buuctf 刷题记录 极客大挑战 lovesql教程
buuctf
进入界面,先随便输入登录进去,常规sql注入
令他报错 
发现是单引号包裹,字符型注入
接着就是老套路了
order by 查询 发现 
到4的时候错误,所以有3个字段
联合查询 union select 
可以发现2,3字段可以查询
试试查询2字段,发现2字段查询不了表名。。。。
然后查询3字段,发现了表名
表名如下:
{‘ALL\_PLUGINS,APPLICABLE\_ROLES,CHARACTER\_SETS,CHECK\_CONSTRAINTS,COLLATIONS,COLLATION\_CHARACTER\_SET\_APPLICABILITY,COLUMNS,COLUMN\_PRIVILEGES,ENABLED\_ROLES,ENGINES,EVENTS,FILES,GLOBAL\_STATUS,GLOBAL\_VARIABLES,KEY\_CACHES,KEY\_COLUMN\_USAGE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL\_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA\_PRIVILEGES,SESSION\_STATUS,SESSION\_VARIABLES,STATISTICS,SYSTEM\_VARIABLES,TABLES,TABLESPACES,TABLE\_CONSTRAINTS,TABLE\_PRIVILEGES,TRIGGERS,USER\_PRIVILEGES,VIEWS,GEOMETRY\_COLUMNS,SPATIAL\_REF\_SYS,CLIENT\_STATISTICS,INDEX\_STATISTICS,INNODB\_SYS\_DATAFILES,USER\_STATISTICS,INNODB\_SYS\_TABLESTATS,INNODB\_LOCKS,INNODB\_MUTEXES,INNODB\_CMPMEM,INNODB\_CMP\_PER\_INDEX,INNODB\_CMP,INNODB\_FT\_DELETED,INNODB\_CMP\_RESET,INNODB\_LOCK\_WAITS,TABLE\_STATISTICS,INNODB\_TABLESPACES\_ENCRYPTION,INNODB\_BUFFER\_PAGE\_LRU,INNODB\_SYS\_FIELDS,INNODB\_CMPMEM\_RESET,INNODB\_SYS\_COLUMNS,INNODB\_FT\_INDEX\_TABLE,INNODB\_CMP\_PER\_INDEX\_RESET,user\_variables,INNODB\_FT\_INDEX\_CACHE,INNODB\_SYS\_FOREIGN\_COLS,INNODB\_FT\_BEING\_DELETED,INNODB\_BUFFER\_POOL\_STATS,INNODB\_TRX,INNODB\_SYS\_FOREIGN,INNODB\_SYS\_TABLES,INNODB\_FT\_DEFAULT\_STOPWORD,INNODB\_FT\_CONFIG,INNODB\_BUFFER\_PAGE,INNODB\_SYS\_TABLESPACES,INNODB\_METRICS,INNODB\_SYS\_INDEXES,INNODB\_SYS\_VIRTUAL,INNODB\_TABLESPACES\_SCRUBBING,INNODB\_SYS\_SEMAPHORE\_WAITS,accounts,cond\_instances,events\_stages\_current,events\_stages\_history,events\_stages\_history\_long,events\_stages\_summary\_by\_account\_by\_event\_name,events\_stages\_summary\_by\_host\_by\_event\_name,events\_stages\_summary\_by\_thread\_by\_event\_name,events\_stages\_summary\_by\_user\_by\_event\_name,events\_stages\_summary\_global\_by\_event\_name,events\_statements\_current,events\_statements\_history,events\_statements\_history\_long,events\_statements\_summary\_by\_account\_by\_event\_name,events\_statements\_summary\_by\_digest,events\_statements\_summary\_by\_host\_by\_event\_name,events\_statements\_summary\_by\_thread\_by\_event\_name,events\_statements\_summary\_by\_user\_by\_event\_name,events\_statements\_summary\_global\_by\_event\_name,events\_waits\_current,events\_waits\_history,events\_waits\_history\_long,events\_waits\_summary\_by\_account\_by\_event\_name,events\_waits\_summary\_by\_host\_by\_event\_name,events\_waits\_summary\_by\_instance,events\_waits\_summary\_by\_thread\_by\_event\_name,events\_waits\_summary\_by\_user\_by\_event\_name,events\_waits\_summary\_global\_by\_event\_name,file\_instances,file\_summary\_by\_event\_name,file\_summary\_by\_instance,host\_cache,hosts,mutex\_instances,objects\_summary\_global\_by\_type,performance\_timers,rwlock\_instances,session\_account\_connect\_attrs,session\_connect\_attrs,setup\_actors,setup\_consumers,setup\_instruments,setup\_objects,setup\_timers,socket\_instances,socket\_summary\_by\_event\_name,socket\_summary\_by\_instance,table\_io\_waits\_summary\_by\_index\_usage,table\_io\_waits\_summary\_by\_table,table\_lock\_waits\_summary\_by\_table,threads,users,column\_stats,columns\_priv,db,event,func,general\_log,gtid\_slave\_pos,help\_category,help\_keyword,help\_relation,help\_topic,host,index\_stats,innodb\_index\_stats,innodb\_table\_stats,plugin,proc,procs\_priv,proxies\_priv,roles\_mapping,servers,slow\_log,table\_stats,tables\_priv,time\_zone,time\_zone\_leap\_second,time\_zone\_name,time\_zone\_transition,time\_zone\_transition\_type,transaction\_registry,user,geekuser,l0ve1ysq1’}
