WAF bypass method summary

Time: 2022-5-6

1. Inline comment bypass

In MySQL syntax there are three comment styles: -- and # (single-line comments) and /* */ (multi-line comment). If an exclamation mark is added right after the opening /* (that is, /*! ... */), the statement inside the comment is executed. Example: 1' and /*!1*/=/*!1*/ #

In MySQL, /*! ... */ is therefore not a real comment. To maintain compatibility, MySQL wraps some statements that exist only in MySQL in /*! ... */: other databases treat them as comments and skip them, while MySQL executes them. In the statement /*!50001 select * from test */; the 50001 means the statement is executed only if the database version is 5.00.01 or above.

But order by is intercepted (here order on its own is not intercepted and by on its own is not intercepted, but by following order is). So we continue with the inline comment test from before and find that the inline comment that passed earlier does not work for order by. Following the characteristic of inline comments introduced at the beginning, add numbers to the inline comment for testing. Prepare plenty of five-digit numbers here, because some commonly used ones have already been blocked by Safedog. After a simple fuzz, a large number of version numbers were found to bypass it, for example through 1'order/*%%!ASD%%%%*/by 3--+ the ranges that succeed against Safedog are: 10440-10449, 13440-13449, 14400-14499, 15440-15449, 16440-16449, 17440-17449, 18440-18449, etc.

union select can be bypassed directly with an inline comment, because Safedog focuses on keywords: to bypass, you only need to add some interference in the middle. However, two inline comments have to be placed between union and select, as in the later case.

union%20/*!11440%20select*/%201,2#

1'order%20/*!11440%20by*/%201,2#

union%20/*!77777cz*//*!77777cz*/%20select%201,2# was found unable to bypass the WAF.

But it can be bypassed with an inline comment: put the () inside an inline comment, or simply deform it:

-1'  union /*!77777cz*//*!77777cz*/ select database/*!77777a*/(),2#

select xxx from xxx (select followed by any characters, then from, then any characters, is also intercepted). Here select table_name and from information_schema.tables were tested separately and were not intercepted, but the combination select table_name,2 from information_schema.tables is intercepted. Re-testing select xxx from xxx confirms that it is intercepted. Note: select followed by any characters plus from plus any characters is intercepted. Only the select needs to be placed in an inline comment to bypass it.

Table name:

union  /*!11440select*/  group_concat(table_name),2 from information_schema.tables where table_schema=database/*!77777cz*/()#

You can also use a new feature of MySQL > 5.6. The mysql database has two new tables, innodb_index_stats and innodb_table_stats, which are maintained automatically by the database and record changed and newly created databases and tables; more precisely, they hold the most recent database change records. Safedog does not restrict these two keywords.

2. Equivalent substitution method:

union%20/*!11440%20select*/%201,@@version,3# was found unable to bypass.

4. Boolean equivalent substitution method:

Construct 1' && true--+, which bypasses Safedog.

5. Newline bypass:

Newline bypass: %23%0A, %2D%2D%0A
%23 is the URL encoding of # (the line comment in MySQL)
%0A is the URL encoding of a line feed
%23aaaa corresponds to #aaaa (which comments out the rest of this line)
Adding %0a (a line feed) afterwards lets the statements that follow execute normally again

6. Space bypass:

To build a statement that bypasses the space check, add some garbage characters inside a comment so that they interfere with Safedog's detection.

7. Mixed case:

The WAF is likely to match in lowercase when it assembles its rules; in that case, mixing upper and lower case can be used to bypass the detection.

8. Double write replacement:

For example:

http://www.***.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….

This method applies to some WAFs that replace union select. After the WAF filters it, it becomes union select 1,2,3,4.
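The inline-comment, newline, space, case and double-write bypasses above all target the same defender mistake: running keyword rules on the raw parameter instead of on the statement as MySQL will actually read it. The following normalizer is an added example (not code from the page or from any WAF product) that applies the decoding steps MySQL itself performs before a keyword rule sees the text: repeated URL decoding, expansion of /*!NNNNN ... */ executable comments gated on the server's version id (exactly five leading digits form the version, any other body is version 0, and the body runs only when the version is not greater than the server's), removal of # and -- comments while keeping the line break, whitespace folding and lower-casing. SERVER_VERSION_ID, the KEYWORDS tuple and the three signature patterns are constructed for the demo; the strip_keywords functions only illustrate why a delete-once filter is defeated by the double-write trick.

```python
import re
from urllib.parse import unquote_plus

# Constructed value for the demo: MySQL 5.7.35 has version id 50735. A real
# deployment takes this from the protected server, because /*!NNNNN ... */ is
# executed only when NNNNN <= the server's own version id.
SERVER_VERSION_ID = 50735

# /*! ... */ with an optional five-digit version, as the MySQL lexer reads it:
# exactly five leading digits form the version, anything else means version 0.
_EXEC_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# '#' and '-- ' run to end of line; the newline itself is kept on purpose.
_LINE_COMMENT = re.compile(r"(#|--[ \t])[^\n]*")

# Constructed keyword signatures, applied to the normalized text only.
_SIGNATURES = (
    re.compile(r"\bunion\b.*\bselect\b"),
    re.compile(r"\border\s+by\b"),
    re.compile(r"\bselect\b.+\bfrom\b"),
)


def url_decode_fully(value, max_rounds=5):
    """Apply percent/plus decoding until the string stops changing (double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def expand_executable_comments(sql, server_version_id=SERVER_VERSION_ID):
    """Keep the body of /*!NNNNN body*/ when the server would execute it, else drop it."""
    def replace(match):
        version = int(match.group(1)) if match.group(1) else 0
        return f" {match.group(2)} " if version <= server_version_id else " "
    return _EXEC_COMMENT.sub(replace, sql)


def normalize(value, server_version_id=SERVER_VERSION_ID):
    """Canonical form a keyword rule should run on: decoded, comment-expanded, lower-case."""
    sql = url_decode_fully(value)
    sql = expand_executable_comments(sql, server_version_id)
    sql = _PLAIN_COMMENT.sub(" ", sql)   # an ordinary comment is just a separator
    sql = _LINE_COMMENT.sub("", sql)     # text after %23...%0A survives the cut
    return re.sub(r"\s+", " ", sql).strip().lower()


def naive_view(value):
    """What a rule sees if it assumes '#' ends the statement: the %23%0A weakness."""
    return url_decode_fully(value).split("#", 1)[0]


def is_suspicious(value, server_version_id=SERVER_VERSION_ID):
    """True when any signature matches the normalized form of the parameter."""
    normalized = normalize(value, server_version_id)
    return any(pattern.search(normalized) for pattern in _SIGNATURES)


# Double-write weakness: a filter that deletes keywords once is defeated by
# nesting them; the fixpoint version shows what such a filter would have to do.
KEYWORDS = ("union", "select")


def strip_keywords_once(value):
    for keyword in KEYWORDS:
        value = re.sub(keyword, "", value, flags=re.IGNORECASE)
    return value


def strip_keywords_fixpoint(value, max_rounds=10):
    for _ in range(max_rounds):
        stripped = strip_keywords_once(value)
        if stripped == value:
            break
        value = stripped
    return value


if __name__ == "__main__":
    for payload in ("union%20/*!11440%20select*/%201,2#",
                    "-1' union /*!77777cz*//*!77777cz*/ select database/*!77777a*/(),2#",
                    "1%23aaaa%0Aunion%20select%201,2"):
        print(repr(normalize(payload)), "->", is_suspicious(payload))
```

Two details matter in practice. The version gate must use the real server's id: against MySQL 5.7 the 77777 comments above vanish and the normalized text reads union select database (),2, whereas a server with id 80030 would execute the bodies and break the query, so a normalizer with the wrong id reports the wrong statement. And the newline step is why naive_view("1%23aaaa%0Aunion%20select%201,2") returns only "1" while normalize returns the full union select: a rule that truncates at # never sees what MySQL runs after the line break.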

9. Combination of encoding and equivalent syntax

Encode and (&&) in Burp Suite to get

The equal sign can be replaced by in or like. 1=1 can be changed into 1 in 1 or 1 like 1, or 1 in 2 or 1 like 2. With some modification, this can also be changed into -1 # in -1 or -1 like -2. After experiments, -1 like -2 was found to bypass Safedog successfully.

10. The remainder function mod() bypass

The statement above is id=1 or mod(6,5) in (1), which exposes the whole database. The WAF has no detection written for arithmetic and the remainder operation here; moreover, the large amount of data access involved does not lend itself to algorithmic detection, so such statements can be constructed to bypass it.
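Sections 9 and 10 show why a rule that looks for the literal 1=1 misses 1 like 1, -1 like -2 and mod(6,5) in (1): the operator or the operand changes, but the property that makes the predicate dangerous does not. That property is that the predicate following or / and / && / || references no column at all, so it evaluates to the same constant for every row. The detector below is an added example (not from the page) built on that structural check rather than on literal signatures: a small lexer for MySQL WHERE-clause tokens, a splitter on boolean connectives, and a test that every token in the predicate is a literal, an operator or a function call. The lexer is deliberately minimal, and the NON_COLUMN_WORDS list is an assumption covering only the keywords the page's examples use.

```python
import re

# Tiny lexer for MySQL WHERE-clause tokens. Numbers are tried before operators
# so that a leading '-' stays attached to its literal (-1 like -2).
_TOKEN = re.compile(r"""\s*(?:
      (?P<num>-?\d+(?:\.\d+)?)
    | (?P<str>'(?:[^']|'')*')
    | (?P<word>[A-Za-z_@][\w@.]*)
    | (?P<op>&&|\|\||<=>|<>|!=|>=|<=|[=<>+\-*/%])
    | (?P<punct>[(),])
    )""", re.VERBOSE)

CONNECTIVES = {"or", "and", "||", "&&"}
# Assumed list: words that can appear in a predicate without naming a column.
NON_COLUMN_WORDS = {"true", "false", "null", "not", "is", "like", "in", "between"}


def tokenize(sql):
    """Return (kind, text) pairs; unmodelled characters become ('other', ch)."""
    tokens, pos = [], 0
    while pos < len(sql):
        match = _TOKEN.match(sql, pos)
        if match is None:
            if not sql[pos].isspace():
                tokens.append(("other", sql[pos]))
            pos += 1
            continue
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens


def _is_connective(token):
    kind, text = token
    return kind in ("word", "op") and text.lower() in CONNECTIVES


def _is_constant_predicate(pred):
    """True when no token names a column: literals, operators and calls only."""
    if not pred:
        return False
    for i, (kind, text) in enumerate(pred):
        if kind == "other":
            return False
        if kind == "word" and text.lower() not in NON_COLUMN_WORDS:
            # an identifier followed by '(' is a function call such as mod(6,5);
            # any other bare identifier is a real column reference
            if i + 1 >= len(pred) or pred[i + 1] != ("punct", "("):
                return False
    return True


def constant_predicates(sql):
    """Every predicate that follows a boolean connective and references no column."""
    tokens = tokenize(sql)
    found, i = [], 0
    while i < len(tokens):
        if _is_connective(tokens[i]):
            j = i + 1
            while j < len(tokens) and not _is_connective(tokens[j]):
                j += 1
            pred = tokens[i + 1:j]
            if _is_constant_predicate(pred):
                found.append(" ".join(text for _, text in pred))
            i = j
        else:
            i += 1
    return found


if __name__ == "__main__":
    for clause in ("id=1 or mod(6,5) in (1)", "id=1 or -1 like -2",
                   "1 && true", "id=1 and status='active'"):
        print(clause, "->", constant_predicates(clause))
```

The same function flags 1=1, 1 like 1, -1 like -2, a bare true after && and mod(6,5) in (1), while id=1 and status='active' or owner=current_user() produces nothing because each predicate names a column. That is the defender's answer to equivalent-syntax substitution: classify by structure, because the set of operators and functions an attacker can substitute is open-ended but a constant predicate is recognizable no matter how it is spelled.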

There is a strange phenomenon: when we submit a single quote on its own at the injection point, the WAF does not intercept it.

This is because in the back-end language, when certain functions are called, or when variables, parameters, strings and so on are concatenated, single quotes are needed to build the string. Therefore the WAF does not include a lone single quote in its detection rules by default.
