通过字符集编码绕过waf的burp插件
因为小伙伴在实战中有这么个需求(利用字符集编码绕过waf),所以我借着他的这个需求也学习了下burp插件的编写。
使用说明
其实这种方法很早就出来了,但并不通用,感觉也有IIS+ASP.NET的时候可以试一试。测试环境:Windows10 Burp版本:1.7.36 Jython版本:Jython-standalone-2.7.0
-
burp加载Python运行环境(Python)
![利用字符集编码绕过waf的burpsuite插件]( "利用字符集编码绕过waf的burpsuite插件")
-
加载此插件
![利用字符集编码绕过waf的burpsuite插件]( "利用字符集编码绕过waf的burpsuite插件")
-
在burp proxy或repeater等选项卡 中右键开启相关选项
![利用字符集编码绕过waf的burpsuite插件]( "利用字符集编码绕过waf的burpsuite插件")
不通用 Nginx+php No
Apache+php No
IIS+ASP.NET勉强能用
中文无解(比如上传场景)。。。
支持列表如下
| Target | Post (application/x-www-form-urlencoded) |
Note(s) |
|---|---|---|
| Nginx,uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 | [x] query string and body were encoded [x] url-decoded parameters in query string and body afterwards [x] equal sign and ampersand needed to be encoded as well (no url-encoding |
| Nginx,uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 | [x] query string and body were encoded [x] url-encoded parameters in query string and body [x] equal sign and ampersand should not be encoded in any way |
| Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | [x] query string in its original format (not encoded – could be url- encoded as usual) [x] equal sign and ampersand should not be encoded in any way [x] body could be sent with/without url-encoding |
| Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | [x] query string in its original format (not encoded) [x] equal sign and ampersand should not be encoded [x] body could be sent with/without url-encoding |
| Apache -PHP5(mod_php & FastCGI) | None | N/A |
| IIS8-PHP7.1-FastCGI | None | N/A |
| IIS6, 7.5, 8, 10 -ASP Classic | None | N/A |
| IIS6, 7.5, 8, 10 -ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 | [x] query string and body were encoded [x] equal sign and ampersand should not be encoded [x] body could be sent with/without url-encoding |
参考资料
https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/
食用说明
开袋不即食,需要蘸着jython吃
作者:GuoKerS
转载于:https://github.com/GuoKerS/Charset_encoding-Burp
本文始发于微信公众号(HACK之道):利用字符集编码绕过waf的burpsuite插件
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论