HTTP Parameter Pollution Attack

Two-tier server architecture

The server has two tiers. The front tier is a Tomcat server running the JSP engine; the back tier is an Apache server running the PHP engine, and it is the PHP server that actually provides the service. Workflow: the client's request reaches the Tomcat server first, and Tomcat then forwards the request to the Apache server to fetch the data.

[Figure: two-tier deployment, a Tomcat (JSP) server in front of an Apache (PHP) server]

HTTP Parameter Handling

While interacting with the server, the client often passes parameters in GET or POST requests. Usually a parameter name appears only once in a request, but the HTTP protocol allows the same parameter name to appear several times.

Assume the server in the figure above receives a request such as index.php?id=1&id=2. Tomcat receives the client request first and, when it parses the query, takes the first occurrence of the parameter. Tomcat then forwards the request to Apache, and PHP on Apache takes the last occurrence. Since Apache is the server that actually handles the request, the client gets the result for id=2.

The following table shows how several server stacks resolve a repeated parameter:

web server           parameter acquisition function     value obtained
PHP/Apache           $_GET["par"]                       Last
JSP/Tomcat           Request.getParameter("par")        First
Perl (CGI)/Apache    param("par")                       First
Python/Apache        getvalue("par")                    All (list)
ASP/IIS              Request.QueryString("par")         All (comma-delimited string)

HTTP parameter pollution

If a website performs its input filtering only on the Tomcat tier, the difference in how the two tiers parse a repeated parameter can be used to bypass the WAF check.

Attack payload: index.php?id=-1' union select 1,database(),3--+

The union select ... in this payload is recognized by the Tomcat tier as an attack and the request is blocked. If instead the payload is:

Attack payload: index.php?id=1&id=-1' union select 1,database(),3--+

Tomcat inspects the first id value, which is 1, finds nothing abnormal and forwards the request to Apache. PHP takes the last id value, so the injection reaches the back tier and the WAF is bypassed.

Note that the order of the two occurrences matters: the harmless value has to sit in the position the filtering tier reads and the payload in the position the executing tier reads. With a last-value filter in front of a first-value backend, the payload would have to come first and the harmless value last. A filter that inspects every occurrence of a parameter, rather than the single value its own parser happens to return, is not affected by this trick.
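The following Python script is an added example, not code from the original post. It models the parameter-resolution policies from the table above (first, last, all-as-list, comma-joined) on top of the standard library's parse_qsl, then simulates the two-tier flow just described: a front tier that checks only the first value of id, and a back tier that executes the last one. The request URLs, the parameter name id and the "union select" pattern used by the toy filter are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not taken from any real target).
# The injected value is percent-encoded the way a browser would send it;
# the trailing "+" decodes to a space, which is what "--+" relies on.
BENIGN_URL = "http://example.test/index.php?id=1"
DIRECT_ATTACK_URL = (
    "http://example.test/index.php?id=-1'%20union%20select%201,database(),3--+"
)
HPP_ATTACK_URL = (
    "http://example.test/index.php?id=1&id=-1'%20union%20select%201,database(),3--+"
)

# Value every "union select" payload above decodes to after parsing.
DECODED_INJECTION = "-1' union select 1,database(),3-- "


def parse_query(url):
    """Return the query as an ordered list of (name, value) pairs, keeping duplicates."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def resolve(pairs, name, policy):
    """Pick the value of a repeated parameter the way the stacks in the table do.

    policy: "first" (JSP/Tomcat, Perl CGI), "last" (PHP/Apache),
            "list"  (Python getvalue),       "csv"  (ASP/IIS Request.QueryString).
    Returns None when the parameter is absent.
    """
    values = [v for k, v in pairs if k == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "list":
        return values
    if policy == "csv":
        return ",".join(values)
    raise ValueError(f"unknown policy: {policy}")


# Deliberately simple signature; real WAF rules are broader, this is only
# enough to show which occurrence gets inspected.
SQLI_PATTERN = re.compile(r"union\s+select", re.IGNORECASE)


def naive_filter_blocks(pairs, name):
    """Front-tier (Tomcat-style) check: inspects the first occurrence only."""
    value = resolve(pairs, name, "first")
    return value is not None and bool(SQLI_PATTERN.search(value))


def strict_filter_blocks(pairs, name):
    """Hardened check: inspects every occurrence of the parameter."""
    return any(SQLI_PATTERN.search(v) for v in resolve(pairs, name, "list") or [])


def two_tier_request(url, filter_fn=naive_filter_blocks):
    """Simulate the deployment: the filter runs in front, PHP (last value) executes.

    Returns ("blocked", None) or ("forwarded", <value the back tier will use>).
    """
    pairs = parse_query(url)
    if filter_fn(pairs, "id"):
        return ("blocked", None)
    return ("forwarded", resolve(pairs, "id", "last"))


if __name__ == "__main__":
    for label, url in (("benign", BENIGN_URL),
                       ("direct", DIRECT_ATTACK_URL),
                       ("hpp", HPP_ATTACK_URL)):
        pairs = parse_query(url)
        print(f"{label:7} first={resolve(pairs, 'id', 'first')!r} "
              f"last={resolve(pairs, 'id', 'last')!r}")
        print(f"{'':7} naive front tier -> {two_tier_request(url)}")
        print(f"{'':7} strict front tier -> {two_tier_request(url, strict_filter_blocks)}")
```

Running the script shows the mismatch directly: for the HPP URL the first-value filter sees only "1" and forwards the request, while the last-value back tier receives the injected string. Swapping in the strict filter, which checks every occurrence, blocks both attack URLs and still lets the benign one through.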


Origin blog.csdn.net/weixin_43872099/article/details/104926292