
Notes on a failed attempt to bypass Yunsuo (云锁)


This Wind


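Preface

Running into Yunsuo every day while testing sites? The neighbouring sites are all injectable, but the moment you open one: damn, Yunsuo? Yunsuo! Yunsuo! Yunsuo, Yun-SUO. Damn.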

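Installing Yunsuo

Install the server side first, then the PC client. Then register an account on the official site, open the PC client, log in with that account, and connect to Yunsuo's port 5555 using the local machine's username and password. After that you can see your machine in the PC client.

Yunsuo official site

Yunsuo download link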

First attempts

Payloads like and 1=1 are blocked outright, so I won't bother with them.

id=if(1=1,(1=1),1)
id=1 %26%26 True
id=1 Xor 1=1 # most WAFs let Xor through

Yunsuo is rather blunt: it pops up a dialog telling you which sensitive rule you triggered.

Blind injection tests

id=2 Xor length(database())=4
id=2 Xor left(database(),4)="test"

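Later I consulted brother 404's MySQL bypass article and found I still couldn't get past it. I was in utter despair at that point.

Rules I found

Later I found some of Yunsuo's rules here: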

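/**/ is replaced with empty
/*!*/ is replaced with empty
Matched keywords include: and, or, updatexml, select xxx from, union xxx select
The regex matching select xx from is probably: select .*? from
The regex matching union xx select is probably: union .*? select
Unrecognized requests are blocked outright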

Rules: [two images]

Reference links

Notes on getting past defenses in SQL injection

Common approaches for extending a bypass

My date with Yunsuo

https://422926799.github.io/posts/1aa6f64d.html
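An added example, not part of the original post and not Yunsuo's code: a small Python model of the rule set the post infers (strip comments, keyword and regex rules, block anything unrecognized), run over the `id` values the post tried, reporting which rule fires the way the pop-up does. The rule names, the `classify` function and the numeric-only shape of a legitimate `id` are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed model of the rules listed in the post; not Yunsuo's implementation.
COMMENTS = re.compile(r"/\*.*?\*/", re.S)        # /**/ and /*!*/ replaced with empty
RULES = [
    ("keyword", re.compile(r"\b(and|or|updatexml)\b")),
    ("select-from", re.compile(r"select .*? from")),    # regex as guessed in the post
    ("union-select", re.compile(r"union .*? select")),  # regex as guessed in the post
]
NUMERIC_ID = re.compile(r"\d{1,10}")             # assumed shape of a legitimate id

# Values of the id parameter quoted in the post, plus one benign value.
SAMPLES = [
    "42",
    "1 and 1=1",
    "if(1=1,(1=1),1)",
    "1 %26%26 True",
    "1 Xor 1=1",
    "2 Xor length(database())=4",
    '2 Xor left(database(),4)="test"',
]


def classify(raw_value):
    """Return (verdict, rule) for one raw id value, mirroring the listed rules."""
    value = unquote_plus(raw_value)              # decode %26%26 and friends first
    value = COMMENTS.sub("", value).lower()      # then strip comments, fold case
    for name, pattern in RULES:
        if pattern.search(value):
            return ("block", name)
    if NUMERIC_ID.fullmatch(value.strip()):
        return ("allow", None)
    return ("block", "unrecognized")             # default deny, as the post observed


def triage(samples):
    """Map each sample to its verdict so a reviewer can see which rule fired."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for sample, (verdict, rule) in triage(SAMPLES).items():
        print(f"{verdict:5} {rule or '-':12} {sample}")
```

In this model only `and 1=1` is caught by a keyword rule; every other value from the post is stopped by the default-deny check on the parameter's shape, which is the control that does not depend on enumerating operators.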

 
