MayIKissYou, 2014/12/16
0x00 Background
In the past, Wooyun often published bypass methods such as using MySQL features to get past a web application's anti-injection function, or directly constructing input that slips past an anti-injection regex. While writing IPS signatures recently, I found that IPS protection can also be bypassed from a number of other angles. This post summarizes those angles. Some basic network-level knowledge is involved; it is not described separately here, but it is emphasized where each technique is used.
PS: these methods do not mean that every IPS can be bypassed.
0x01 Bypass techniques
IPS performance optimization leads to IPS rule bypass
Anyone who has done IPS testing has probably heard the question: what performance can a vendor achieve while keeping a 90% detection rate? Performance here generally refers to tests of new connections per second, concurrent connections, throughput and so on; those indicators are not described here.
The point is that an IPS balances detection effectiveness against performance. To explain this, a few basic concepts are needed. The first is data flows and sessions:
A 5-tuple consists of the source IP address, destination IP address, source port, destination port and protocol number. Packets with the same 5-tuple are considered to belong to the same session. If you open www.wooyun.org in a browser, capture the packets with Wireshark and then use Follow Stream, you will find the following content. This is the session and flow being described.
An IPS generally inspects traffic by session and stream. To understand how detection works on a session, a second concept is needed: reassembly.
The maximum length of an Ethernet frame is 1518 bytes, so when we send a large attachment, for example, the data is split into multiple packets. As these packets are routed and forwarded across the Internet they can arrive out of order, so some reach the IPS device earlier and some later. The IPS therefore needs to reassemble the packets, because analysis and content extraction are only convenient on the reassembled data. As shown below:
Now the problem: in principle every byte of every data flow should be inspected, but inspecting everything certainly consumes more resources, and most vendors do not inspect all packets of a flow. So the question becomes: up to what size do you inspect? Some vendors count packets, others use stream size, but both lead to the same problem: bypass caused by performance optimization. As shown below:
Suppose the IPS engine inspects only the first 20 packets of this data flow. Content after the 20th packet is then never examined by the engine.
How to use this:
For example, when attempting a bypass, submit via POST and add a large amount of padding data to the submission, such as uploading a large file in the same POST. Although the server side does not process this padding, the IPS device still has to parse it when the data passes through, and IPS detection may be bypassed.
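As an added illustration (not code from the original post), here is a small Python model of a depth-limited inspection engine. The search{...} signature is a constructed stand-in for a vendor rule, the inspection window is counted in bytes rather than packets, and the hardened verdict flags a flow whose tail was never inspected instead of reporting it as clean.

```python
import re
from typing import Optional

# Constructed signature for a hypothetical vulnerable "search" parameter;
# it stands in for a vendor rule and is not taken from any real product.
RULE = re.compile(rb"search\{[^}]*\}")

def inspect_flow(flow: bytes, window: Optional[int]) -> str:
    """Model an engine that only examines the first `window` bytes of a
    reassembled flow (None = inspect everything). Returns a verdict string."""
    data = flow if window is None else flow[:window]
    if RULE.search(data):
        return "match"
    if window is not None and len(flow) > window:
        # Hardened behaviour: data the engine never looked at is not reported
        # as clean; the flow is flagged so the gap is visible to the operator.
        return "uninspected-tail"
    return "clean"

def build_flow(padding: int, payload: bytes = b"search{sada}") -> bytes:
    """Constructed POST request (test input, not a real capture) whose body
    carries `padding` filler bytes before the parameter the rule targets."""
    body = b"filler=" + b"A" * padding + b"&q=" + payload
    return (b"POST /recommend.php HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    for pad, win in ((0, 1500), (1_000_000, 1500), (1_000_000, None)):
        print(pad, win, inspect_flow(build_flow(pad), win))
```

The same harness can be pointed at a real engine's configured depth to measure how much of a large POST it actually sees.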
Truncation bypasses IPS rules
IPS rules are commonly called IPS signatures. Many signatures are classified by protocol, such as HTTP, SMTP, POP3, TCP and UDP, and each protocol has different fields, such as cookies, headers and message body.
These signatures are loaded into memory by a matching algorithm and then matched after the data stream has been parsed. This brings in another basic concept: protocol parsing.
What is protocol parsing? After the reassembly described above, the relevant content is extracted and assigned to protocol variables. For HTTP, standard fields such as Cookie, headers and method appear in the reassembled data, so the IPS parses them according to the standard and assigns the parsed content to variables such as http_cookie and http_method. With these variables, signature matching can be performed on the data stream. The effect is shown below:
Various HTTP fields are parsed out; different protocols naturally yield different fields, for example SMTP, TCP and so on.
However, if the programmer does not handle this process properly, an IPS bypass occurs.
For example, the signature for a vulnerability is search{XXXX}, written as a regex: search{} must match, with arbitrary content between the braces. An attacker submits search{sada%00}. If the protocol parser truncates the value at the null byte, the parsed content no longer contains the full search{sada%00}, the signature does not match, and the rule is bypassed.
Encoding bypasses IPS rules
URL encoding can also bypass IPS rules.
An IPS may have several protocol variables for the same protocol. For example, HTTP may have both a decoded (url_decode) URL variable and an undecoded one. If the wrong variable is used in a rule, the rule may be bypassed.
Browsers URL-encode data when sending requests, and the encoding differs between browsers. For example, Chrome sends a single quote as %27, while Internet Explorer does not encode single quotes, and no browser encodes plain letters.
Suppose a rule author writes the signature against the undecoded protocol variable, say a signature containing the keyword search. We can bypass the rule by writing search as %73earch: when the packet passes through the IPS device the content is still the undecoded %73earch, which does not match the rule, and when it reaches the server it is decoded back to search.
Therefore, when doing web testing, try percent-encoding some plain letters in what you submit; you may be surprised.
Request method bypasses IPS rules
The common HTTP request methods are GET and POST, and the common POST encodings are application/x-www-form-urlencoded and multipart/form-data, the latter often used for file uploads. If you read the source of some CMS products you will often find code like the following, taken from Dedecms:

    if (!defined('DEDEREQUEST'))
    {
        // Check and register externally submitted variables
        foreach($_REQUEST as $_k=>$_v)
        {
            if( strlen($_k)>0 && preg_match('/^(cfg_|GLOBALS)/',$_k) )
            {
                exit('Request var not allow!');
            }
        }
        // Every GET, POST and COOKIE parameter becomes a global variable
        foreach(Array('_GET','_POST','_COOKIE') as $_request)
        {
            foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
        }
    }
As you can see, GET, cookie and POST submissions have the same effect on the web server, but not on the IPS. In the different IPS products I have worked with, each part of an HTTP request has its own protocol variable, and each of those variables may exist in a decoded or undecoded form.
For example, take the Dedecms vulnerability where faulty filtering in the uploadsafe.inc.php interface lets the recommend.php page be SQL-injected. The PoC circulating online is usually a URL that can be pasted directly into the browser to obtain the administrator account and password, so some IPS rules are written only against the decoded HTTP URL variable.
It is easy to change the submission method here and use POST, either urlencoded or form-data, to bypass such a rule.
If the POST method is found to be filtered, encode the POST content and submit again; there is still a chance of bypass.
Therefore, when writing a payload, submitting it as an encoded POST has a higher probability of success.
PS: there was an earlier case on Wooyun of a binary submission mix-up, but I don't know the reason.
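The three defects above (truncating at %00, matching the undecoded variable, and looking only at the query string) share one fix: decode every parameter source the application reads and match the signature on the decoded values. The following Python is an added example, not Dedecms or any vendor's code; the search{...} rule is a constructed stand-in, the header names are lowercase bytes by assumption, and multipart bodies are left out for brevity.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed signature for a hypothetical vulnerable "search" parameter;
# it stands in for a vendor rule and is not taken from any real product.
RULE = re.compile(rb"search\{[^}]*\}")

def naive_match(target: bytes) -> bool:
    """Rule applied to the undecoded request line only (the weak variant)."""
    return RULE.search(target) is not None

def decode_param(raw: bytes) -> bytes:
    # Full percent-decoding with no truncation: %00 becomes a NUL byte and the
    # rest of the value is kept, so the inspected value matches what PHP sees.
    return unquote_to_bytes(raw.replace(b"+", b" "))

def split_pairs(data: bytes, sep: bytes):
    """Yield decoded (name, value) pairs from a form body or Cookie header."""
    for pair in data.split(sep):
        pair = pair.strip()
        if pair:
            k, _, v = pair.partition(b"=")
            yield decode_param(k), decode_param(v)

def extract_params(target: bytes, headers: dict, body: bytes):
    """Yield (source, name, value) from every place a $_REQUEST-style
    application reads input: query string, urlencoded body and Cookie header."""
    query = target.partition(b"?")[2]
    for k, v in split_pairs(query, b"&"):
        yield "query", k, v
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        for k, v in split_pairs(body, b"&"):
            yield "body", k, v
    for k, v in split_pairs(headers.get(b"cookie", b""), b";"):
        yield "cookie", k, v

def hardened_match(target: bytes, headers: dict, body: bytes) -> list:
    """Rule applied to decoded values from all parameter sources; returns the
    sources that fired so an alert can say where the payload was carried."""
    return sorted({src for src, k, v in extract_params(target, headers, body)
                   if RULE.search(k) or RULE.search(v)})
```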
Other ways to bypass IPS rules
1: Modify Host and User-Agent. Do not use the default User-Agent; use custom or browser-imitating HTTP header fields. For example, sqlmap signatures may be written specifically against its User-Agent.
2: Character obfuscation. Do not use the PoC published online as-is; obfuscate the controllable parts of the payload and pad them with filler characters.
3: Use non-mainstream pages. The vulnerability above is caused by uploadsafe.inc.php, which is also included by pages such as flink.php, so going through flink.php may bypass the Dedecms IPS signature. Likewise, for the dedesql.class.php variable override vulnerability, most PoCs online are based on download.php, but erraddsave.php and other pages can also be used. Using a less common PoC page can bypass the IPS signature, because IPS signatures are generally written against a specific page to avoid false positives.
0x02 Summary
Network defense devices such as IPS and WAF often give up some functionality for the sake of performance. For example, I have seen IPS products whose rules do not support regular expressions, probably because regex matching greatly affects performance. Giving up such functionality inevitably leads to bypasses of various rules. Users who need these protection devices also need to improve their own network security, for example by patching servers and monitoring the relevant servers in real time.