[求助]分析一个老WAF
2024-4-16 20:21 1242
一个非常老的WAF,在一个古董项目里面发现的,靠正则表达式过滤
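<?php
/*
 * 云体检通用漏洞防护补丁 v1.1 ("cloud check-up" generic vulnerability protection patch)
 * Last updated: 2013-05-25
 * Purpose: regex blacklist against XSS, SQL injection, code execution,
 *          file inclusion and similar high-risk payloads.
 *
 * How it works:
 *  - $url_arr is applied to the raw QUERY_STRING; $args_arr is applied to every
 *    key and value of $_GET, $_POST, $_COOKIE and to the Referer header.
 *  - Each scalar is tested twice, as-is and after urlencode(), with the /i
 *    (case-insensitive) and /s (dot matches newline) modifiers.
 *  - A hit is appended to DOCUMENT_ROOT/log.txt, a fixed message is printed and
 *    the request is terminated with exit().
 *
 * Reviewer notes:
 *  - This is a blacklist: a mitigation, not a substitute for parameterised
 *    queries and context-aware output escaping in the application itself.
 *  - Only the five sources listed above are inspected. Other request headers,
 *    the URL path, a raw/JSON request body and $_FILES metadata are not.
 *  - Values are inspected exactly as PHP decoded them; any decoding the
 *    application performs later (base64, a second urldecode, ...) is invisible here.
 *  - The original compared preg_match() == 1, so a PCRE failure (e.g. the
 *    backtrack limit on a long input against the ".*"-heavy rules) returned
 *    false and silently let the request through. waf_matches() now fails closed.
 *  - In the pasted listing the check() calls inside check_data() and the W_log()
 *    call inside check() appear commented out ("//"); as pasted the dispatcher
 *    would never block anything. They are active here, which is the behaviour
 *    the surrounding discussion describes -- confirm against the deployed copy.
 *  - No closing "?>" tag: stray bytes after it would be sent before header().
 */

// Rules applied to the raw query string only (UTF-7 "+/v8" style and header
// injection via %0a). Pattern bodies are used verbatim; delimiters and the
// "is" modifiers are added in waf_matches().
$url_arr = array(
    'xss' => "\\=\\+\\/v(?:8|9|\\+|\\/)|\\%0acontent\\-(?:id|location|type|transfer\\-encoding)",
);

// Rules applied to every key/value of GET, POST, COOKIE and the Referer.
$args_arr = array(
    'xss'   => "[\\'\\\"\\;\\*\\<\\>].*\\bon[a-zA-Z]{3,15}[\\s\\r\\n\\v\\f]*\\=|\\b(?:expression)\\(|\\<script[\\s\\\\\\/]|\\<\\!\\[cdata\\[|\\b(?:eval|alert|prompt|msgbox)\\s*\\(|url\\((?:\\#|data|javascript)",
    'sql'   => "[^\\{\\s]{1}(\\s|\\b)+(?:select\\b|update\\b|insert(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+into\\b).+?(?:from\\b|set\\b)|[^\\{\\s]{1}(\\s|\\b)+(?:create|delete|drop|truncate|rename|desc)(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+(?:table\\b|from\\b|database\\b)|into(?:(\\/\\*.*?\\*\\/)|\\s|\\+)+(?:dump|out)file\\b|\\bsleep\\([\\s]*[\\d]+[\\s]*\\)|benchmark\\(([^\\,]*)\\,([^\\,]*)\\)|(?:declare|set|select)\\b.*@|union\\b.*(?:select|all)\\b|(?:select|update|insert|create|delete|drop|grant|truncate|rename|exec|desc|from|table|database|set|where)\\b.*(charset|ascii|bin|char|uncompress|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|mid|sub|substring|oct|reverse|right|unhex)\\(|(?:master\\.\\.sysdatabases|msysaccessobjects|msysqueries|sysmodules|mysql\\.db|sys\\.database_name|information_schema\\.|sysobjects|sp_makewebtask|xp_cmdshell|sp_oamethod|sp_addextendedproc|sp_oacreate|xp_regread|sys\\.dbms_export_extension)",
    'other' => "\\.\\.[\\\\\\/].*\\%00([^0-9a-fA-F]|$)|%00[\\'\\\"\\.]",
);

// Wrap the two single-string sources so check_data() can treat every source
// as an array. empty() keeps this quiet when the server variable is unset.
$referer      = empty($_SERVER['HTTP_REFERER']) ? array() : array($_SERVER['HTTP_REFERER']);
$query_string = empty($_SERVER["QUERY_STRING"]) ? array() : array($_SERVER["QUERY_STRING"]);

// Runs at include time: the first matching rule terminates the request.
check_data($query_string, $url_arr);
check_data($_GET, $args_arr);
check_data($_POST, $args_arr);
check_data($_COOKIE, $args_arr);
check_data($referer, $args_arr);

/*
 * Append one line to the block log.
 *
 * @param string $log  Pre-formatted log line (HTML fragments, see check()).
 *
 * NOTE(review): DOCUMENT_ROOT/log.txt sits inside the web root, so every
 * blocked payload (raw and unescaped) is readable by anyone who requests
 * /log.txt. The path is kept so existing deployments keep working, but it
 * should move outside the document root (or go through error_log()) before
 * this file is reused.
 */
function W_log($log) {
    $logpath = $_SERVER["DOCUMENT_ROOT"] . "/log.txt";
    $log_f = fopen($logpath, "a+");
    if ($log_f === false) {
        // Logging is best-effort: an unwritable log must not stop the caller
        // from blocking the request (the original would have fataled here on
        // PHP 8, since fputs(false, ...) is a TypeError).
        return;
    }
    fwrite($log_f, $log . "\r\n");
    fclose($log_f);
}

/*
 * Walk a request array (recursively for nested parameters) and run every
 * key and every scalar value through check().
 *
 * @param array $arr  Superglobal, or one-element wrapper array, to inspect.
 * @param array $v    Rule set: rule name => PCRE pattern body (no delimiters).
 */
function check_data($arr, $v) {
    foreach ($arr as $key => $value) {
        // PHP array keys are always int|string, so the original "recurse on an
        // array key" branch could never run; keys go straight to check().
        check($key, $v);
        if (is_array($value)) {
            check_data($value, $v);
        } else {
            check($value, $v);
        }
    }
}

/*
 * Does $str trip any rule in $rules?
 *
 * The subject is tested both raw and urlencode()'d, so rules written against
 * the encoded form (e.g. "\%0a", "\+") also fire on already-decoded input.
 *
 * @param mixed $str    Scalar to test; coerced to string as preg_match() would.
 * @param array $rules  rule name => PCRE pattern body, wrapped here as "/.../is".
 * @return bool         true if any rule matches OR PCRE could not evaluate a rule.
 *
 * A preg_match() failure (backtrack/recursion limit, malformed pattern) is
 * treated as a match: a filter that cannot evaluate its rules must not wave
 * the request through. The original's "== 1" comparison did exactly that.
 */
function waf_matches($str, $rules) {
    $subject  = (string) $str;
    $subjects = array($subject, urlencode($subject));
    foreach ($rules as $pattern) {
        $regex = "/" . $pattern . "/is";
        foreach ($subjects as $candidate) {
            $result = preg_match($regex, $candidate);
            if ($result === 1 || $result === false) {
                return true;
            }
        }
    }
    return false;
}

/*
 * Block the request if $str matches any rule: log it, print the fixed
 * message and exit(). Returns normally only when nothing matched.
 *
 * @param mixed $str  Key or value taken from the request.
 * @param array $v    Rule set, see check_data().
 */
function check($str, $v) {
    if (!waf_matches($str, $v)) {
        return;
    }
    // strftime() is deprecated since PHP 8.1; date() yields the same text for
    // these numeric specifiers. PHP_SELF is attacker-influenced (PATH_INFO);
    // it is only written to the log here, never echoed back.
    W_log("<br>IP: " . $_SERVER["REMOTE_ADDR"] . "<br>时间: " . date("Y-m-d H:i:s") . "<br>页面:" . $_SERVER["PHP_SELF"] . "<br>提交方式: " . $_SERVER["REQUEST_METHOD"] . "<br>提交数据: " . $str);
    header('Content-type:text/html;charset=utf-8');
    print "您的提交带有不合法参数,谢谢合作";
    exit();
}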
针对 SQL 注入的过滤看起来相当严格：试了 `/**/` 等写法都绕不过 `select...from` 和 `information_schema` 的规则。从规则本身看这并不意外——`select\b` 与 `from\b` 之间用的是 `.+?`，中间塞什么都能匹配；`insert`、`create`、`drop` 等关键字之后的 `(?:(\/\*.*?\*\/)|(\s)|(\+))+` 更是明确把内联注释当作空白处理；而 `information_schema\.` 是按字面量、不区分大小写（`/i`）匹配的，并且原文和 `urlencode()` 之后的形式都会被检查一遍。
i=1 AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=DATABASE())=xxx
对这种基于正则表达式的过滤，有什么办法可以绕过并执行类似上面这条语句的查询？