# Kupitisha Kinga za Proksi / WAF

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

{% embed url="https://websec.nl/" %} ## Kupitisha Sheria za ACL za Nginx kwa Kupotosha Jina la Njia Mbinu [kutoka kwa utafiti huu](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies). Mfano wa sheria ya Nginx: ```plaintext location = /admin { deny all; } location = /admin/ { deny all; } ``` ### Kuzuia Bypasses Ili kuzuia kuzidi, Nginx hufanya upanuzi wa njia kabla ya kuikagua. Hata hivyo, ikiwa seva ya nyuma inafanya upanuzi tofauti (kuondoa herufi ambazo nginx haiondoi) inaweza kuwa inawezekana kuzidi ulinzi huu. ### **NodeJS - Express** | Toleo la Nginx | **Herufi za Kuzidi za Node.js** | | ------------- | ----------------------------- | | 1.22.0 | `\xA0` | | 1.21.6 | `\xA0` | | 1.20.2 | `\xA0`, `\x09`, `\x0C` | | 1.18.0 | `\xA0`, `\x09`, `\x0C` | | 1.16.1 | `\xA0`, `\x09`, `\x0C` | ### **Flask** | Toleo la Nginx | **Herufi za Kuzidi za Flask** | | ------------- | -------------------------------------------------------------- | | 1.22.0 | `\x85`, `\xA0` | | 1.21.6 | `\x85`, `\xA0` | | 1.20.2 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` | | 1.18.0 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` | | 1.16.1 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` | ### **Spring Boot** | Toleo la Nginx | **Herufi za Kuzidi za Spring Boot** | | ------------- | --------------------------------- | | 1.22.0 | `;` | | 1.21.6 | `;` | | 1.20.2 | `\x09`, `;` | | 1.18.0 | `\x09`, `;` | | 1.16.1 | `\x09`, `;` | ### **PHP-FPM** Mipangilio ya Nginx FPM: ```plaintext location = /admin.php { deny all; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.1-fpm.sock; } ``` Nginx imeboreshwa kuzuia ufikiaji wa `/admin.php` lakini inawezekana kuidanganya kwa kufikia `/admin.php/index.php`. ### Jinsi ya kuzuia ```plaintext location ~* ^/admin { deny all; } ``` ## Kudukua Sheria za Mod Security ### Kuchanganyikiwa kwa Njia [Katika chapisho hili](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) imeelezwa kuwa ModSecurity v3 (hadi 3.0.12), **ilitekelezwa vibaya kwenye kipengele cha `REQUEST_FILENAME`** ambacho kilipaswa kuwa na njia iliyofikiwa (mpaka mwanzo wa vigezo). Hii ni kwa sababu ilifanya URL decode kupata njia.\ Hivyo, ombi kama `http://example.com/foo%3f';alert(1);foo=` katika mod security litadhani kuwa njia ni `/foo` kwa sababu `%3f` inabadilishwa kuwa `?` ikimaliza njia ya URL, lakini kwa kweli njia ambayo seva itapokea itakuwa `/foo%3f';alert(1);foo=`. Vipengele `REQUEST_BASENAME` na `PATH_INFO` pia vilikuwa vimeathiriwa na kosa hili. Kitu kama hicho kilitokea katika toleo la 2 la Mod Security ambalo liliruhusu kudukua ulinzi uliokuwa unazuia mtumiaji kupata faili zenye viendelezi maalum vinavyohusiana na faili za nakala za akiba (kama vile `.bak`) kwa kutuma tu dot URL iliyokodishwa katika `%2e`, kwa mfano: `https://example.com/backup%2ebak`. ## Kudukua AWS WAF ACL ### Kichwa Kilichoharibika [Utafiti huu](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) unataja kuwa ilikuwa inawezekana kudukua sheria za AWS WAF zilizotumika kwenye vichwa vya HTTP kwa kutuma kichwa "kilichoharibika" ambacho hakikuwa kimechambuliwa ipasavyo na AWS lakini kilikuwa na seva ya nyuma. Kwa mfano, kutuma ombi lifuatalo lenye sindano ya SQL kwenye kichwa X-Query: ```http GET / HTTP/1.1\r\n Host: target.com\r\n X-Query: Value\r\n \t' or '1'='1' -- \r\n Connection: close\r\n \r\n ``` Ilionekana kuwa inawezekana kudukua AWS WAF kwa sababu haingeweza kuelewa kuwa mstari ufuatao ni sehemu ya thamani ya kichwa wakati server ya NODEJS ilifanya (hii ilisuluhishwa). ## Marejeo * [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) * [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)

{% embed url="https://websec.nl/" %}

Jifunze kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**swagi rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.