    mysql> select * from test where id = 1;
    +----+------+------+
    | Id | QAQ  | QAQ1 |
    +----+------+------+
    |  1 | 123  | 233  |
    +----+------+------+
    1 row in set (0.00 sec)
Erroneous query:

    mysql> select * from test where id = -1;
    Empty set (0.00 sec)
Abnormal query:

    mysql> select * from test where id = -1=(0)=1;
    +----+------+------+
    | Id | QAQ  | QAQ1 |
    +----+------+------+
    |  1 | 123  | 233  |
    +----+------+------+
    1 row in set (0.00 sec)
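This statement is easy to understand. MySQL evaluates the chained comparison from left to right for each row. First, the condition in

    select * from test where id = -1

is false, that is, its value is 0. But 0 = 0 holds and is true, so the condition in

    select * from test where id = -1=(0)

is true, that is, 1. 1=1 holds, so the whole condition holds and the query returns the result. Similarly: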
    mysql> select * from test where id =-1=(1)=0;
    +----+------+------+
    | Id | QAQ  | QAQ1 |
    +----+------+------+
    |  1 | 123  | 233  |
    +----+------+------+
    1 row in set (0.00 sec)
Even the not-equal operator "<>" works:

    mysql> select * from test where id =-1<>(1)<>0;
    +----+------+------+
    | Id | QAQ  | QAQ1 |
    +----+------+------+
    |  1 | 123  | 233  |
    +----+------+------+
    1 row in set (0.00 sec)
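The expression in the middle can be used to construct a Bool condition. SQL is remarkably flexible; it feels as if the only limit is what you can think of.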
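What these chained comparisons do to an application query, and how binding the input neutralises them, as an added example that is not part of the original post. It uses Python's `sqlite3` as a stand-in for MySQL (an assumption: SQLite also evaluates these chains left to right); the table contents are constructed and the function names are hypothetical.

```python
import sqlite3

# Constructed sample data mirroring the page's `test` table (Id, QAQ, QAQ1).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (Id INTEGER PRIMARY KEY, QAQ TEXT, QAQ1 TEXT)")
    db.execute("INSERT INTO test VALUES (1, '123', '233')")
    return db

def lookup_concat(db, user_id):
    """Vulnerable 'before' form: the input is pasted into the SQL text."""
    sql = "SELECT * FROM test WHERE id = " + user_id
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    return db.execute("SELECT * FROM test WHERE id = ?", (user_id,)).fetchall()

def lookup_strict(db, user_id):
    """Hardened form plus validation: reject anything that is not an integer."""
    try:
        value = int(user_id)
    except ValueError:
        return None  # caller can log and reject the request
    return lookup_bound(db, value)

# The three chained-comparison inputs shown on the page.
PAGE_INPUTS = ["-1=(0)=1", "-1=(1)=0", "-1<>(1)<>0"]

def compare(inputs=PAGE_INPUTS):
    """Run every input through the three lookups on a fresh database."""
    db = make_db()
    return {s: (lookup_concat(db, s), lookup_bound(db, s), lookup_strict(db, s))
            for s in inputs}

if __name__ == "__main__":
    for s, (concat, bound, strict) in compare().items():
        print(f"{s!r:14} concat={concat} bound={bound} strict={strict}")
```

In the concatenated form every input returns the row with Id 1 even though no row has id -1; the bound form returns no rows and the strict form rejects the input before it reaches the database.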
0x02 Misc
Misc really lives up to its name: every time I work on challenges I run into something I have not seen before.
Thumbs.db file
Thumbs.db is a file used on Microsoft Windows XP or Mac OS X to cache Windows Explorer thumbnails.
    cygwin warning:
      MS-DOS style path detected: E:\CTF\\xE6\xAF\x94\xE8\xB5\x9B\\xE7\x81\xAB\xE7\xA7\x8DCTF\wifi\www.ivs
      Preferred POSIX equivalent is: /cygdrive/e/CTF/\xE6\xAF\x94\xE8\xB5\x9B/\xE7\x81\xAB\xE7\xA7\x8DCTF/wifi/www.ivs
      CYGWIN environment variable option "nodosfilewarning" turns off this warning.
      Consult the user's guide for more details about POSIX paths:
        http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
    Read 36977 packets.