See recruit: Bypass WAF continue SQL injection Common methods

Source: Internet
Author: User
Tags sql injection attack

The first name before this article is: WAF bypass for SQL injection #理论篇, I submitted freebuf on June 17. Link: Click here now Blog recovery, special hair here.

Web hacker always survive in the constant struggle with WAF, manufacturers constantly filter, Hacker constantly bypass. WAF Bypass is an eternal topic, many friends also summed up a lot of strange tricks. Well, today I'm here to do a little literacy. First, what is the WAF bypass?

A WAF, simply stated, is a Web application firewall whose function is to filter certain malicious requests with certain keywords. WAF is just a tool to help protect your website. But if you write a special slag, don't say WAF can not help you, even wefgod can not help you ... So it is not naïve to think that using a WAF on your site on the hundred poison does not invade. Get started--

1> annotation Characters

I believe a lot of friends know about SQL notation, which is the most widely used around the WAF. They allow us to bypass many Web application firewalls and restrictions, and we can comment out some SQL statements and then let them execute only the attack statement for the purpose of the intrusion.

Common comment characters:

,--,/**/, #,--+,---,;%0 0

2> Situation Change

However, some of the previously audited open-source programs, some vendors are not rigorous filtering, some are blocked by the filter, but some only filter the lowercase form, but at the time of the transfer of parameters did not convert the receive parameter to lowercase to match. In this case, we can easily get around.

For example, its filter statements are:


So we can construct this:


3> Inline annotation

Some of the WAF's filtering keywords are like/union\sselect/g, as stated above, and many times I use inline annotations. More sophisticated examples require a more advanced approach. For example, with the addition of the SQL keyword, we need to further separate the two words to bypass the filter.

id=1/*! Union*/select

With/*! Code * * To execute our SQL statement. Inline annotations can be used throughout the SQL statement. So if table_name or INFORMATION_SCHEMA is filtered, we can add more inline comment content.

For example, a filter filters:

Union,where, table_name, table_schema, =, and Information_schema

These are the goals that our inline annotations need to bypass. Therefore, an inline annotation is usually used to bypass the following:

id=1/*! Union*/+select+1,2,concat (/*!table_name*/) +from/*information_schema*/.tables/*! WHERE */+/*! Table_schema*/+like+database ()---

Usually, the above code can bypass the filter, notice that we use like rather than =

When everything seems to have failed, you can try to close the variables used in the SQL statement by applying the firewall:

Id=1+union/*&a=*/select/*&a=*/1,2,3,database ()---

Even if the common inline annotation itself does not work, the above code should also be able to bypass the Union+select filter.

4> Buffer Overflow:

Unexpected input:

We know that many of the wafs are in C, and they can easily overflow when loading a bunch of data. One such WAF is described below when it receives a malicious request and response from a large number of data.

Id=1 and (select 1) = (select 0xAAAAAAAAAAAAAAAAAAAAA, more A ' s) +union+select+1,2,version (), 4,5,database (), User (), 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+

The above bypass statement, I used in a recent site bypass.

5> Replace keyword (preg_replace and/or can achieve the same purpose):

Sometimes the program will delete all the keywords, for example, there is a filter, he will make the union select Blank, then we can use the following way to bypass:


It's not hard to understand, is it? The Union and select become blank, and the two sides are re-assembled into new queries.


6>character Code:

In some cases, the WAF decodes the input in the application, but some WAF is only filtered and decoded once, so we can bypass the bypass statement as long as we double-encode it. (The WAF decodes and then filters, and then the SQL statements are automatically decoded and executed directly)

Example of a double-coded bypass statement:


Some examples of double coding:

Single quote: '%u0027%u02b9%u02bc%u02c8%u2032%uff07%c0%27%c0%a7%e0%80%a7 blank:%u0020%uff00%c0%20%c0%a0%e0%80%a0 Left bracket (:%u0028% Uff08%c0%28%c0%a8%e0%80%a8 closing parenthesis):%U0029%UFF09%C0%29%C0%A9%E0%80%A9

7> Synthesis:

After bypassing a few simple WAF, the later tasks are getting easier ~ Here are a few ways to get around your target WAF.

7a> splitting the SQL statement:

The usual practice is to break up the SQL injection statement to check which keyword is being filtered. For example, if you enter a Union+select statement, you are quoted a 403 or internal server error, what union is not legal what, you know what is filtered, but also the common fuzzing test. This is the premise of making bypass statements.

7b> lengthy error:

When your SQL syntax input error, the other site did not close the error echo, there will be a lot of errors, in PHP will be more sensitive site root directory address. ASPX will burst the entire syntax error details.

For example, the syntax you enter is:


Will quote you the following error:

Error at line 1 near "" +1,2,3--

The above also said the blacklist filter, you can also use the following ways to bypass:


This is just one of many ways to bypass different WAF and require different bypass ideas.

8> Advanced Bypass Tips:

As mentioned above, when you try to bypass a few WAF, you will feel that he is not difficult, will feel very interesting, very challenging: B, when you find yourself in the WAF after the injection, do not want to give up, try to challenge, see what it filters, what syntax allows, what syntax is not allowed. Of course, you can also try to violence some, it as inflatable doll, [;: {} () *&$/|<>? "] These special characters in brackets are not to keep the decoration of the scatter ~ can report a mistake is quite proud of, Sao years, you say right?

However, if you try n statements, the TM is filtered, the whole person is almost collapsed, what to do? Very simple, open the music player, put a little apple to relax. Then copy down all the WAF filters and carefully analyze it! The saying goes, nothing is difficult, afraid of a conscientious.

For example, for example, when you analyze to the end and find that all the * are blank, it means that you cannot use inline annotations, and Union+select will return you with a 403 error, in which case you should make full use of the * is replaced with blanks:


In this case, * was filtered out, but Union+select was preserved. This is a common WAF bypass technique, of course, not just union+select, but other grammars are filtered to use this. Find the keyword that was replaced, and you'll find a way around it.

Some of the common bypass:

id=1+ (UnIoN) + (SelECT) +id=1+ (union+select) +id=1+ (UnI) (ON) + (SEL) (EcT) id=1+ ' UnI ' "on ' + ' SeL ' EcT ' <-mysql onlyid=1 + ' UnI ' | | ' On ' +select ' <-mssql only

Note: In mysql4.0 species, UNI/**/on+sel/**/ect is not available.

Conclusion: The posture of a WAF depends on the spread of your mind, and you can find a lot of fun in the process of WAF bypass, isn't it? More posture Welcome pm me.

A few books on SQL injection and web security are recommended:

"SQL injection attack and defense"

"Hacker attack and defense treasure-web actual Combat article"

PHP Security is a good fit for PHP developers to read

"Web Security"

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.