一堆表名。。。。。
不慌不慌,再查询字段名
字段名如下
:{‘PLUGIN\_NAME,PLUGIN\_VERSION,PLUGIN\_STATUS,PLUGIN\_TYPE,PLUGIN\_TYPE\_VERSION,PLUGIN\_LIBRARY,PLUGIN\_LIBRARY\_VERSION,PLUGIN\_AUTHOR,PLUGIN\_DESCRIPTION,PLUGIN\_LICENSE,LOAD\_OPTION,PLUGIN\_MATURITY,PLUGIN\_AUTH\_VERSION,GRANTEE,ROLE\_NAME,IS\_GRANTABLE,IS\_DEFAULT,CHARACTER\_SET\_NAME,DEFAULT\_COLLATE\_NAME,DESCRIPTION,MAXLEN,CONSTRAINT\_CATALOG,CONSTRAINT\_SCHEMA,CONSTRAINT\_NAME,TABLE\_NAME,CHECK\_CLAUSE,COLLATION\_NAME,CHARACTER\_SET\_NAME,ID,IS\_DEFAULT,IS\_COMPILED,SORTLEN,COLLATION\_NAME,CHARACTER\_SET\_NAME,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,COLUMN\_NAME,ORDINAL\_POSITION,COLUMN\_DEFAULT,IS\_NULLABLE,DATA\_TYPE,CHARACTER\_MAXIMUM\_LENGTH,CHARACTER\_OCTET\_LENGTH,NUMERIC\_PRECISION,NUMERIC\_SCALE,DATETIME\_PRECISION,CHARACTER\_SET\_NAME,COLLATION\_NAME,COLUMN\_TYPE,COLUMN\_KEY,EXTRA,PRIVILEGES,COLUMN\_COMMENT,IS\_GENERATED,GENERATION\_EXPRESSION,GRANTEE,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,COLUMN\_NAME,PRIVILEGE\_TYPE,IS\_GRANTABLE,ROLE\_NAME,ENGINE,SUPPORT,COMMENT,TRANSACTIONS,XA,SAVEPOINTS,EVENT\_CATALOG,EVENT\_SCHEMA,EVENT\_NAME,DEFINER,TIME\_ZONE,EVENT\_BODY,EVENT\_DEFINITION,EVENT\_TYPE,EXECUTE\_AT,INTERVAL\_VALUE,INTERVAL\_FIELD,SQL\_MODE,STARTS,ENDS,STATUS,ON\_COMPLETION,CREATED,LAST\_ALTERED,LAST\_EXECUTED,EVENT\_COMMENT,ORIGINATOR,CHARACTER\_SET\_CLIENT,COLLATION\_CONNECTION,DATABASE\_COLLATION,FILE\_ID,FILE\_NAME,FILE\_TYPE,TABLESPACE\_NAME,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,LOGFILE\_GROUP\_NAME,LOGFILE\_GROUP\_NUMBER,ENGINE,FULLTEXT\_KEYS,DELETED\_ROWS,UPDATE\_COUNT,FREE\_EXTENTS,TOTAL\_EXTENTS,EXTENT\_SIZE,INITIAL\_SIZE,MAXIMUM\_SIZE,AUTOEXTEND\_SIZE,CREATION\_TIME,LAST\_UPDATE\_TIME,LAST\_ACCESS\_TIME,RECOVER\_TIME,TRANSACTION\_COUNTER,VERSION,ROW\_FORMAT,TABLE\_ROWS,AVG\_ROW\_LENGTH,DATA\_LENGTH,MAX\_DATA\_LENGTH,INDEX\_LENGTH,DATA\_FREE,CREATE\_TIME,UPDATE\_TIME,CHECK\_TIME,CHECKSUM,STATUS,EXTRA,VARIABLE\_NAME,VARIABLE\_VALUE,VARIABLE\_NAME,VARIABLE\_VALUE,KEY\_CACHE\_NAME,SEGMENTS,SEGMENT\_NUMBER,FULL\_SIZE,BLOCK\_SIZE,USED\_BLOCKS,UNUSED\_BLOCKS,DIRTY\_BLOCKS,READ\_REQUESTS,READS,WRITE\_REQUESTS,WRITES,CONSTRAINT\_CATALOG,CONSTRAINT\_SCHEMA,CONSTRAINT\_NAME,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,COLUMN\_NAME,ORDINAL\_POSITION,POSITION\_IN\_UNIQUE\_CONSTRAINT,REFERENCED\_TABLE\_SCHEMA,REFERENCED\_TABLE\_NAME,REFERENCED\_COLUMN\_NAME,SPECIFIC\_CATALOG,SPECIFIC\_SCHEMA,SPECIFIC\_NAME,ORDINAL\_POSITION,PARAMETER\_MODE,PARAMETER\_NAME,DATA\_TYPE,CHARACTER\_MAXIMUM\_LENGTH,CHARACTER\_OCTET\_LENGTH,NUMERIC\_PRECISION,NUMERIC\_SCALE,DATETIME\_PRECISION,CHARACTER\_SET\_NAME,COLLATION\_NAME,DTD\_IDENTIFIER,ROUTINE\_TYPE,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,PARTITION\_NAME,SUBPARTITION\_NAME,PARTITION\_ORDINAL\_POSITION,SUBPARTITION\_ORDINAL\_POSITION,PARTITION\_METHOD,SUBPARTITION\_METHOD,PARTITION\_EXPRESSION,SUBPARTITION\_EXPRESSION,PARTITION\_DESCRIPTION,TABLE\_ROWS,AVG\_ROW\_LENGTH,DATA\_LENGTH,MAX\_DATA\_LENGTH,INDEX\_LENGTH,DATA\_FREE,CREATE\_TIME,UPDATE\_TIME,CHECK\_TIME,CHECKSUM,PARTITION\_COMMENT,NODEGROUP,TABLESPACE\_NAME,PLUGIN\_NAME,PLUGIN\_VERSION,PLUGIN\_STATUS,PLUGIN\_TYPE,PLUGIN\_TYPE\_VERSION,PLUGIN\_LIBRARY,PLUGIN\_LIBRARY\_VERSION,PLUGIN\_AUTHOR,PLUGIN\_DESCRIPTION,PLUGIN\_LICENSE,LOAD\_OPTION,PLUGIN\_MATURITY,PLUGIN\_AUTH\_VERSION,ID,USER,HOST,DB,COMMAND,TIME,STATE,INFO,TIME\_MS,STAGE,MAX\_STAGE,PROGRESS,MEMORY\_USED,MAX\_MEMORY\_USED,EXAMINED\_ROWS,QUERY\_ID,INFO\_BINARY,TID,QUERY\_ID,SEQ,STATE,DURATION,CPU\_USER,CPU\_SYSTEM,CONTEXT\_VOLUNTARY,CONTEXT\_INVOLUNTARY,BLOCK\_OPS\_IN,BLOCK\_OPS\_OUT,MESSAGES\_SENT,MESSAGES\_RECEIVED,PAGE\_FAULTS\_MAJOR,PAGE\_FAULTS\_MINOR,SWAPS,SOURCE\_FUNCTION,SOURCE\_FILE,SOURCE\_LINE,CONSTRAINT\_CATALOG,CONSTRAINT\_SCHEMA,CONSTRAINT\_NAME,UNIQUE\_CONSTRAINT\_CATALOG,UNIQUE\_CONSTRAINT\_SCHEMA,UNIQUE\_CONSTRAINT\_NAME,MATCH\_OPTION,UPDATE\_RULE,DELETE\_RULE,TABLE\_NAME,REFERENCED\_TABLE\_NAME,SPECIFIC\_NAME,ROUTINE\_CATALOG,ROUTINE\_SCHEMA,ROUTINE\_NAME,ROUTINE\_TYPE,DATA\_TYPE,CHARACTER\_MAXIMUM\_LENGTH,CHARACTER\_OCTET\_LENGTH,NUMERIC\_PRECISION,NUMERIC\_SCALE,DATETIME\_PRECISION,CHARACTER\_SET\_NAME,COLLATION\_NAME,DTD\_IDENTIFIER,ROUTINE\_BODY,ROUTINE\_DEFINITION,EXTERNAL\_NAME,EXTERNAL\_LANGUAGE,PARAMETER\_STYLE,IS\_DETERMINISTIC,SQL\_DATA\_ACCESS,SQL\_PATH,SECURITY\_TYPE,CREATED,LAST\_ALTERED,SQL\_MODE,ROUTINE\_COMMENT,DEFINER,CHARACTER\_SET\_CLIENT,COLLATION\_CONNECTION,DATABASE\_COLLATION,CATALOG\_NAME,SCHEMA\_NAME,DEFAULT\_CHARACTER\_SET\_NAME,DEFAULT\_COLLATION\_NAME,SQL\_PATH,GRANTEE,TABLE\_CATALOG,TABLE\_SCHEMA,PRIVILEGE\_TYPE,IS\_GRANTABLE,VARIABLE\_NAME,VARIABLE\_VALUE,VARIABLE\_NAME,VARIABLE\_VALUE,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,NON\_UNIQUE,INDEX\_SCHEMA,INDEX\_NAME,SEQ\_IN\_INDEX,COLUMN\_NAME,COLLATION,CARDINALITY,SUB\_PART,PACKED,NULLABLE,INDEX\_TYPE,COMMENT,INDEX\_COMMENT,VARIABLE\_NAME,SESSION\_VALUE,GLOBAL\_VALUE,GLOBAL\_VALUE\_ORIGIN,DEFAULT\_VALUE,VARIABLE\_SCOPE,VARIABLE\_TYPE,VARIABLE\_COMMENT,NUMERIC\_MIN\_VALUE,NUMERIC\_MAX\_VALUE,NUMERIC\_BLOCK\_SIZE,ENUM\_VALUE\_LIST,READ\_ONLY,COMMAND\_LINE\_ARGUMENT,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,TABLE\_TYPE,ENGINE,VERSION,ROW\_FORMAT,TABLE\_ROWS,AVG\_ROW\_LENGTH,DATA\_LENGTH,MAX\_DATA\_LENGTH,INDEX\_LENGTH,DATA\_FREE,AUTO\_INCREMENT,CREATE\_TIME,UPDATE\_TIME,CHECK\_TIME,TABLE\_COLLATION,CHECKSUM,CREATE\_OPTIONS,TABLE\_COMMENT,MAX\_INDEX\_LENGTH,TEMPORARY,TABLESPACE\_NAME,ENGINE,TABLESPACE\_TYPE,LOGFILE\_GROUP\_NAME,EXTENT\_SIZE,AUTOEXTEND\_SIZE,MAXIMUM\_SIZE,NODEGROUP\_ID,TABLESPACE\_COMMENT,CONSTRAINT\_CATALOG,CONSTRAINT\_SCHEMA,CONSTRAINT\_NAME,TABLE\_SCHEMA,TABLE\_NAME,CONSTRAINT\_TYPE,GRANTEE,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,PRIVILEGE\_TYPE,IS\_GRANTABLE,TRIGGER\_CATALOG,TRIGGER\_SCHEMA,TRIGGER\_NAME,EVENT\_MANIPULATION,EVENT\_OBJECT\_CATALOG,EVENT\_OBJECT\_SCHEMA,EVENT\_OBJECT\_TABLE,ACTION\_ORDER,ACTION\_CONDITION,ACTION\_STATEMENT,ACTION\_ORIENTATION,ACTION\_TIMING,ACTION\_REFERENCE\_OLD\_TABLE,ACTION\_REFERENCE\_NEW\_TABLE,ACTION\_REFERENCE\_OLD\_ROW,ACTION\_REFERENCE\_NEW\_ROW,CREATED,SQL\_MODE,DEFINER,CHARACTER\_SET\_CLIENT,COLLATION\_CONNECTION,DATABASE\_COLLATION,GRANTEE,TABLE\_CATALOG,PRIVILEGE\_TYPE,IS\_GRANTABLE,TABLE\_CATALOG,TABLE\_SCHEMA,TABLE\_NAME,VIEW\_DEFINITION,CHECK\_OPTION,IS\_UPDATABLE,DEFINER,SECURITY\_TYPE,CHARACTER\_SET\_CLIENT,COLLATION\_CONNECTION,ALGORITHM,F\_TABLE\_CATALOG,F\_TABLE\_SCHEMA,F\_TABLE\_NAME,F\_GEOMETRY\_COLUMN,G\_TABLE\_CATALOG,G\_TABLE\_SCHEMA,G\_TABLE\_NAME,G\_GEOMETRY\_COLUMN,STORAGE\_TYPE,GEOMETRY\_TYPE,COORD\_DIMENSION,MAX\_PPR,SRID,SRID,AUTH\_NAME,AUTH\_SRID,SRTEXT,CLIENT,TOTAL\_CONNECTIONS,CONCURRENT\_CONNECTIONS,CONNECTED\_TIME,BUSY\_TIME,CPU\_TIME,BYTES\_RECEIVED,BYTES\_SENT,BINLOG\_BYTES\_WRITTEN,ROWS\_READ,ROWS\_SENT,ROWS\_DELETED,ROWS\_INSERTED,ROWS\_UPDATED,SELECT\_COMMANDS,UPDATE\_COMMANDS,OTHER\_COMMANDS,COMMIT\_TRANSACTIONS,ROLLBACK\_TRANSACTIONS,DENIED\_CONNECTIONS,LOST\_CONNECTIONS,ACCESS\_DENIED,EMPTY\_QUERIES,TOTAL\_SSL\_CONNECTIONS,MAX\_STATEMENT\_TIME\_EXCEEDED,TABLE\_SCHEMA,TABLE\_NAME,INDEX\_NAME,ROWS\_READ,SPACE,PATH,USER,TOTAL\_CONNECTIONS,CONCURRENT\_CONNECTIONS,CONNECTED\_TIME,BUSY\_TIME,CPU\_TIME,BYTES\_RECEIVED,BYTES\_SENT,BINLOG\_BYTES\_WRITTEN,ROWS\_READ,ROWS\_SENT,ROWS\_DELETED,ROWS\_INSERTED,ROWS\_UPDATED,SELECT\_COMMANDS,UPDATE\_COMMANDS,OTHER\_COMMANDS,COMMIT\_TRANSACTIONS,ROLLBACK\_TRANSACTIONS,DENIED\_CONNECTIONS,LOST\_CONNECTIONS,ACCESS\_DENIED,EMPTY\_QUERIES,TOTAL\_SSL\_CONNECTIONS,MAX\_STATEMENT\_TIME\_EXCEEDED,TABLE\_ID,NAME,STATS\_INITIALIZED,NUM\_ROWS,CLUST\_INDEX\_SIZE,OTHER\_INDEX\_SIZE,MODIFIED\_COUNTER,AUTOINC,REF\_COUNT,lock\_id,lock\_trx\_id,lock\_mode,lock\_type,lock\_table,lock\_index,lock\_space,lock\_page,lock\_rec,lock\_data,NAME,CREATE\_FILE,CREATE\_LINE,OS\_WAITS,page\_size,buffer\_pool\_instance,pages\_used,pages\_free,relocation\_ops,relocation\_time,database\_name,table\_name,index\_name,compress\_ops,compress\_ops\_ok,compress\_time,uncompress\_ops,uncompress\_time,page\_size,compress\_ops,compress\_ops\_ok,compress\_time,uncompress\_ops,uncompress\_time,DOC\_ID,page\_size,compress\_ops,compress\_ops\_ok,compress\_time,uncompress\_ops,uncompress\_time,requesting\_trx\_id,requested\_lock\_id,blocking\_trx\_id,blocking\_lock\_id,TABLE\_SCHEMA,TABLE\_NAME,ROWS\_READ,ROWS\_CHANGED,ROWS\_CHANGED\_X\_INDEXES,SPACE,NAME,ENCRYPTION\_SCHEME,KEYSERVER\_REQUESTS,MIN\_KEY\_VERSION,CURRENT\_KEY\_VERSION,KEY\_ROTATION\_PAGE\_NUMBER,KEY\_ROTATION\_MAX\_PAGE\_NUMBER,CURRENT\_KEY\_ID,ROTATING\_OR\_FLUSHING,POOL\_ID,LRU\_POSITION,SPACE,PAGE\_NUMBER,PAGE\_TYPE,FLUSH\_TYPE,FIX\_COUNT,IS\_HASHED,NEWEST\_MODIFICATION,OLDEST\_MODIFICATION,ACCESS\_TIME,TABLE\_NAME,INDEX\_NAME,NUMBER\_RECORDS,DATA\_SIZE,COMPRESSED\_SIZE,COMPRESSED,IO\_FIX,IS\_OLD,FREE\_PAGE\_CLOCK,INDEX\_ID,NAME,POS,page\_size,buffer\_pool\_instance,pages\_used,pages\_free,relocation\_ops,relocation\_time,TABLE\_ID,NAME,POS,MTYPE,PRTYPE,LEN,WORD,FIRST\_DOC\_ID,LAST\_DOC\_ID,DOC\_COUNT,DOC\_ID,POSITION,database\_name,table\_name,index\_name,compress\_ops,compress\_ops\_ok,compress\_time,uncompress\_ops,uncompress\_time,VARIABLE\_NAME,VARIABLE\_VALUE,VARIABLE\_TYPE,CHARACTER\_SET\_NAME,WORD,FIRST\_DOC\_ID,LAST\_DOC\_ID,DOC\_COUNT,DOC\_ID,POSITION,ID,FOR\_COL\_NAME,REF\_COL\_NAME,POS,DOC\_ID,POOL\_ID,POOL\_SIZE,FREE\_BUFFERS,DATABASE\_PAGES,OLD\_DATABASE\_PAGES,MODIFIED\_DATABASE\_PAGES,PENDING\_DECOMPRESS,PENDING\_READS,PENDING\_FLUSH\_LRU,PENDING\_FLUSH\_LIST,PAGES\_MADE\_YOUNG,PAGES\_NOT\_MADE\_YOUNG,PAGES\_MADE\_YOUNG\_RATE,PAGES\_MADE\_NOT\_YOUNG\_RATE,NUMBER\_PAGES\_READ,NUMBER\_PAGES\_CREATED,NUMBER\_PAGES\_WRITTEN,PAGES\_READ\_RATE,PAGES\_CREATE\_RATE,PAGES\_WRITTEN\_RATE,NUMBER\_PAGES\_GET,HIT\_RATE,YOUNG\_MAKE\_PER\_THOUSAND\_GETS,NOT\_YOUNG\_MAKE\_PER\_THOUSAND\_GETS,NUMBER\_PAGES\_READ\_AHEAD,NUMBER\_READ\_AHEAD\_EVICTED,READ\_AHEAD\_RATE,READ\_AHEAD\_EVICTED\_RATE,LRU\_IO\_TOTAL,LRU\_IO\_CURRENT,UNCOMPRESS\_TOTAL,UNCOMPRESS\_CURRENT,trx\_id,trx\_state,trx\_started,trx\_requested\_lock\_id,trx\_wait\_started,trx\_weight,trx\_mysql\_thread\_id,trx\_query,trx\_operation\_state,trx\_tables\_in\_use,trx\_tables\_locked,trx\_lock\_structs,trx\_lock\_memory\_bytes,trx\_rows\_locked,trx\_rows\_modified,trx\_concurrency\_tickets,