Some summary and thinking of WAF bypass

WAF classification:

1. Network Layer Class

2. Most common and easy-to-deploy application tier classes (before Apache, after Apache)

The application layer waf– leverages the WAF's own flaws and MySQL syntax features and combines the actual bypass:

WAF most common detection method: keyword Detection For example, if a [space]union[space] Such an SQL statement is considered a malicious request, discard this packet, XSS code the same.

Common Types of Bypass:

Type 1:

Data packet---WAF (using string storage request parameters, decoding after detection), APACHE

C language, such as the use of a storage structure such as string storage request, when decoding,%00 will become NULL and then truncate the request content.

So for example, Id=1%00%20and%201=1 becomes? id=1 thereby bypassing the WAF detection

Type 2:

WAF->apache with data packets

Bypass logic:

WAF special release for certain user-agent (such as the UA of Baidu Spider)

WAF special release for certain post packages (file Upload package)

Example: "Safe dog version Bypass" (http://zone.wooyun.org/content/17331)

Type 3:

WAF->apache with data packets

Using the syntax of MySQL and the special way of writing HTML code, the browser's rendering method bypasses. Because the actual detection logic of the WAF is not clear during the actual penetration test, using fuzz is the best approach, which is also the most common way to circumvent WAF.

Fuzz Dictionary:

%a0union%a0 (WAF expression \s does not match%a0 but MySQL sees it as a space)%0aunion%0a%0bunion%0b (WAF expression \s \ t does not recognize matching%0b)%09union%09/**/union /**/%0dunion%0d/*%e4*/union/*%e4*/(half of the Zhong Wenjing in UTF8 expression in any match (.) Cannot match the content) ' version ' (MySQL syntax attribute function can be written as ' function name ' ())/*!union*/8e0union (MySQL syntax feature, detected as floating point after the end of the context, as a space, under 2 same) 8.0union\ nunion.1union/*.1*/...

A fuzz instance of the MySQL class: Is it really safe to process strings with htmlspecialchars () and Htmlentities () in a database query? "(Http://www.nohackair.net/167.shit)

An fuzz instance of the XSS class:

"Fuzz to detect what characters can be seamlessly connected before onerror"

Write the fuzzz.php and fuzz.php code as follows

fuzzz.php:

Run fuzzz.php for automatic fuzz with the result:
0c,0d,2f,0a,20,09
In the same vein, you can fuzz special characters that can be inserted in other places of various labels.
SQL statement blank character fuzz result (http://zone.wooyun.org/content/15953)
sqlite3:0a,0d,0c,09,20
mysql5:09,0a,0b,0c,0d,a0,20
posgressql:0a,0d,0c,09,20
oracle_11g:00,0a,0d,0c,09,20
mssql:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20
Type 4:
WAF->apache with data packets
This is what WAF can't take into account ...
Multiple malicious code detection and processing of hidden dangers:
Example (fixed):
Vulnerability Name: crm2.qq.com XSS
Submission Time: 2015-03-30 13:39:31
"This time met your fans waf,<script> decisive 501 Ah, collapsed for half an hour, a little fuzz, found%0a will ignore, success bypass WAF"
The last constructed XSS is:
Http://crm2.qq.com/page/portalpage/wpa.php?uin=40012345&f=5&ty=6666&ap=%23&debug=1&bt=\ X3csc%0aript\x3eale%0art ()
There is a Tencent WAF, which also has a certain defensive detection of XSS code, triggering a WAF when a GET request appears <script>, alert (), <svg> and other keywords, and returns an error code of 501
However, due to the parameter after the WAF detection, through the PHP $_get[] function, and continue to filter the keyword, after the author of a fuzz, found that it will match the newline character%0a and discarded after the output, so in this logic:
<scri%0apt>aler%0at ()
Through the WAF, the detection (and no keywords), and then after the PHP string processing, still output malicious code.
Type 5:
WAF->apache with data packets
Malformed HTTP packet,
leverages Apache's compatibility with HTTP packets and WAF's incompatibility with malformed HTTP packets bypass WAF
Summarize:
For the general application layer Waf,fuzz is a good way to test the WAF, using some of MySQL syntax features and some of the browser's rendering methods to construct a powerful fuzz dictionary, perhaps you can bypass the WAF keyword detection.
At the same time, the connection flexibility of WAF and PHP code is also worth considering, for example, type 4, many times the processing of incoming data is easy to leave a hidden trouble.
Some summary and thinking of WAF bypass