Web Security: A Tough WAF Bypass

0x00: Preamble

Before I started, I never imagined it would be this hard.

0x01: Suffix bypass

First, a look at how this WAF works: when a request matches a WAF rule, the request is dropped, like this:

The WAF intercepts on the file suffix. First I fuzzed a round of newlines:

Failed.

Multiple equals signs:

Failed.

Swapping single and double quotes:

Failed. Removing the quotes:

Failed.

Overflowing the Content-Disposition field:

Failed, and it's unclear whether that is due to server performance or a rule. When this field is too long (the exact length is unclear), even a normal image upload packet is discarded.


Multiple Content-Disposition fields:

Failed. A malformed protocol:

Failed. Adding or removing spaces before the boundary:

Failed, and the server then no longer recognizes the upload at all, so even normal files fail to upload.

Deleting Content-Type: image/jpeg:

Failed. Overflowing the filename:

Failed, and there is a limit here too: too long and normal uploads fail as well. Trying each Accept-Encoding value (gzip, compress, deflate, br, identity, *) also failed.

Chunked transfer:

The WAF seems to match on Transfer-Encoding: chunked, but removing chunked makes the request error out.

And so on. I tried a pile of others later, all of which failed. I took a look at the server: it was Windows, so I tried using Windows file-naming rules to bypass it.

As everyone knows, a Windows file name cannot contain the following characters:

But we can still construct such a name in the upload request. First, try slashes:

The result was a bit unexpected: what actually lands on the server ends in .jpg, for both forward and backward slashes, like this:

Changing the character to an asterisk got blocked. After trying them all, I found that only the colon gets through.

Visit the path to check whether www.php exists:

The file was indeed uploaded, but now there's a new problem: no content was written...

I found out later that the colon empties the file's content, and for a while I had no idea what to do.

So the suffix is bypassed, at least.

0x02: Content bypass


Uploading a 0 KB file is no different from not uploading at all, so the data still has to be written in.

How? I had no idea at first; the buddy next to me said three left angle brackets can write content into the file.

Like this:

But the WAF had that in its rules too.

......

Every road has a way through: if three don't work, use four.

I didn't expect four to write into the file as well, lol. No idea why.

But the problem is the file name again: www.php gets blocked, adding a colon empties the file, and it seemed like an endless loop. After a bunch of blind attempts I found the content had actually been written, though I don't know why; maybe some odd regex behaviour?

Now that I could write files I thought it would be easy, but the nightmare was only beginning.

First, none of the fancy webshells I had got through. The only one that did, the shell I'd used for the earlier bypass, wouldn't run (this is a pitfall; more on it later), even though it runs fine locally. Maybe it's metaphysics, haha.

First, it wouldn't accept normal variables; then <?php tags mixed with certain contexts were blocked; it also intercepts paired brackets. In short, it's bizarre.

For example:

Hence the strange-looking shell above.

The content bypass builds on this. Originally I was going to upload this shell directly, and the upload went through, but it wouldn't execute: the request just hung forever. The hang was not the WAF intercepting; the PHP content was wrong, so it couldn't run normally and stayed stuck there.


So why the error? After a round of fuzzing I found that on this server angle brackets must be closed, otherwise it blows up immediately. It's clearly the same PHP version, and I don't know why it behaves this way. Only the first tag has the problem.

Leave one unclosed and it blows up:

But the two tags at the end can't be removed; they're there to confuse the WAF, and removing them gets you blocked outright.

Things reached a stalemate. At this point uploading a complete shell seemed unrealistic, so let's go step by step: first, see whether commands can be executed at all.

As mentioned, the rules don't allow paired brackets, so even phpinfo can't be executed.


Is it really impossible?

$a =<<< aaassasssasssasssasssasssasssasssasssasssasssassssaa;


This assignment form (heredoc) is a PHP feature for strings that contain both single and double quotes. The name aa is meaningless and can be anything. In some PHP versions nothing else may follow the closing aa, otherwise an error is reported.

Because it would be an error, the WAF doesn't intercept it, so PHP code can be appended after aa;

As it happens, this server executes it:
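A server-side upload gate, written from the defender's side as an added example that is not part of the original post: it takes the last path component for both slash styles (as this Windows server did), refuses the Windows-reserved characters (including the colon, which here emptied the file), enforces the extension allowlist on the final name, and flags PHP open tags or a heredoc operator however many angle brackets precede it, so the three-versus-four bracket difference above no longer matters. The allowlist, the marker regex and the sample inputs are assumptions, not taken from the post.

```python
import re
from typing import Optional

# Constructed allowlist: only these extensions are stored.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Characters Windows rejects in a file name; ':' additionally introduces an NTFS alternate data stream.
WIN_RESERVED = set('<>:"/\\|?*')
# PHP open tags, or a heredoc operator: three OR MORE '<' followed by an optional quote and an identifier.
PHP_MARKERS = re.compile(rb"<\?(php|=)?|<{3,}\s*['\"]?[A-Za-z_]", re.IGNORECASE)


def safe_filename(raw: str) -> Optional[str]:
    """Return the name to store, or None if the upload must be refused."""
    # Normalize both separators and keep only the last component, as the server did.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows silently strips trailing dots and spaces, so strip them before checking the extension.
    name = name.rstrip(". ")
    if not name:
        return None
    if any(ch in WIN_RESERVED or ord(ch) < 32 for ch in name):
        return None
    stem, _, ext = name.rpartition(".")
    # Require a real stem and an allowlisted extension on the name that will actually be written.
    if not stem or ext.lower() not in ALLOWED_EXT:
        return None
    return name


def looks_like_php(content: bytes) -> bool:
    """True if the body carries a PHP open tag or heredoc operator anywhere."""
    return PHP_MARKERS.search(content) is not None


def accept_upload(raw_name: str, content: bytes) -> Optional[str]:
    """Combine both checks; returns the storable name or None."""
    name = safe_filename(raw_name)
    if name is None or looks_like_php(content):
        return None
    return name
```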


Since phpinfo executes, system() should work too.

Uploaded it, and the page just spun again.

Another pitfall here: the double quotes in system() are optional. They're usually used for something like ls -l with a space, while whoami doesn't need them, but here the request kept spinning. It was obviously a syntax error, so I just added them.

A huge pitfall.

Command execution works fine, so try writing a one-liner shell:

Sure enough, blocked.

Try adding a comment:

No problem; visit it:

Spinning again.

I tried it locally and found that the eval one-liner can't be followed by aa; which is another syntax error.

In that case the only option is a bigger trick, the fopen method: write a new file onto the server from a PHP script, so the file content never crosses the traffic-layer WAF.

First write a txt to test the waters. If every character gets through, it's easiest to separate them with comments.

Visit www.php:

No problem, which means our code really was executed.

That makes things much easier: just write out the one-liner.

Unfortunately, plaintext transmission is killed immediately, so the traffic has to be bypassed too.

0x03: Traffic bypass

Traffic bypass is relatively simple: just encode multiple times. Here is a shell that is base64-decoded three times:

However, there was a problem with the AntSword encoder, possibly caused by the multiple encodings; I couldn't find where it went wrong, so I uploaded Behinder (Ice Scorpion) directly instead (it has to be transferred in two parts, using fopen's a mode to append the script together).


Origin blog.csdn.net/zxcvbnmasdflzl/article/details/130128601