trx\_isolation\_level,trx\_unique\_checks,trx\_foreign\_key\_checks,trx\_last\_foreign\_key\_error,trx\_is\_read\_only,trx\_autocommit\_non\_locking,ID,FOR\_NAME,REF\_NAME,N\_COLS,TYPE,TABLE\_ID,NAME,FLAG,N\_COLS,SPACE,ROW\_FORMAT,ZIP\_PAGE\_SIZE,SPACE\_TYPE,value,KEY,VALUE,POOL\_ID,BLOCK\_ID,SPACE,PAGE\_NUMBER,PAGE\_TYPE,FLUSH\_TYPE,FIX\_COUNT,IS\_HASHED,NEWEST\_MODIFICATION,OLDEST\_MODIFICATION,ACCESS\_TIME,TABLE\_NAME,INDEX\_NAME,NUMBER\_RECORDS,DATA\_SIZE,COMPRESSED\_SIZE,PAGE\_STATE,IO\_FIX,IS\_OLD,FREE\_PAGE\_CLOCK,SPACE,NAME,FLAG,ROW\_FORMAT,PAGE\_SIZE,ZIP\_PAGE\_SIZE,SPACE\_TYPE,FS\_BLOCK\_SIZE,FILE\_SIZE,ALLOCATED\_SIZE,NAME,SUBSYSTEM,COUNT,MAX\_COUNT,MIN\_COUNT,AVG\_COUNT,COUNT\_RESET,MAX\_COUNT\_RESET,MIN\_COUNT\_RESET,AVG\_COUNT\_RESET,TIME\_ENABLED,TIME\_DISABLED,TIME\_ELAPSED,TIME\_RESET,STATUS,TYPE,COMMENT,INDEX\_ID,NAME,TABLE\_ID,TYPE,N\_FIELDS,PAGE\_NO,SPACE,MERGE\_THRESHOLD,TABLE\_ID,POS,BASE\_POS,SPACE,NAME,COMPRESSED,LAST\_SCRUB\_COMPLETED,CURRENT\_SCRUB\_STARTED,CURRENT\_SCRUB\_ACTIVE\_THREADS,CURRENT\_SCRUB\_PAGE\_NUMBER,CURRENT\_SCRUB\_MAX\_PAGE\_NUMBER,THREAD\_ID,OBJECT\_NAME,FILE,LINE,WAIT\_TIME,WAIT\_OBJECT,WAIT\_TYPE,HOLDER\_THREAD\_ID,HOLDER\_FILE,HOLDER\_LINE,CREATED\_FILE,CREATED\_LINE,WRITER\_THREAD,RESERVATION\_MODE,READERS,WAITERS\_FLAG,LOCK\_WORD,LAST\_WRITER\_FILE,LAST\_WRITER\_LINE,OS\_WAIT\_COUNT,USER,HOST,CURRENT\_CONNECTIONS,TOTAL\_CONNECTIONS,NAME,OBJECT\_INSTANCE\_BEGIN,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,USER,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,THREAD\_ID,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,USER,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,LOCK\_TIME,SQL\_TEXT,DIGEST,DIGEST\_TEXT,CURRENT\_SCHEMA,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,OBJECT\_INSTANCE\_BEGIN,MYSQL\_ERRNO,RETURNED\_SQLSTATE,MESSAGE\_TEXT,ERRORS,WARNINGS,ROWS\_AFFECTED,ROWS\_SENT,ROWS\_EXAMINED,CREATED\_TMP\_DISK\_TABLES,CREATED\_TMP\_TABLES,SELECT\_FULL\_JOIN,SELECT\_FULL\_RANGE\_JOIN,SELECT\_RANGE,SELECT\_RANGE\_CHECK,SELECT\_SCAN,SORT\_MERGE\_PASSES,SORT\_RANGE,SORT\_ROWS,SORT\_SCAN,NO\_INDEX\_USED,NO\_GOOD\_INDEX\_USED,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,LOCK\_TIME,SQL\_TEXT,DIGEST,DIGEST\_TEXT,CURRENT\_SCHEMA,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,OBJECT\_INSTANCE\_BEGIN,MYSQL\_ERRNO,RETURNED\_SQLSTATE,MESSAGE\_TEXT,ERRORS,WARNINGS,ROWS\_AFFECTED,ROWS\_SENT,ROWS\_EXAMINED,CREATED\_TMP\_DISK\_TABLES,CREATED\_TMP\_TABLES,SELECT\_FULL\_JOIN,SELECT\_FULL\_RANGE\_JOIN,SELECT\_RANGE,SELECT\_RANGE\_CHECK,SELECT\_SCAN,SORT\_MERGE\_PASSES,SORT\_RANGE,SORT\_ROWS,SORT\_SCAN,NO\_INDEX\_USED,NO\_GOOD\_INDEX\_USED,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,LOCK\_TIME,SQL\_TEXT,DIGEST,DIGEST\_TEXT,CURRENT\_SCHEMA,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,OBJECT\_INSTANCE\_BEGIN,MYSQL\_ERRNO,RETURNED\_SQLSTATE,MESSAGE\_TEXT,ERRORS,WARNINGS,ROWS\_AFFECTED,ROWS\_SENT,ROWS\_EXAMINED,CREATED\_TMP\_DISK\_TABLES,CREATED\_TMP\_TABLES,SELECT\_FULL\_JOIN,SELECT\_FULL\_RANGE\_JOIN,SELECT\_RANGE,SELECT\_RANGE\_CHECK,SELECT\_SCAN,SORT\_MERGE\_PASSES,SORT\_RANGE,SORT\_ROWS,SORT\_SCAN,NO\_INDEX\_USED,NO\_GOOD\_INDEX\_USED,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,USER,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,SCHEMA\_NAME,DIGEST,DIGEST\_TEXT,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,FIRST\_SEEN,LAST\_SEEN,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,THREAD\_ID,