D-Shield IIS firewall SQL injection defense (multiple poses)

Posted by millikan at 2020-03-10

0X01 Preface

The D-Shield IIS firewall currently only supports Windows Server 2003. A few days ago I saw on the official blog that a new version of D-Shield will be released soon, and I expect it to be more powerful, so here is a write-up of an earlier test of its SQL injection defense. The injection defense strategy of the D-Shield IIS firewall is shown in the figure below: it mainly checks GET / POST / cookie, and a whitelist of files can be configured. I built different test environments, IIS + (ASP / ASPX / PHP) + (MSSQL / MySQL). Looking at the strategy, the main test ideas were:

a. the whitelist

b. bypassing the detection of union select or select from

Setting up Windows 2003 + IIS + PHP + MySQL took a lot of time, but the testing itself went quite smoothly. First, a screenshot:

Bypass pose one: white list

The path_info behaviour of PHP means, in short, that

http://x.x.x.x/3.php?id=1 is equivalent to http://x.x.x.x/3.php/xxxxxxxxxx?id=1

Pick any file from the whitelist and append it after the script path, and the request passes: id=1 union select 1,2,schema_name from information_schema.schemata

After testing, GET, POST and cookie are all affected: a complete bypass.

Bypass pose two: blank characters

The blank characters MySQL accepts are: %09, %0A, %0B, %0C, %0D, %20, %A0.

After testing, [0x01-0x20] have basically all been handled (as for MSSQL); only %A0 in MySQL remains usable. As you can see, %A0 glued to select is not recognized as the keyword, so the check is bypassed.

id=1  union%a0select 1,2,3 from admin

Bypass pose three: N form

How can the union select and select from checks be bypassed?

If the previous pose explored the position between union and select, can we consider the position in front of union?

Testing the position between the parameter value and union, it turns out that \N bypasses the union select detection, and the select from detection can be bypassed in the same way.

id=\Nunion(select 1,schema_name,\Nfrom information_schema.schemata)


The IIS + ASP / ASPX + MSSQL environment was built with the same ideas, with some differences coming from the language and database features. Continuing with the D-Shield screenshot:

Bypass pose one: white list

ASP: not supported. No path_info-style trick was found, and D-Shield refuses to execute a script whose path contains illegal characters or a special directory (/1.asp/x), so appending anything is useless.

/admin.php/../1.asp?id=1 and 1=1: intercepted

/1.asp?b=admin.php&id=1 and 1=1: intercepted. So D-Shield recognizes the actual location of the file; it is not as simple as checking whether a whitelisted name appears somewhere in the URL...

ASPX: similar to PHP. /1.aspx/admin.php?id=1 union select 1,'2',TABLE_NAME from INFORMATION_SCHEMA.TABLES passes successfully.

Bypass pose two: blank characters

The blank characters MSSQL accepts are: 01, 02, 03, 04, 05, 06, 07, 08, 09, 0a, 0b, 0c, 0d, 0e, 0f, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1a, 1b, 1c, 1d, 1e, 1f, 20

[0x01-0x20] have all been handled. Can the %A0 that slipped through the net in MySQL be used here too?

ASP + MSSQL: %A0 is not accepted, so it is discarded...

ASPX + MSSQL: %A0 together with %0A successfully bypasses the union select detection:

 id=1 union%a0%0aselect 1,'2',TABLE_NAME %a0from INFORMATION_SCHEMA.TABLES

Bypass pose three: 1E form

MSSQL is strongly typed, so there are restrictions here: the displayed column before from must be numeric. With that in place, 1efrom can be used to bypass the select from check.

This depends only on the database, not on the language, so ASP can bypass it just like ASPX: id=1eunion select '1',TABLE_NAME,1efrom INFORMATION_SCHEMA.TABLES
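As an added, defender-side example that is not part of the original post: the normalizer below rewrites a parameter value the way the MySQL and MSSQL lexers will read it (the blank-byte sets listed above, the \N NULL literal, the 1e numeric prefix) before applying a union-select / select-from keyword check, and contrasts that with an assumed model of a check that only splits on bytes 0x01-0x20. The four payloads are the ones from this post, re-typed as percent-encoded query-string values; the weak-check model is an assumption, not D-Shield's actual rule.

```python
import re
from urllib.parse import unquote_to_bytes

# Separator bytes the two lexers accept, as listed in the post: MySQL adds 0xA0 to
# the usual ASCII blanks, MSSQL takes every byte from 0x01 to 0x20.
MYSQL_WS = b"\x09\x0a\x0b\x0c\x0d\x20\xa0"
MSSQL_WS = bytes(range(0x01, 0x21))

# The post's payloads, constructed here as raw percent-encoded parameter values.
PAYLOADS = [
    "1 union%a0select 1,2,3 from admin",                                    # MySQL, %A0
    "\\Nunion(select 1,schema_name,\\Nfrom information_schema.schemata)",   # MySQL, \N
    "1 union%a0%0aselect 1,'2',TABLE_NAME %a0from INFORMATION_SCHEMA.TABLES",  # ASPX
    "1eunion select '1',TABLE_NAME,1efrom INFORMATION_SCHEMA.TABLES",       # MSSQL, 1e
]


def _keyword_hit(toks):
    """True if 'union' is directly followed by 'select', or 'select' precedes 'from'."""
    pair = any(a == "union" and b == "select" for a, b in zip(toks, toks[1:]))
    sel_from = "select" in toks and "from" in toks and toks.index("select") < toks.index("from")
    return pair or sel_from


def naive_flags(param: str) -> bool:
    """Assumed model of the weak check: split only on bytes 0x01-0x20, match whole tokens."""
    raw = unquote_to_bytes(param).lower()
    toks = [t.decode("latin-1") for t in re.split(rb"[\x01-\x20]+", raw) if t]
    return _keyword_hit(toks)


def normalize(param: str) -> str:
    """Rewrite the value the way the database lexer will actually read it."""
    raw = unquote_to_bytes(param)
    # 1. every byte either lexer treats as a separator becomes a plain space
    text = bytes(0x20 if b in MYSQL_WS + MSSQL_WS else b for b in raw).decode("latin-1")
    # 2. MySQL's \N is a complete NULL literal, so the keyword glued to it is split off
    text = text.replace("\\N", " NULL ")
    # 3. a float literal such as 1e ends at the first letter, so 1efrom lexes as 1e from
    text = re.sub(r"(?<![A-Za-z0-9_])(\d+e)(?=[A-Za-z])", r"\1 ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def normalized_flags(param: str) -> bool:
    """Same keyword rule, but run on the normalized form with punctuation dropped."""
    return _keyword_hit(re.findall(r"[a-z0-9_]+", normalize(param)))


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"naive={naive_flags(p)!s:5} normalized={normalized_flags(p)!s:5} {normalize(p)}")
```

Every payload from the post is missed by the whole-token model and caught once the value is normalized first; the lesson is to canonicalize to the lexer's view before matching keywords.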

0X04 END

Different languages, middleware and databases have different features, but the ideas are the same. Practice reveals the truth: as long as you keep exploring, there are more poses waiting to be dug out.

The current test results successfully bypass the injection defenses of host protection software such as Safedog, Cloud Lock, 360 Host Guard and the D-Shield IIS firewall, as well as various cloud WAFs; some of the poses are still in use.


Welcome to follow the WeChat official account Bypass: useful content every week.