Label: # # # Phenomenon: When we injected, found that there are dogs, there is a waf, really my little heart is broken down!! However, many times still have to calm down to analyze the filter system exactly what parameters are filtered, how to bypass. Using the tamper in Sqlmap brings us a lot of anti-filtering script bypass. Hint "The entry has a dangerous character and has been intercepted" Tip "Please do not attempt to inject illegal characters in
When we get the target server, we usually use artifact Mimkaz to fetch the clear-text password of the target server, but if the target server is configured Waf,mimikaz cannot crawl, it is possible to download the DMP file with account password to local to use Mimikaz crawl.Realize the same system environment as the target machine. Then use the following command to download the DMP file;Procdump.exe-accepteula-ma Lsass.exe%computername%_lsass.dmpThis p
Common URL encodings include UTF (% xx) and hexadecimal encoding (% xx). Most IDS and WAF can be identified and decoded before regular matching. However, in addition to the two types of encoding, the IIS web server also supports another non-standard encoding, namely, % u Encoding (% uxxxx ). For more information, see the original document. I have to say that some technologies will not be old. The key is that you do not care. That is to say, the reques
Introduction:First of all, we should all know the function and principle of WAF, the market is basically using Nginx+lua to do, here is no exception. But slightly different, the logic is not in Lua.Instead of using Elasticsearch for analysis, LUA only uses the analyzed IP address to block, greatly reducing the direct interruption caused by false positives and other failures.The architecture diagram is as follows:You can get the following useful data:1
||RootMySQL>Select{x (name)}from{x (Manager)}; + -- ------+ | | + -- ------+ | Admin | + -- ------+ 1 inch Set (0.00 sec)You can play it like this, remove the spaceIt's OK to use parentheses! as : Select (host) from (MySQL. User ); SELECT (Unhex (Unhex (333532453335324533323335)));The rules of certain WAF are matched directly with parenthesesSelect {x+table_name} fromhttps://twitter.com/Black2Fan/status/564746640138182656Http://dev.mysql.com/doc/re
Tags: single quotes english reading Google Kung fuSqlmap's Tamper directory has 41 scripts to bypass the WAF, and the online an article briefly describes how to use them, but it simply says a few of them. I use the documentation comments of these 41 scripts to simply mark each of their functions, or as before, Google Translate and then manually polished. In fact, there are examples of document comments, look at a glance will probably know the effect,
"--" followed by a random string and a newline character to replace the whitespace space2hash.py with the pound notation "#" followed by a random string and a newline character to replace the whitespace space2morehash.py with the pound notation "#" followed by a random string and a newline character to replace the whitespace space2mssqlblank.py replacing whitespace with random whitespace characters from a valid set of alternate character sets space2mssqlhash.py with the pound notation "#" follo
random whitespace characters in a valid set of alternate character sets
unionalltounion.py Replace "union ALL Select" with "union select"
unmagicquotes.py replacing whitespace with a multibyte combination%bf%27 and the end-of-general comment
varnish.py Add an HTTP Header "X-originating-ip" to bypass the WAF
versionedkeywords.py surround each non-function keyword with mysql annotations
versionedmorekeywords.py surround each keyword with MySQ
In this article, I will share with you several WAF bypass skills. For some tips that everyone knows, such :/*! */, SELECT [0x09, 0x0A-0x0D, 0x20, 0xA0] xx FROM does not recreate the wheel.
Mysql:
Tips1: Magic '(the controller of the output table in the format)
Space and some regular expressions.
mysql>select`version`()
->;
+----------------------+
|`version`()|
+----------------------+
|5.1.50-community-log|
+-------------------
I have studied waf at home and abroad. Share some amazing tricks.
Some skills that everyone knows are as follows :/*! */, SELECT [0x09, 0x0A-0x0D, 0x20, 0xA0] xx FROM does not recreate the wheel.
MysqlTips1: Magic '(the controller of the output table in the format)
Space and some regular expressions.
mysql> select`version`() -> ; +----------------------+ | `version`() | +----------------------+ | 5.1.50-community-log | +-------------
Download the System.Windows.Interactivity.dll file and introduce it into the project (as you can see in the reference list of the VS project).Using the DLL in XAMLXmlns:i= "Clr-namespace:system.windows.interactivity;assembly=system.windows.interactivity"get focus, lose focus event for TextBox control -TextBoxText= "Test"> i:interaction. Triggers> I:eventtriggerEventName= "LostFocus"> i:invokecommandactionCommand="{Binding Relativesource={relativesource ancestortype=window},p
Web Code saw http://sourceforge.net/projects/sqlxsswaf? Source = directory
Start read!
I. Main Functions
The process is clear,
1. the main function of WAF is an endless loop. In the while (1) code segment, after the code completes processing the current log Content, it sleeps for 10 ms and continues to process new content from get_pos.
2. When the second while processing log finds the log Content starting with get or post, it checks the commands sent
/addslashes feature —————————————————————————— –equaltolike.pylike instead of equals example:* input:select * from Users where Id=1* Output:select * from the users where id like 1Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 —————————————————————————-keyword before comment halfversionedmorekeywords.pyexample:* input:value ' UNION all SELECT CONCAT (CHAR (58,107,112,113,58), Ifnull (CAST (Current_User () as Char), char (+)), char (58,97,110,121,58)), NULL, null# and ' qdwa ' =
China Telecom Jiangxi main site can be accessed by getshell over waf
Verify getshell
Address: http ://**. **. **. **/res/active/4G/upload. jsp (login required) Upload Vulnerability is also installed with security software, so I killed all my horsesHowever, this is not the focus.Upload pony first
POST http://**.**.**.**/AttachmentServlet?backUrl=/service/upload/img_upload.jsp HTTP/1.1Host: **.**.**.**Connection: keep-aliveContent-Length: 1912Cache-Cont
Original address: http://bbs.10hst.com/viewthread.php? Tid = 39 extra = page % 3D1====== Bypass the anti-injection system, including the test code of WAF ======Solution 1: Replace the space in the test code with/**/or + (Note:/**/and + do not perform url encoding)?
To copy the Code as it is, double-click the code and right-click the code to copy it.
010203
For example, id = 1 or 1 = 1Id = 1/**/or/**/1 = 1Id = 1 + or + 1 = 1
SQL Injection for DBA permissions on the WAF web game main site (only two databases of the current database are viewed, with more than 2 million user information)
Web game master site DBA permission SQL injection (tens of millions of user information, recharge records, novice card leakage) (involving well-known games such as the wild, storm, and Master)
Web Game Web site: http://www.wa3.com/It says:
Wow web games, the most distinctive web game platfor
403 Request Denied with special charactersWhite list rule syntax:Basicrule wl:id [Negative] [mz:[$URL: target_url]|[ match_zone]| [$ARGS _var:varname]| [$BODY _vars:varname]| [$HEADERS _var:varname]| [NAME]]Wl:id (white list ID) which interception rules will go to whitelistwl:0: Add all the interception rules to whitelistWl:42: Whitelist the interception rule with ID 42Wl:42,41,43: Whitelist the interception rules with IDs 42, 41, and 43WL:-42: Add all interception rules to whitelist except for
Tips:Injection point used: Support Union can error support multi-line execution, executable system command, HTTP request, and other advantages other than the above type, you may need a brute force guess. When you are guessing, you may encounter some limitations. All the attackers have to do is break them up. 1. Binary is typically used to find a single character by bypassing the greatest function, which cannot be used to guess the size of a symbol. Mysql> Select ASCII (Mid (User (),) SQL Injecti
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.