.0.0.1' | FILE | YES |
| 'root'@'127.0.0.1' | REFERENCES | YES |
| 'root'@'127.0.0.1' | INDEX | YES |
| 'root'@'127.0.0.1' | ALTER | YES |
| 'root'@'127.0.0.1' | SHOW DATABASES | YES |
| 'root'@'127.0.0.1' | SUPER | YES |
| 'root'@'127.0.0.1' | CREATE TEMPORARY TABLES | YES |
| 'root'@'127.0.0.1' | LOCK TABLES | YES |
| 'root'@'127.0.0.1' | EXECUTE | YES |
| 'root'@'127.0.0.1' | REPLICATION SLAVE | YES |
| 'root'@'127.0.0.1' | REPLICATION CLIENT | YES |
| 'root'@'127.0.0.1' | CREATE VIEW | YES |
| 'root'@'127.0.0.1' | SHOW VIEW | YES |
| 'root'@'127.0.0.1' | CREATE ROUTINE | YES |
| 'root'@'127.0.0.1' | ALTER ROUTINE | YES |
| 'root'@'127.0.0.1' | CREATE USER | YES |
| ''@'localhost' | USAGE | NO |
| ''@'localhost.localdomain' | USAGE | NO |
+--------------------------------+-------------------------+--------------+
77 rows in set (0.00 sec)
mysql> SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;
+-----------------------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+
| host | user | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv |
+-----------------------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+
| localhost | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| localhost.localdomain | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| 127.0.0.1 | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| localhost | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| localhost.localdomain | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
+-----------------------+------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+
5 rows in set (0.00 sec)
mysql> SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
+---------+--------------+-------------------------+
| grantee | table_schema | privilege_type |
+---------+--------------+-------------------------+
| ''@'%' | test | SELECT |
| ''@'%' | test | INSERT |
| ''@'%' | test | UPDATE |
| ''@'%' | test | DELETE |
| ''@'%' | test | CREATE |
| ''@'%' | test | DROP |
| ''@'%' | test | REFERENCES |
| ''@'%' | test | INDEX |
| ''@'%' | test | ALTER |
| ''@'%' | test | CREATE TEMPORARY TABLES |
| ''@'%' | test | LOCK TABLES |
| ''@'%' | test | CREATE VIEW |
| ''@'%' | test | SHOW VIEW |
| ''@'%' | test | CREATE ROUTINE |
| ''@'%' | test\_% | SELECT |
| ''@'%' | test\_% | INSERT |
| ''@'%' | test\_% | UPDATE |
| ''@'%' | test\_% | DELETE |
| ''@'%' | test\_% | CREATE |
| ''@'%' | test\_% | DROP |
| ''@'%' | test\_% | REFERENCES |
| ''@'%' | test\_% | INDEX |
| ''@'%' | test\_% | ALTER |
| ''@'%' | test\_% | CREATE TEMPORARY TABLES |
| ''@'%' | test\_% | LOCK TABLES |
| ''@'%' | test\_% | CREATE VIEW |
| ''@'%' | test\_% | SHOW VIEW |
| ''@'%' | test\_% | CREATE ROUTINE |
+---------+--------------+-------------------------+
28 rows in set (0.00 sec)
mysql> SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
Empty set (0.00 sec)
List DBA Accounts (accounts holding the SUPER privilege):
mysql> SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
+--------------------------------+----------------+--------------+
| grantee | privilege_type | is_grantable |
+--------------------------------+----------------+--------------+
| 'root'@'localhost' | SUPER | YES |
| 'root'@'localhost.localdomain' | SUPER | YES |
| 'root'@'127.0.0.1' | SUPER | YES |
+--------------------------------+----------------+--------------+
3 rows in set (0.00 sec)
mysql> SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';
+-----------------------+------+
| host | user |
+-----------------------+------+
| localhost | root |
| localhost.localdomain | root |
| 127.0.0.1 | root |
+-----------------------+------+
3 rows in set (0.00 sec)
Current Database:
mysql> SELECT database();
+------------+
| database() |
+------------+