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,USER,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,SUM\_LOCK\_TIME,SUM\_ERRORS,SUM\_WARNINGS,SUM\_ROWS\_AFFECTED,SUM\_ROWS\_SENT,SUM\_ROWS\_EXAMINED,SUM\_CREATED\_TMP\_DISK\_TABLES,SUM\_CREATED\_TMP\_TABLES,SUM\_SELECT\_FULL\_JOIN,SUM\_SELECT\_FULL\_RANGE\_JOIN,SUM\_SELECT\_RANGE,SUM\_SELECT\_RANGE\_CHECK,SUM\_SELECT\_SCAN,SUM\_SORT\_MERGE\_PASSES,SUM\_SORT\_RANGE,SUM\_SORT\_ROWS,SUM\_SORT\_SCAN,SUM\_NO\_INDEX\_USED,SUM\_NO\_GOOD\_INDEX\_USED,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,SPINS,OBJECT\_SCHEMA,OBJECT\_NAME,INDEX\_NAME,OBJECT\_TYPE,OBJECT\_INSTANCE\_BEGIN,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,OPERATION,NUMBER\_OF\_BYTES,FLAGS,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,SPINS,OBJECT\_SCHEMA,OBJECT\_NAME,INDEX\_NAME,OBJECT\_TYPE,OBJECT\_INSTANCE\_BEGIN,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,OPERATION,NUMBER\_OF\_BYTES,FLAGS,THREAD\_ID,EVENT\_ID,END\_EVENT\_ID,EVENT\_NAME,SOURCE,TIMER\_START,TIMER\_END,TIMER\_WAIT,SPINS,OBJECT\_SCHEMA,OBJECT\_NAME,INDEX\_NAME,OBJECT\_TYPE,OBJECT\_INSTANCE\_BEGIN,NESTING\_EVENT\_ID,NESTING\_EVENT\_TYPE,OPERATION,NUMBER\_OF\_BYTES,FLAGS,USER,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,HOST,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,EVENT\_NAME,OBJECT\_INSTANCE\_BEGIN,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,THREAD\_ID,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,USER,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,FILE\_NAME,EVENT\_NAME,OPEN\_COUNT,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,SUM\_NUMBER\_OF\_BYTES\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,SUM\_NUMBER\_OF\_BYTES\_WRITE,COUNT\_MISC,SUM\_TIMER\_MISC,MIN\_TIMER\_MISC,AVG\_TIMER\_MISC,MAX\_TIMER\_MISC,FILE\_NAME,EVENT\_NAME,OBJECT\_INSTANCE\_BEGIN,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,SUM\_NUMBER\_OF\_BYTES\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,SUM\_NUMBER\_OF\_BYTES\_WRITE,COUNT\_MISC,SUM\_TIMER\_MISC,MIN\_TIMER\_MISC,AVG\_TIMER\_MISC,MAX\_TIMER\_MISC,IP,HOST,HOST\_VALIDATED,SUM\_CONNECT\_ERRORS,COUNT\_HOST\_BLOCKED\_ERRORS,COUNT\_NAMEINFO\_TRANSIENT\_ERRORS,COUNT\_NAMEINFO\_PERMANENT\_ERRORS,COUNT\_FORMAT\_ERRORS,COUNT\_ADDRINFO\_TRANSIENT\_ERRORS,COUNT\_ADDRINFO\_PERMANENT\_ERRORS,COUNT\_FCRDNS\_ERRORS,COUNT\_HOST\_ACL\_ERRORS,COUNT\_NO\_AUTH\_PLUGIN\_ERRORS,COUNT\_AUTH\_PLUGIN\_ERRORS,COUNT\_HANDSHAKE\_ERRORS,COUNT\_PROXY\_USER\_ERRORS,COUNT\_PROXY\_USER\_ACL\_ERRORS,COUNT\_AUTHENTICATION\_ERRORS,COUNT\_SSL\_ERRORS,COUNT\_MAX\_USER\_CONNECTIONS\_ERRORS,COUNT\_MAX\_USER\_CONNECTIONS\_PER\_HOUR\_ERRORS,COUNT\_DEFAULT\_DATABASE\_ERRORS,COUNT\_INIT\_CONNECT\_ERRORS,COUNT\_LOCAL\_ERRORS,COUNT\_UNKNOWN\_ERRORS,FIRST\_SEEN,LAST\_SEEN,FIRST\_ERROR\_SEEN,LAST\_ERROR\_SEEN,HOST,CURRENT\_CONNECTIONS,TOTAL\_CONNECTIONS,NAME,OBJECT\_INSTANCE\_BEGIN,LOCKED\_BY\_THREAD\_ID,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,TIMER\_NAME,TIMER\_FREQUENCY,TIMER\_RESOLUTION,TIMER\_OVERHEAD,NAME,OBJECT\_INSTANCE\_BEGIN,WRITE\_LOCKED\_BY\_THREAD\_ID,READ\_LOCKED\_BY\_COUNT,PROCESSLIST\_ID,ATTR\_NAME,ATTR\_VALUE,ORDINAL\_POSITION,PROCESSLIST\_ID,ATTR\_NAME,ATTR\_VALUE,ORDINAL\_POSITION,HOST,USER,ROLE,NAME,ENABLED,NAME,ENABLED,TIMED,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,ENABLED,TIMED,NAME,TIMER\_NAME,EVENT\_NAME,OBJECT\_INSTANCE\_BEGIN,THREAD\_ID,SOCKET\_ID,IP,PORT,STATE,EVENT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,SUM\_NUMBER\_OF\_BYTES\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,SUM\_NUMBER\_OF\_BYTES\_WRITE,COUNT\_MISC,SUM\_TIMER\_MISC,MIN\_TIMER\_MISC,AVG\_TIMER\_MISC,MAX\_TIMER\_MISC,EVENT\_NAME,OBJECT\_INSTANCE\_BEGIN,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,SUM\_NUMBER\_OF\_BYTES\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,SUM\_NUMBER\_OF\_BYTES\_WRITE,COUNT\_MISC,SUM\_TIMER\_MISC,MIN\_TIMER\_MISC,AVG\_TIMER\_MISC,MAX\_TIMER\_MISC,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,INDEX\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,COUNT\_FETCH,SUM\_TIMER\_FETCH,MIN\_TIMER\_FETCH,AVG\_TIMER\_FETCH,MAX\_TIMER\_FETCH,COUNT\_INSERT,SUM\_TIMER\_INSERT,MIN\_TIMER\_INSERT,AVG\_TIMER\_INSERT,MAX\_TIMER\_INSERT,COUNT\_UPDATE,SUM\_TIMER\_UPDATE,MIN\_TIMER\_UPDATE,AVG\_TIMER\_UPDATE,MAX\_TIMER\_UPDATE,COUNT\_DELETE,SUM\_TIMER\_DELETE,MIN\_TIMER\_DELETE,AVG\_TIMER\_DELETE,MAX\_TIMER\_DELETE,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,COUNT\_FETCH,SUM\_TIMER\_FETCH,MIN\_TIMER\_FETCH,AVG\_TIMER\_FETCH,MAX\_TIMER\_FETCH,COUNT\_INSERT,SUM\_TIMER\_INSERT,MIN\_TIMER\_INSERT,AVG\_TIMER\_INSERT,MAX\_TIMER\_INSERT,COUNT\_UPDATE,SUM\_TIMER\_UPDATE,MIN\_TIMER\_UPDATE,AVG\_TIMER\_UPDATE,MAX\_TIMER\_UPDATE,COUNT\_DELETE,SUM\_TIMER\_DELETE,MIN\_TIMER\_DELETE,AVG\_TIMER\_DELETE,MAX\_TIMER\_DELETE,OBJECT\_TYPE,OBJECT\_SCHEMA,OBJECT\_NAME,COUNT\_STAR,SUM\_TIMER\_WAIT,MIN\_TIMER\_WAIT,AVG\_TIMER\_WAIT,MAX\_TIMER\_WAIT,COUNT\_READ,SUM\_TIMER\_READ,MIN\_TIMER\_READ,AVG\_TIMER\_READ,MAX\_TIMER\_READ,COUNT\_WRITE,SUM\_TIMER\_WRITE,MIN\_TIMER\_WRITE,AVG\_TIMER\_WRITE,MAX\_TIMER\_WRITE,COUNT\_READ\_NORMAL,SUM\_TIMER\_READ\_NORMAL,MIN\_TIMER\_READ\_NORMAL,AVG\_TIMER\_READ\_NORMAL,MAX\_TIMER\_READ\_NORMAL,COUNT\_READ\_WITH\_SHARED\_LOCKS,SUM\_TIMER\_READ\_WITH\_SHARED\_LOCKS,MIN\_TIMER\_READ\_WITH\_SHARED\_LOCKS,AVG\_TIMER\_READ\_WITH\_SHARED\_LOCKS,MAX\_TIMER\_READ\_WITH\_SHARED\_LOCKS,COUNT\_READ\_HIGH\_PRIORITY,SUM\_TIMER\_READ\_HIGH\_PRIORITY,MIN\_TIMER\_READ\_HIGH\_PRIORITY,AVG\_TIMER\_READ\_HIGH\_PRIORITY,MAX\_TIMER\_READ\_HIGH\_PRIORITY,COUNT\_READ\_NO\_INSERT,SUM\_TIMER\_READ\_NO\_INSERT,MIN\_TIMER\_READ\_NO\_INSERT,AVG\_TIMER\_READ\_NO\_INSERT,MAX\_TIMER\_READ\_NO\_INSERT,COUNT\_READ\_EXTERNAL,SUM\_TIMER\_READ\_EXTERNAL,MIN\_TIMER\_READ\_EXTERNAL,AVG\_TIMER\_READ\_EXTERNAL,MAX\_TIMER\_READ\_EXTERNAL,COUNT\_WRITE\_ALLOW\_WRITE,SUM\_TIMER\_WRITE\_ALLOW\_WRITE,MIN\_TIMER\_WRITE\_ALLOW\_WRITE,AVG\_TIMER\_WRITE\_ALLOW\_WRITE,MAX\_TIMER\_WRITE\_ALLOW\_WRITE,COUNT\_WRITE\_CONCURRENT\_INSERT,SUM\_TIMER\_WRITE\_CONCURRENT\_INSERT,MIN\_TIMER\_WRITE\_CONCURRENT\_INSERT,AVG\_TIMER\_WRITE\_CONCURRENT\_INSERT,MAX\_TIMER\_WRITE\_CONCURRENT\_INSERT,COUNT\_WRITE\_DELAYED,SUM\_TIMER\_WRITE\_DELAYED,MIN\_TIMER\_WRITE\_DELAYED,AVG\_TIMER\_WRITE\_DELAYED,MAX\_TIMER\_WRITE\_DELAYED,COUNT\_WRITE\_LOW\_PRIORITY,SUM\_TIMER\_WRITE\_LOW\_PRIORITY,MIN\_TIMER\_WRITE\_LOW\_PRIORITY,AVG\_TIMER\_WRITE\_LOW\_PRIORITY,MAX\_TIMER\_WRITE\_LOW\_PRIORITY,COUNT\_WRITE\_NORMAL,SUM\_TIMER\_WRITE\_NORMAL,MIN\_TIMER\_WRITE\_NORMAL,AVG\_TIMER\_WRITE\_NORMAL,MAX\_TIMER\_WRITE\_NORMAL,COUNT\_WRITE\_EXTERNAL,SUM\_TIMER\_WRITE\_EXTERNAL,MIN\_TIMER\_WRITE\_EXTERNAL,AVG\_TIMER\_WRITE\_EXTERNAL,MAX\_TIMER\_WRITE\_EXTERNAL,THREAD\_ID,NAME,TYPE,PROCESSLIST\_ID,PROCESSLIST\_USER,PROCESSLIST\_HOST,PROCESSLIST\_DB,PROCESSLIST\_COMMAND,PROCESSLIST\_TIME,PROCESSLIST\_STATE,PROCESSLIST\_INFO,PARENT\_THREAD\_ID,ROLE,INSTRUMENTED,USER,CURRENT\_CONNECTIONS,TOTAL\_CONNECTIONS,db\_name,table\_name,column\_name,min\_value,max\_value,nulls\_ratio,avg\_length,avg\_frequency,hist\_size,hist\_type,histogram,Host,Db,User,Table\_name,Column\_name,Timestamp,Column\_priv,Host,Db,User,Select\_priv,Insert\_priv,Update\_priv,Delete\_priv,Create\_priv,Drop\_priv,Grant\_priv,References\_priv,Index\_priv,Alter\_priv,Create\_tmp\_table\_priv,Lock\_tables\_priv,Create\_view\_priv,Show\_view\_priv,Create\_routine\_priv,Alter\_routine\_priv,Execute\_priv,Event\_priv,Trigger\_priv,Delete\_history\_priv,db,name,body,definer,execute\_at,interval\_value,interval\_field,created,modified,last\_executed,starts,ends,status,on\_completion,sql\_mode,comment,originator,time\_zone,character\_set\_client,collation\_connection,db\_collation,body\_utf8,name,ret,dl,type,event\_time,user\_host,thread\_id,server\_id,command\_type,argument,domain\_id,sub\_id,server\_id,seq\_no,help\_category\_id,name,parent\_category\_id,url,help\_keyword\_id,name,help\_topic\_id,help\_keyword\_id,help\_topic\_id,name,help\_category\_id,description,example,url,Host,Db,Select\_priv,Insert\_priv,Update\_priv,Delete\_priv,Create\_priv,Drop\_priv,Grant\_priv,References\_priv,Index\_priv,Alter\_priv,Create\_tmp\_table\_priv,Lock\_tables\_priv,Create\_view\_priv,Show\_view\_priv,Create\_routine\_priv,Alter\_routine\_priv,Execute\_priv,Trigger\_priv,db\_name,table\_name,index\_name,prefix\_arity,avg\_frequency,database\_name,table\_name,index\_name,last\_update,stat\_name,stat\_value,sample\_size,stat\_description,database\_name,table\_name,last\_update,n\_rows,clustered\_index\_size,sum\_of\_other\_index\_sizes,name,dl,db,name,type,specific\_name,language,sql\_data\_access,is\_deterministic,security\_type,param\_list,returns,body,definer,created,modified,sql\_mode,comment,character\_set\_client,collation\_connection,db\_collation,body\_utf8,aggregate,Host,Db,User,Routine\_name,Routine\_type,Grantor,Proc\_priv,Timestamp,Host,User,Proxied\_host,Proxied\_user,With\_grant,Grantor,Timestamp,Host,User,Role,Admin\_option,Server\_name,Host,Db,Username,Password,Port,Socket,Wrapper,Owner,start\_time,user\_host,query\_time,lock\_time,rows\_sent,rows\_examined,db,last\_insert\_id,insert\_id,server\_id,sql\_text,thread\_id,rows\_affected,db\_name,table\_name,cardinality,Host,Db,User,Table\_name,Grantor,Timestamp,Table\_priv,Column\_priv,Time\_zone\_id,Use\_leap\_seconds,Transition\_time,Correction,Name,Time\_zone\_id,Time\_zone\_id,Transition\_time,Transition\_type\_id,Time\_zone\_id,Transition\_type\_id,Offset,Is\_DST,Abbreviation,transaction\_id,commit\_id,begin\_timestamp,commit\_timestamp,isolation\_level,Host,User,Password,Select\_priv,Insert\_priv,Update\_priv,Delete\_priv,Create\_priv,Drop\_priv,Reload\_priv,Shutdown\_priv,Process\_priv,File\_priv,Grant\_priv,References\_priv,Index\_priv,Alter\_priv,Show\_db\_priv,Super\_priv,Create\_tmp\_table\_priv,Lock\_tables\_priv,Execute\_priv,Repl\_slave\_priv,Repl\_client\_priv,Create\_view\_priv,Show\_view\_priv,Create\_routine\_priv,Alter\_routine\_priv,Create\_user\_priv,Event\_priv,Trigger\_priv,Create\_tablespace\_priv,Delete\_history\_priv,ssl\_type,ssl\_cipher,x509\_issuer,x509\_subject,max\_questions,max\_updates,max\_connections,max\_user\_connections,plugin,authentication\_string,password\_expired,is\_role,default\_role,max\_statement\_time,id,username,password,id,username,password’
} 
然后我们发现有个password字段名
因为库名只有一个,password对应的表名应该是最后一个 
查询字段值,找到了flag
总结
这里要用到group\_concat()函数,查询所有的表,字段,库。
没有任何难点,学会sql联合查询注入就会做了
