看到本文的时候,其实我还是很蛋定的,大约早在3年多前就看到有人这么做过了,当时还给我发了一大堆这样的代码。
其实还有例子,那就是当初在liba网的时候,有一段时间突然发现MYSQL超慢。bobby查询了所有的数据库查询,发现了类似本文的例子,那时候其实很惊讶,/*!xxxx*/这样的代码不是被注释了吗?又能用来干嘛 ?
所以,今天看到这一篇博客的时候,还是忍不住贴出来,因为这已经真的不算是秘密的秘密了。
来源:http://hi.baidu.com/isbx/blog/item/795dcc112b85f40eb8127b4d.html
作者:meao
昨天在检测一个外国PHP网站时
在id=255后加’出现forbidden
于是我and 1=1正常 and 1=2出错
说明肯定有注入
接着我order by猜出字段
然后union select 1,2,3,4 //悲剧的又出现了forbidden
肯定是做了过滤了
后来构造了语句id=-255+union+/*!select*/+1,2,3,4
原理:
MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form:
/*! MySQL-specific code */
In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions. For example, MySQL Server recognizes the STRAIGHT_JOIN keyword in the following statement, but other servers will not:
SELECT /*! STRAIGHT_JOIN */ col1 FROM table1,table2 WHERE …
If you add a version number after the “!” character, the syntax within the comment is executed only if the MySQL version is greater than or equal to the specified version number. The TEMPORARY keyword in the following comment is executed only by servers from MySQL 3.23.02 or higher:
CREATE /*!32302 TEMPORARY */ TABLE t (a INT);
The comment syntax just described applies to how the mysqld server parses SQL statements. The mysql client program also performs some parsing of statements before sending them to the server. (It does this to determine statement boundaries within a multiple-statement input line.)