| NULL |
+------------+
1 row in set (0.00 sec)
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SELECT database();
+------------+
| database() |
+------------+
| mysql |
+------------+
1 row in set (0.00 sec)
List Databases:
mysql> SELECT schema_name FROM information_schema.schemata;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.03 sec)
mysql> SELECT distinct(db) FROM mysql.db;
+---------+
| db |
+---------+
| test |
| test\_% |
+---------+
2 rows in set (0.00 sec)
Create Database and Table:
mysql> create database db_user;
Query OK, 1 row affected (0.05 sec)
mysql> use db_user;
Database changed
mysql> create table tb_user (
-> username varchar(20) primary key,
-> password varchar(20) not null
-> );
Query OK, 0 rows affected (0.05 sec)
List Columns:
mysql> SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
+--------------+------------+-------------+
| table_schema | table_name | column_name |
+--------------+------------+-------------+
| db_user | tb_user | username |
| db_user | tb_user | password |
+--------------+------------+-------------+
2 rows in set (0.00 sec)
List Tables:
mysql> SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
+--------------+------------+
| table_schema | table_name |
+--------------+------------+
| db_user | tb_user |
+--------------+------------+
1 row in set (0.00 sec)
Find Tables From Column Name:
mysql> SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
+--------------+------------+
| table_schema | table_name |
+--------------+------------+
| db_user | tb_user |
+--------------+------------+
1 row in set (0.02 sec)
Insert Data:
mysql> insert into tb_user values ('user1', 'pass1');
Query OK, 1 row affected (0.00 sec)
mysql> insert into tb_user values ('user2', 'pass2');
Query OK, 1 row affected (0.00 sec)
Select Nth Row:
mysql> SELECT username, password FROM tb_user ORDER BY username LIMIT 1 OFFSET 0;
+----------+----------+
| username | password |
+----------+----------+
| user1 | pass1 |
+----------+----------+
1 row in set (0.00 sec)
mysql> SELECT username, password FROM tb_user ORDER BY username LIMIT 1 OFFSET 1;
+----------+----------+
| username | password |
+----------+----------+
| user2 | pass2 |
+----------+----------+
1 row in set (0.00 sec)
Select Nth Char:
mysql> SELECT substr('abcd', 3, 1);
+----------------------+
| substr('abcd', 3, 1) |
+----------------------+
| c |
+----------------------+
1 row in set (0.00 sec)
Bitwise AND:
mysql> SELECT 6 & 2;
+-------+
| 6 & 2 |
+-------+
| 2 |
+-------+
1 row in set (0.00 sec)
mysql> SELECT 6 & 1;
+-------+
| 6 & 1 |
+-------+
| 0 |
+-------+
1 row in set (0.00 sec)
ASCII Value -> Char:
mysql> SELECT char(65);
+----------+
| char(65) |
+----------+
| A |
+----------+
1 row in set (0.00 sec)
Char -> ASCII Value:
mysql> SELECT ascii('A');
+------------+
| ascii('A') |
+------------+
| 65 |
+------------+
1 row in set (0.00 sec)
Casting:
mysql> SELECT cast('1' AS unsigned integer);
+-------------------------------+
| cast('1' AS unsigned integer) |
+-------------------------------+
| 1 |
+-------------------------------+
1 row in set (0.00 sec)
mysql> SELECT cast('123' AS char);
+---------------------+
| cast('123' AS char) |
+---------------------+
| 123 |
+---------------------+
1 row in set (0.00 sec)
String Concatenation:
mysql> SELECT CONCAT('A','B');
+-----------------+
| CONCAT('A','B') |
+-----------------+
| AB |
+-----------------+
1 row in set (0.00 sec)
mysql> SELECT CONCAT('A','B','C');
+---------------------+
| CONCAT('A','B','C') |
+---------------------+
| ABC |
+---------------------+
1 row in set (0.00 sec)
If Statement:
mysql> SELECT if(1=1,'foo','bar');
+---------------------+
| if(1=1,'foo','bar') |
+---------------------+
| foo |
+---------------------+
