js 提取 sql 条件 表名 limit

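// Demo: pull the table name, LIMIT and WHERE clause out of a simple SELECT
// statement and translate the WHERE conditions into an HBase-style
// SingleColumnValueFilter expression.
//
// This is regex-based, not a SQL parser. Conditions are split on the
// lowercase keywords " and " / " or ", so a quoted value that contains one
// of those words is mis-split. Parentheses and nested queries are not handled.
//
// NOTE(security): the filter expression is assembled by string concatenation.
// Column names are therefore restricted to \w+ and single quotes are removed
// from every value so a value cannot close its quoted literal early. If `str`
// can come from an untrusted caller, validate it against an allow-list of
// tables/columns before using the generated filter.

var obj = {};
var str = "select * from table1 where id >1000 and uid=123 or event_id=3 and a in('1',2','3',4) and b like '%abc%' limit 1000";

// Return capture group 1 of `pattern` in `text`, or '' when there is no match.
// The match result is read directly: the legacy RegExp.$1 static keeps the
// value of the previous successful match when the current one fails.
function firstCapture(text, pattern) {
    var found = pattern.exec(text);
    return found ? found[1] : '';
}

// Backslash-escape regular-expression metacharacters in a literal fragment.
function escapeRegexLiteral(text) {
    return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Remove every single quote from a SQL literal before it is embedded in the
// single-quoted filter argument.
function stripQuotes(value) {
    return value.replace(/'/g, '');
}

// Translate one "<column> <op> <value>" condition into filter text.
// Supported operators: >=, <=, >, <, =, in (...), like.
// Throws Error when the condition does not have that shape, rather than
// emitting a malformed filter.
function conditionToFilter(cond) {
    // Two-character operators come first so ">=" is not read as ">" then "=".
    // "in" must be followed by "(" so it is not confused with ordinary text.
    var parts = /^\s*(\w+)\s*(>=|<=|>|<|=|\s+in\s*(?=\()|\s+like\s+)\s*(.*?)\s*$/.exec(cond);
    if (!parts) {
        throw new Error('Unsupported WHERE condition: ' + cond);
    }
    var column = parts[1];
    var op = parts[2].trim();
    var value = parts[3];

    if (op === 'in') {
        // An IN list becomes a parenthesised OR of equality filters.
        var items = value.replace(/\(|\)/g, '').split(/,\s*/);
        var alternatives = [];
        for (var k = 0; k < items.length; k++) {
            alternatives.push("SingleColumnValueFilter('f1','" + column + "',=,'binary:" + stripQuotes(items[k]) + "')");
        }
        return '(' + alternatives.join(' OR ') + ')';
    }

    if (op === 'like') {
        // Each % wildcard becomes ".*"; the text between wildcards is escaped
        // so it is matched literally. The SQL "_" wildcard is not translated.
        // NOTE(review): the pattern is not anchored; confirm whether the
        // regexstring comparator matches the whole value or any substring.
        var fragments = stripQuotes(value).split('%');
        for (var j = 0; j < fragments.length; j++) {
            fragments[j] = escapeRegexLiteral(fragments[j]);
        }
        return "SingleColumnValueFilter('f1','" + column + "',=,'regexstring:" + fragments.join('.*') + "')";
    }

    return "SingleColumnValueFilter('f1','" + column + "'," + op + ",'binary:" + stripQuotes(value) + "')";
}

obj['table'] = firstCapture(str, /\s+from\s+(\w+)/);
obj['limit'] = firstCapture(str, /\s+limit\s+(\d+)/);
// A single lazy group replaces the nested quantifier "(.+)*?", and the LIMIT
// clause is optional so a statement without one still yields its WHERE text.
obj['where'] = firstCapture(str, /\s+where\s+(.+?)(?:\s+limit\s+\d+)?\s*$/);

// Even indexes hold conditions, odd indexes hold the captured and/or keyword.
var a = obj['where'] ? obj['where'].split(/\s+(and|or)\s+/) : [];
console.log(a);
var w = '';
for (var i = 0; i < a.length; i++) {
    if (i % 2 === 1) {
        // Upper-cased so the connectors match the ' OR ' emitted for IN lists.
        w += ' ' + a[i].toUpperCase() + ' ';
        continue;
    }
    w += conditionToFilter(a[i]);
}
console.log(w);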

 
