[Clever Tricks] A real-world Access injection that bypassed the Safedog WAF
The place on the site where the injection point exists:
At the time I tested for boolean-based blind injection and found that the site was behind the Safedog (安全狗) WAF.
After a round of fuzzing, I found that the database is an Access database.
Access does not allow comments in queries, and it has no notion of databases. Fortunately the WAF was Safedog; the bypass method is as follows.
Because Safedog inspects the URL as a whole, it sees that what lies between the aa parameter and the bb parameter is wrapped in a comment, and lets the request through.
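The parsing mismatch described above, as an added example that is not part of the original post: a whole-URL check that strips `/*...*/` before matching is compared with a check that inspects each parameter value the way the application receives it. The keyword rule, function names and sample URLs are constructed assumptions, and the whole-URL model is a simplification of the behaviour the post describes, not Safedog's actual code.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Hypothetical keyword rule standing in for a WAF signature set.
SQLI_RULE = re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+|\bselect\b.+\bfrom\b", re.I | re.S)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample requests (shop.example is a placeholder host).
SAMPLE_EVASIVE = "http://shop.example/list.asp?aa=/*&id=1%20and%201=1&bb=*/"
SAMPLE_BENIGN = "http://shop.example/list.asp?id=12&q=tea"

def whole_url_verdict(url):
    """Flawed model: treat the decoded query string as one blob,
    drop anything that looks like /*...*/, then apply the rule."""
    query = unquote_plus(urlsplit(url).query)
    return "block" if SQLI_RULE.search(BLOCK_COMMENT.sub("", query)) else "allow"

def per_parameter_verdict(url):
    """Inspect every decoded value separately, as the application sees it.
    A comment delimiter opened in one value and closed in another is
    itself a signal, so unbalanced delimiters are flagged."""
    reasons = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.count("/*") != value.count("*/"):
            reasons.append(f"{name}: unbalanced comment delimiter")
        if SQLI_RULE.search(value):
            reasons.append(f"{name}: SQL keyword rule")
    return ("block" if reasons else "allow"), reasons

if __name__ == "__main__":
    for url in (SAMPLE_EVASIVE, SAMPLE_BENIGN):
        print(url)
        print("  whole-URL check    :", whole_url_verdict(url))
        print("  per-parameter check:", per_parameter_verdict(url))
```

The application never sees a comment here: it reads `id` as its own value, so any inspection layer has to split and decode parameters the same way before matching.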
Other pages also have injection points.
Next I ran sqlmap. Because sqlmap treats `*` as a special character, the `*` has to be URL-encoded as `%2a`.
Here sqlmap dumped the passwords from the admin table, and I also found the corresponding admin backend, but the MD5 hashes could not be cracked, so I could not go any further.
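This article comes from T00ls and is published with authorization. The views in this article do not represent our position; to reprint it, please contact the original author.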