MSSQL WAF Bypass (2)

0x00 Preface

The last bypass was too simple to be able to draw data or get permission, this time continue to bypass, get the data

0x01 process

Or the last site, simple judgment, presence injected

Find and number, exec, union Select, select Number ... Be filtered

found that the Execute function was not filtered and the dog did not show that the function could be used

execute(‘sql语句‘)  //execute函数中可以写sql语句，且为字符串，那么就可以传入一些变形字符串来绕过waf

Verify it locally.

Some variants

Just this time using SQL Server stack injection, and will not show the data on the page, so let this time stacking error, to achieve the effect of error injection

execute(‘select convert(int,@@version)‘) --a

Of course it needs to be deformed, otherwise it will be intercepted because a select

execute(‘sel‘%2b‘ect convert(int,@@version)‘) --a   //在url编码中 %2b 等价与 + 所以可以理解为 ‘sel‘ + ‘ect‘

By using the Execute function, you can deform to make the WAF impossible to intercept, get the data, or execute the SQL statement, which makes it much easier.
Execute Cmdshell, because Cmdshell cannot be echoed by error, but can redirect the results to a file or write to a table

execute(‘master..xp_cmdshell whoami > e:\‘%2b‘\xx\‘%2b‘\1.txt‘)  // 双斜杠被过滤

Returning an error does not matter, WAF does not intercept, see if 1.txt has data

0x02 Follow-up

Would like to write to Webshell or download Webshell through the public network, but the server can not go out of the network, and there is a WAF, resulting in the write shell failure, consider to kill the WAF, but also to avoid the impact on the server.

MSSQL WAF Bypass (2)