Sql注入-数据库系统功能函数
学习目标
- 学习数据库自带函数的功能与用法(思考在什么情况下可以执行命令)
- 将所有涉及的函数进行测试并举例说明其用法
- 针对自己所选数据库,构造所需环境,尝试执行系统命令
Mysql函数
1. 字符串函数
ASCII(s)
返回字符串 s 的第一个字符的 ASCII 码。
mysql> select ASCII(User) from user;
+-------------+
| ASCII(User) |
+-------------+
| 109 |
| 109 |
| 114 |
+-------------+
3 rows in set (0.00 sec)
mysql> select User from user;
+---------------+
| User |
+---------------+
| mysql.session |
| mysql.sys |
| root |
+---------------+
3 rows in set (0.00 sec)
CHAR_LENGTH(s)
返回字符串 s 的字符数,不管汉字还是数字或者是字母都算是一个字符。
mysql> select CHAR_LENGTH("whoami");
+-----------------------+
| CHAR_LENGTH("whoami") |
+-----------------------+
| 6 |
+-----------------------+
1 row in set (0.01 sec)
CHARACTER_LENGTH(s)
返回字符串 s 的字符数,CHARACTER_LENGTH()是CHAR_LENGTH()函数的同义词。
mysql> select CHARACTER_LENGTH("whoami");
+----------------------------+
| CHARACTER_LENGTH("whoami") |
+----------------------------+
| 6 |
+----------------------------+
1 row in set (0.00 sec)
CONCAT(s1,s2...sn)
字符串 s1,s2 等多个字符串合并为一个字符串。
mysql> SELECT CONCAT("SQL ", "baidu ", "Gooogle ", "Facebook") AS ConcatenatedString;
+-----------------------------+
| ConcatenatedString |
+-----------------------------+
| SQL baidu Gooogle Facebook |
+-----------------------------+
1 row in set (0.01 sec)
CONCAT_WS(x, s1,s2...sn)
同 CONCAT(s1,s2,...) 函数,但是每个字符串之间要加上 x,x 可以是分隔符
mysql> SELECT CONCAT_WS("-", "SQL", "Tutorial", "is", "fun!")AS ConcatenatedString;
+----------------------+
| ConcatenatedString |
+----------------------+
| SQL-Tutorial-is-fun! |
+----------------------+
1 row in set (0.00 sec)
FIELD(s,s1,s2...)
返回第一个字符串 s 在字符串列表(s1,s2...)中的位置
返回字符串 c 在列表值中的位置:
mysql> SELECT FIELD("c", "a", "b", "c", "d", "e");
+-------------------------------------+
| FIELD("c", "a", "b", "c", "d", "e") |
+-------------------------------------+
| 3 |
+-------------------------------------+
1 row in set (0.01 sec)
FIND_IN_SET(s1,s2)
返回在字符串s2中与s1匹配的字符串的位置
mysql> SELECT FIND_IN_SET("c", "a,b,c,d,e");
+-------------------------------+
| FIND_IN_SET("c", "a,b,c,d,e") |
+-------------------------------+
| 3 |
+-------------------------------+
1 row in set (0.00 sec)
FORMAT(x,n)
函数可以将数字 x 进行格式化 "#,###.##", 将 x 保留到小数点后 n 位,最后一位四舍五入。
保留小数点后2位
mysql> SELECT FORMAT(250500.5634, 2);
+------------------------+
| FORMAT(250500.5634, 2) |
+------------------------+
| 250,500.56 |
+------------------------+
1 row in set (0.00 sec)
INSERT(s1,x,len,s2)
将s1中x位置开始长度为len的字符串替换为s2
“google.com“位置1开始长度为6的字符“google”替换成了“baiduu”
mysql> SELECT INSERT("google.com", 1, 6, "baiduu");
+--------------------------------------+
| INSERT("google.com", 1, 6, "runnob") |
+--------------------------------------+
| baiduu.com |
+--------------------------------------+
1 row in set (0.01 sec)
LOCATE(s1,s)
从字符串 s 中获取 s1 的开始位置
mysql> SELECT LOCATE('op','aaaaopopbbbb');
+-----------------------------+
| LOCATE('op','aaaaopopbbbb') |
+-----------------------------+
| 5 |
+-----------------------------+
1 row in set (0.01 sec)
LCASE(s)
将字符串 s 的所有字母变成小写字母
mysql> SELECT LCASE('BAIDUU');
+-----------------+
| LCASE('BAIDUU') |
+-----------------+
| baiduu |
+-----------------+
1 row in set (0.00 sec)
LEFT(s,n)
返回字符串 s 的前 n 个字符
mysql> SELECT LEFT('whoami',2);
+------------------+
| LEFT('whoami',2) |
+------------------+
| wh |
+------------------+
1 row in set (0.00 sec)
LOWER(s)
将字符串 s 的所有字母变成小写字母
mysql> SELECT LOWER('AAAbbb');
+-----------------+
| LOWER('AAAbbb') |
+-----------------+
| aaabbb |
+-----------------+
1 row in set (0.00 sec)
LPAD(s1,len,s2)
在字符串 s1 前填充字符串 s2,使字符串长度达到 len
mysql> SELECT LPAD('abc',6,'xs');
+--------------------+
| LPAD('abc',6,'xs') |
+--------------------+
| xsxabc |
+--------------------+
1 row in set (0.00 sec)
mysql> SELECT LPAD('abc',7,'xs');
+--------------------+
| LPAD('abc',7,'xs') |
+--------------------+
| xsxsabc |
+--------------------+
1 row in set (0.00 sec)
LTRIM(s)
去掉字符串 s 开始处的空格
mysql> SELECT LTRIM(" baidu");
+--------------------+
| LTRIM(" baidu") |
+--------------------+
