TSRC Challenge: WAF SQL Injection Bypass Challenge Record
Author: Conqu3r (Pax.Mac Team), TSRC white hat. I was invited to take part in the TSRC WAF defense bypass challenge. Having previously taken part in a WAF challenge with my team partners, and having plenty of contact with WAFs in day-to-day work, I had already accumulated a number of WAF bypass methods.

The rules of the competition: there are four Tencent WAF-protected test servers (Apache GET, Apache POST, Nginx GET and Nginx POST), and a method counts if it bypasses any one of them. If arbitrary SQL statements can be executed, it is a general bypass and is rated high risk; if other conditions restrict it, it is rated medium or low risk.

Before the competition you should first become familiar with how the Tencent WAF is deployed: whether it sits at the network layer or the application layer, and, if at the application layer, whether it runs before or after the request reaches Apache (or Nginx). Different deployment environments call for different bypass methods. From the article "Mainstream WAF Architecture Analysis and Exploration" on TSRC I learned that the Tencent WAF is implemented as a security module inside the server. That rules out the network-layer tricks such as decimal IP addresses, gzip encoding and the like. I first tried malformed HTTP packets, for example a request line such as /sql.php?id=1 and 1=1 HTTP/1.1, and found that all of them were filtered by the server, which shows that the Tencent WAF developers have learned a lot from experience. With malformed packets, parameter pollution and similar methods all failing, I could only concentrate on some of MySQL's syntax features. The ideas below are basically all built on MySQL syntax.

First, the bypass that Pax.Mac Team likes to use: %a0. Payload: id=-1 union%a0select 1,2. The server checks whether the union and select keywords appear with whitespace between them.
If union and select are both present with whitespace between them, the request is treated as an SQL injection attack. There are many variants one would expect to slip past this, such as union/**/select and union%0dselect, but these are basically all filtered out; whether the developers were careless or deliberately went easy, I don't know, but union%a0select alone is not filtered. Apart from union%a0select there seemed to be no other way through, so I went back to fuzzing, and a surprising variant turned up that is hard to explain at first: union/*%aa*/select. Why does this work? It is not a /* xxx */ comment in the sense the WAF expects, so it should have been caught. The reason is a quirk involving Chinese characters: the WAF's comment rule breaks as soon as the comment body contains a Chinese-character byte, so as long as the comment starts with a byte such as %e4 (and %a0 and so on also work) the detection is bypassed. Testing showed that union and select are allowed to coexist as long as the detector does not see "union space select". So we construct a special string: union + "special characters" + select, so that the regular expression sees something like unionxxooselect rather than union select, and detection is bypassed. But for the database to still parse it, we need a way to eliminate the extra character. The server does not treat /**/ on its own as an attack feature, and if we use the comment to swallow the extra character, the statement executes normally. So union/*Chinese character*/select is a full bypass. Naturally, the "Chinese character" here does not have to be a complete character; a single lead byte such as %aa or %e4 is enough. This method comes from Conqu3r of Pax.Mac Team. Both of the methods above bypass the checks on union select and select from, allowing arbitrary injection.
The methods below are more limited: they only bypass the MySQL function restrictions, for example for load_file, or obtain some environment information. Because the WAF detects sensitive functions, functions such as version() and load_file() cannot be used directly. But since the detection is regular-expression matching, %0b can be used to bypass it easily, for example version()%0b (the space between % and 0b in the original text was only for editing and display and does not exist in the payload). Other special characters are filtered out; %0b is the one fish that slipped through the net. In the same spirit of bypassing the function check, the `version`() form avoids the WAF's regular expression again: by MySQL syntax, `function name`() is equivalent to function name(), a perfect bypass. How do we call a function without the function name passing through the filter? Here hexadecimal blind injection is needed: id=1 and (select `load_file`(0x2f6574632f706173737764) is not null) first determines whether a file exists on the server, here /etc/passwd; 0x2f6574632f706173737764 is the hexadecimal form of /etc/passwd. Once the file is known to exist, we use id=1 and (select `load_file`(0x2f6574632f706173737764) > 0x0000f66) and, by adjusting the hexadecimal value being compared and observing whether the page reports the result as greater, obtain the file's content in hexadecimal. The last idea is to obtain the server's configuration information through global variables, for example id=instr(@@global.version,1): @@global contains a lot of sensitive information. The WAF filters the ascii and substr functions, but instr can still be used for blind injection.

The above are my summary and thoughts on this Tencent WAF bypass challenge. I hope you will actively point out the shortcomings, and if you have other "tricks" for bypassing WAFs, you are welcome to discuss them with me.
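As an added example from the defender's side (not code from the original post or from Tencent's WAF), the following Python sketch models the three gaps described above (the union/select whitespace check, the comment rule broken by a non-ASCII byte, and the function-name check defeated by %0b and backticks) and shows how canonicalising the parameter before signature matching closes all of them. The rule sets, the whitespace byte list and the sample parameters are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Simplified model of the rules as the post describes them: a literal ASCII
# space between union and select, and a bare function name directly followed
# by "(". Constructed for this example, not the real WAF's rules.
NAIVE_RULES = [
    re.compile(rb"\bunion +select\b", re.I),
    re.compile(rb"\b(version|load_file)\(", re.I),
]

# Same intent, applied after normalisation: the whitespace class no longer
# matters and comments and backticks have already been removed.
CANONICAL_RULES = [
    re.compile(rb"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(rb"\b(version|load_file)\s*\(", re.I),
]

def normalize(raw: bytes) -> bytes:
    """Canonicalise a query parameter the way the backend will read it.

    1. percent-decode, so the check sees the same bytes MySQL will see
    2. replace every /* ... */ comment with one space, whatever bytes it
       contains (a lone lead byte such as 0xaa must not break the rule)
    3. drop backticks, since `name`() and name() are the same call in MySQL
    4. fold every whitespace-like byte, 0xa0 and 0x0b included, to one space
    """
    s = unquote_to_bytes(raw)
    s = re.sub(rb"/\*.*?\*/", b" ", s, flags=re.S)
    s = s.replace(b"`", b"")
    s = re.sub(rb"[ \t\n\r\x0b\x0c\xa0]+", b" ", s)
    return s

def naive_match(raw: bytes) -> bool:
    """Signature check on the decoded but un-normalised parameter."""
    decoded = unquote_to_bytes(raw)
    return any(r.search(decoded) for r in NAIVE_RULES)

def canonical_match(raw: bytes) -> bool:
    """Signature check after normalisation."""
    return any(r.search(normalize(raw)) for r in CANONICAL_RULES)

# Constructed sample parameters covering the variants the post discusses.
SAMPLES = [
    b"-1 union%a0select 1,2",
    b"-1 union/*%aa*/select 1,2",
    b"version%0b()",
    b"1 and (select `load_file`(0x2f6574632f706173737764) is not null)",
    b"1",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(repr(p), "naive=", naive_match(p), "canonical=", canonical_match(p))
```

The normalisation must use the same decoding and character set the backend applies; a WAF that decodes differently from MySQL reopens exactly the kind of gap the post exploits.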