1 row in set (0.00 sec)
Case Statement:
mysql> SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END;
+---------------------------------------+
| CASE WHEN (1=1) THEN 'A' ELSE 'B' END |
+---------------------------------------+
| A |
+---------------------------------------+
1 row in set (0.00 sec)
Avoiding Quotes (hex string literal):
mysql> SELECT 0x414243;
+----------+
| 0x414243 |
+----------+
| ABC |
+----------+
1 row in set (0.00 sec)
Time Delay:
mysql> SELECT BENCHMARK(1000000,MD5('A'));
+-----------------------------+
| BENCHMARK(1000000,MD5('A')) |
+-----------------------------+
| 0 |
+-----------------------------+
1 row in set (2.03 sec)
mysql> SELECT SLEEP(5);
+----------+
| SLEEP(5) |
+----------+
| 0 |
+----------+
1 row in set (5.00 sec)
Command Execution:
If mysqld (<5.0) is running as root AND you compromise a DBA account, you can execute OS commands by uploading a shared object file into /usr/lib (or a similar directory); this depends on mysqld running as root, so a dedicated unprivileged service account is the mitigation.
Local File Access (LOAD_FILE and INTO DUMPFILE need the FILE privilege and are constrained by `secure_file_priv`):
mysql> SELECT LOAD_FILE('/etc/passwd');
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| LOAD_FILE('/etc/passwd') |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
pulse:x:499:497:PulseAudio daemon:/:/sbin/nologin
avahi:x:498:494:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smolt:x:497:491:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:490:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:496:489:BitTorrent Seed/Tracker:/var/lib/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
yang:x:500:500:yang:/home/yang:/bin/bash
mysql:x:495:488:MySQL server:/var/lib/mysql:/bin/bash
|
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM tb_user INTO dumpfile '/tmp/tb_user';
Query OK, 2 rows affected (0.00 sec)
Hostname, IP Address:
mysql> SELECT @@hostname;
+-----------------------+
| @@hostname |
+-----------------------+
| localhost.localdomain |
+-----------------------+
1 row in set (0.00 sec)
Create Users:
mysql> CREATE USER test1 IDENTIFIED BY 'pass1';
Query OK, 0 rows affected (0.02 sec)
Delete Users:
mysql> DROP USER test1;
Query OK, 0 rows affected (0.00 sec)
Make User DBA (the GRANT below succeeds after the DROP USER above because, on this version, GRANT creates the account if it does not exist):
mysql> GRANT ALL PRIVILEGES ON *.* TO test1@'%';
Query OK, 0 rows affected (0.00 sec)
Location of DB files:
mysql> SELECT @@datadir;
+-----------------+
| @@datadir |
+-----------------+
| /var/lib/mysql/ |
+-----------------+
1 row in set (0.00 sec)
查看当前数据库所有的表:
mysql> select group_concat(table_name) from information_schema.tables where table_schema=database();
+--------------------------+
| group_concat(table_name) |
+--------------------------+
| tb_user |
+--------------------------+
1 row in set (0.00 sec)
查看当前数据库所有的列:
mysql> select group_concat(column_name) from information_schema.columns where table_schema=database();
+---------------------------+
| group_concat(column_name) |
+---------------------------+
| username,password,phone |
+---------------------------+
1 row in set (0.05 sec)
查看表tb_user的所有列:
mysql> select group_concat(column_name) from information_schema.columns where table_name='tb_user';
+---------------------------+
| group_concat(column_name) |
+---------------------------+
| username,password,phone |
+---------------------------+
1 row in set (0.08 sec)
如果是以URL的形式,要变成:
select group_concat(column_name) from information_schema.columns where table_name=0x74625F75736572
其中tb_user的16进制是0x74625F75736572
查看用户名密码:
select group_concat(username,0x3a,password) from users;