| baidu |
+--------------------+
1 row in set (0.01 sec)
MID(s,n,len)
从字符串 s 的 n 位置截取长度为 len 的子字符串,同 SUBSTRING(s,n,len)
从baidu123字符串第2个位置开始截取3个字符,结果aid
mysql> SELECT MID("baidu123", 2, 3);
+-----------------------+
| MID("baidu123", 2, 3) |
+-----------------------+
| aid |
+-----------------------+
1 row in set (0.00 sec)
POSITION(s1 IN s)
从字符串 s 中获取 s1 的开始位置
mysql> SELECT POSITION('b' in 'abc');
+------------------------+
| POSITION('b' in 'abc') |
+------------------------+
| 2 |
+------------------------+
1 row in set (0.00 sec)
REPEAT(s,n)
将字符串 s 重复 n 次
mysql> SELECT REPEAT('baidu',3);
+-------------------+
| REPEAT('baidu',3) |
+-------------------+
| baidubaidubaidu |
+-------------------+
1 row in set (0.00 sec)
TRIM(s)
去掉字符串 s 开始和结尾处的空格
mysql> SELECT TRIM(' baidu ');
+-----------------------+
| TRIM(' baidu ') |
+-----------------------+
| baidu |
+-----------------------+
1 row in set (0.00 sec)
UCASE(s) / UPPER(s)
将字符串转换为大写
mysql> SELECT UCASE("baidu");
+----------------+
| UCASE("baidu") |
+----------------+
| BAIDU |
+----------------+
1 row in set (0.01 sec)
2. 数字函数
greatest(v1, v2...) | least(v1, v2...)
返回一系列数的最大/最小值
mysql> select greatest(1, 3, 5, 7, 0);
+-------------------------+
| greatest(1, 3, 5, 7, 0) |
+-------------------------+
| 7 |
+-------------------------+
1 row in set (0.01 sec)
mysql> select least(1, 3, 5, 7, 0);
+----------------------+
| least(1, 3, 5, 7, 0) |
+----------------------+
| 0 |
+----------------------+
1 row in set (0.00 sec)
max(s) | min(s)
返回表达式 exp 计算后的最大/最小值
#返回该列的最大值
select max(列名) from table;
#返回该列的最小值
select min(列名) from table;
sum(s)
求和
avg(s)
求均值
count(s)
返回查询的行数
mysql> select count(*) from user;
+----------+
| count(*) |
+----------+
| 3 |
+----------+
1 row in set (0.00 sec)
abs(num)
求绝对值
ceil(num) | ceiling(num)
向上取整
floor(num)
向下取整
div(x, y)
除法,返回一个整数
mod(x, y) | x mod y | x % y
取模
3. 日期函数
current_date() | curdate()
mysql> select current_date(), curdate();
+----------------+------------+
| current_date() | curdate() |
+----------------+------------+
| 2019-08-30 | 2019-08-30 |
+----------------+------------+
1 row in set (0.02 sec)
current_time() | curtime()
mysql> select current_time(), curtime();
+----------------+-----------+
| current_time() | curtime() |
+----------------+-----------+
| 22:43:58 | 22:43:58 |
+----------------+-----------+
1 row in set (0.01 sec)
current_timestamp() | now() | sysdate()
mysql> select current_timestamp(), now(), sysdate();
+---------------------+---------------------+---------------------+
| current_timestamp() | now() | sysdate() |
+---------------------+---------------------+---------------------+
| 2019-08-30 22:45:03 | 2019-08-30 22:45:03 | 2019-08-30 22:45:03 |
+---------------------+---------------------+---------------------+
1 row in set (0.00 sec)
localtime() | localtimestamp()
mysql> select localtime(), localtimestamp();
+---------------------+---------------------+
| localtime() | localtimestamp() |
+---------------------+---------------------+
| 2019-08-30 22:46:00 | 2019-08-30 22:46:00 |
+---------------------+---------------------+
1 row in set (0.00 sec)
Mysql高级函数
进制转换
BIN(x)
返回 x 的二进制编码
mysql> SELECT BIN(15);
+---------+
| BIN(15) |
+---------+
| 1111 |
+---------+
1 row in set (0.01 sec)
hex(s)
将十六进制 s 转换为ASCII
mysql> SELECT hex(15);
+---------+
| hex(15) |
+---------+
| F |
+---------+
1 row in set (0.00 sec)
unhex()
与hex()相反
mysql> SELECT hex('1');
+----------+
| hex('1') |
+----------+
| 31 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT unhex(31);
+-----------+
| unhex(31) |
+-----------+
| 1 |
+-----------+
1 row in set (0.00 sec)
数据库信息
current_user()
MySQL 授权的用户名和主机名
user() | session_user() | system_user()
当前连接的用户名和主机名
database()
当前数据库
connection_id()
当前连接id
version()
mysql版本
执行系统命令
使用system
在 MySQL 的命令行界面中可以使用 system shell-cmd 或者 ! shell-cmd 格式执行 shell 命令
# 查看当前目录
mysql> \! pwd
/home/tudouer/.local/share/Trash/files/dvwa
# 开启新的shell
mysql> \! bash
[root@localhost dvwa]# exit
exit
mysql>