码迷,mamicode.com
首页 > 数据库 > 详细

mysql syntax bypass some WAF

时间:2015-02-12 09:10:46      阅读:230      评论:0      收藏:0      [点我收藏+]

标签:

select{x table_name}from{x information_schema.tables}
mysql> select{x table_name}from{x information_schema.tables};
+----------------------------------------------------+
| table_name                                         |
+----------------------------------------------------+
| CHARACTER_SETS                                     |
| COLLATIONS                                         |
| COLLATION_CHARACTER_SET_APPLICABILITY              |
| COLUMNS                                            |
| COLUMN_PRIVILEGES                                  |
| ENGINES                                            |
mysql> select{x version()}from{x user};
+---------------+
| {x version()} |
+---------------+
| 5.5.20-log    |
| 5.5.20-log    |
| 5.5.20-log    |
| 5.5.20-log    |
+---------------+
4 rows in set (0.00 sec)

select{x a}from{x b}  . b为当前数据库存在的任意表名。 a就是你要返回的内容。唔 ,我所能想到的场景就是获取user() ,version()之类的 {}代替空格绕过正则的检测啥的。。那我们直接 select{x (user())}或者 select(user())也可以。。
要获取其它信息的话,像这样。

mysql> select{x (select user from user limit 1)} from{x user};
+-------------------------------------+
| {x (select user from user limit 1)} |
+-------------------------------------+
| root                                |
| root                                |
| root                                |
| root          
mysql> select{x(name)}from{x(manager)};
+--------+
| name |
+--------+
| admin  |
+--------+
1 row in set (0.00 sec)

可以这样玩,去掉空格

接用圆括号不就好啦!

such as:
select(host)from(mysql.user);
SELECT(UNHEX(UNHEX(333532453335324533323335)));

直接用括号某些WAF的规则是可以匹配到的

select{x+table_name}from{x(information_schema.tables)} 

 

 

https://twitter.com/Black2Fan/status/564746640138182656
http://dev.mysql.com/doc/refman/5.6/en/date-and-time-literals.html#date-and-time-standard-sql-literals
http://dev.mysql.com/doc/refman/5.6/en/join.html#idm140714470997024

mysql syntax bypass some WAF

标签:

原文地址:http://www.cnblogs.com/hookjoy/p/4287285.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!