0X00 Fuzz / brute force
Fuzz dictionaries
1. SecLists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2. FuzzDB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3. Other payloads (may get your IP banned, so use with care)
https://github.com/foospidy/payloads
0X01 Regex bypass
Many WAFs rely on regular-expression matching.
Blacklist detection / bypass
Case: SQL injection
• Step 1:
• Step 2:
• Step 3:
• Step 4:
• Step 5:
• Step 6:
• Step 7:
• Step 8:
• Step 9:
0X02 Obfuscation / encoding
1. Case variation
2. URL encoding
3. Unicode encoding
4. HTML entity encoding
5. Mixed encoding
Obfuscation:
7. Double URL encoding
8. Wildcard usage
9. Dynamic payload generation
10. Junk characters
NOTE: the statements above can break the regex match and so achieve a bypass.
11. Inserting line breaks
12. Undefined variables
TIP: just write any variable name that does not exist, e.g. aaaa, sdayuhjbsad.
13. Tab and newline characters
14. Token breakers (no good translation; it appears to mean closing the quote/bracket context of the SQL injection)
TIP: more payloads can be found in the cheat sheet.
15. Other format obfuscation
Case: IIS
Original request:
Obfuscated request + URL encoding:
TIP: this small script can be used to convert between encodings.
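As an added example (not from the original page or any WAF vendor), the Python below shows why a signature applied to the raw request misses the encoded forms listed above, and how canonicalizing first (bounded rounds of URL and HTML-entity decoding, NFKC normalization, comment and whitespace collapsing) lets one rule cover them. The sample inputs are constructed.

```python
import html
import re
import unicodedata
import urllib.parse

# Constructed sample inputs (not from the page): every entry spells the same
# keyword pair using one of the encoding/obfuscation tricks listed above.
SAMPLES = [
    "UNION SELECT",                            # plain
    "uNiOn SeLeCt",                            # 1. case variation
    "%55%4e%49%4f%4e%20%53%45%4c%45%43%54",    # 2. URL encoding
    "\uff35\uff2e\uff29\uff2f\uff2e \uff33\uff25\uff2c\uff25\uff23\uff34",  # 3. fullwidth Unicode
    "&#85;NION&#x20;SELECT",                   # 4. HTML entity encoding
    "%2555NION%2520SELECT",                    # 7. double URL encoding
    "UNION/**/SELECT",                         # 10. junk characters (inline comment)
    "UNION\r\n\tSELECT",                       # 11./13. newline and tab
]

# A signature written against the raw request: only the literal form matches.
NAIVE_RULE = re.compile(r"UNION SELECT")
# The same intent expressed against the canonical form.
CANONICAL_RULE = re.compile(r"\bunion\b.*\bselect\b")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Peel layered encodings until the value stops changing, then normalize.

    max_rounds bounds the work so a deeply nested payload cannot be used to
    burn CPU; anything still encoded after that is left as-is.
    """
    previous = None
    for _ in range(max_rounds):
        if value == previous:
            break
        previous = value
        value = urllib.parse.unquote(value)   # %xx (a second round handles %25xx)
        value = html.unescape(value)          # &#85; and &#x20;
    value = unicodedata.normalize("NFKC", value)  # fullwidth letters -> ASCII
    value = re.sub(r"/\*.*?\*/", " ", value)      # drop SQL inline comments
    value = re.sub(r"\s+", " ", value)            # tabs/newlines -> one space
    return value.strip().lower()


def naive_match(value: str) -> bool:
    return bool(NAIVE_RULE.search(value))


def canonical_match(value: str) -> bool:
    return bool(CANONICAL_RULE.search(canonicalize(value)))


def evaluate(samples=SAMPLES):
    """Return (naive_hits, canonical_hits) over the sample set."""
    return (sum(map(naive_match, samples)), sum(map(canonical_match, samples)))
```

Running evaluate() on the constructed set yields (1, 8): the raw signature catches only the plain form, the canonicalized rule catches every variant.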
0X04 HTTP parameter pollution
Technique
Below is a comparison of how the relevant servers interpret repeated parameters:
0X05 Browser bugs
Charset bugs:
Example request:
When the site loads, the input is decoded with the UTF-32 charset we set; because the page's output encoding is UTF-8, it is rendered as the following, which triggers the XSS:
Fully URL-encoded payload:
Null bytes
Null bytes are commonly used as string terminators.
Parsing errors
Unicode separators
@Masato Kinugawa found the following after fuzzing:
Example
Replacing with other atypical but equivalent syntax structures
Attack with statements that the WAF developers did not think of.
Some common keywords overlooked by WAF developers:
SQL Operators
The number of 1 bits in a binary number. BIT_COUNT(10): since 10 in binary is 1010, the result is 2.
Example payloads:
JSFuck
JJEncode
XChars.JS
Abusing SSL/TLS ciphers:
Tool: abuse-ssl-bypass-waf
Abusing DNS records:
TIP: some online resources: IP History and DNS Trails
Tool: bypass-firewalls-by-DNS-history
Request header spoofing
Make the WAF believe the request originates from the internal network, so that it does not filter it.
Add the following request headers:
Google Dorks Approach:
Bypasses for known WAFs
Search syntax:
Normal search:
Searching for specific version exploits:
For specific type bypass exploits:
On Exploit DB:
On 0Day Inject0r DB:
On Twitter:
On Pastebin:
Airlock Ergon
AWS
SQLi Bypass by @enkaskal
Barracuda
Cross Site Scripting by @WAFNinja
HTML Injection by @Global-Evolution
XSS Bypass by @0xInfection
Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort
Cerber (WordPress)
Username Enumeration Protection Bypass by HTTP Verb Tampering by @ed0x21son
Protected Admin Scripts Bypass by @ed0x21son
REST API Disable Bypass by @ed0x21son
Citrix NetScaler
SQLi via HTTP Parameter Pollution (NS10.5) by @BGA Security
HTML Injection by @spyerror
XSS Bypass by @c0d3g33k
XSS Bypasses by @Bohdan Korzhynskyi
XSS Bypass by @RakeshMane10
XSS Bypass by @ArbazKiraak
XSS Bypass by @Ahmet Ümit
XSS Bypass by @Shiva Krishna
XSS Bypass by @Brute Logic
XSS Bypass by @RenwaX23 (Chrome only)
RCE Payload Detection Bypass by @theMiddle
Comodo
XSS Bypass by @0xInfection
SQLi by @WAFNinja
DotDefender
Firewall disable by (v5.0) by @hyp3rlinx
Remote Command Execution (v3.8-5) by @John Dos
Persistent XSS (v4.0) by @EnableSecurity
R-XSS Bypass by @WAFNinja
XSS Bypass by @0xInfection
POST - XSS Bypass (v4.02) by @DavidK
Fortinet Fortiweb
Unvalidated XSS by @Benjamin Mejri
CSP Bypass by @Binar10
POST Type Query
GET Type Query
F5 ASM
XSS Bypass by @WAFNinja
F5 BIG-IP
XSS Bypass by @WAFNinja
XSS Bypass by @Aatif Khan
XSS by @NNPoster

POST Based XXE by @Anonymous
Directory Traversal by @Anastasios Monachos
Read Arbitrary File
F5 FirePass
SQLi Bypass from @Anonymous
ModSecurity
RCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1)
RCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1)
RCE Payloads for PL1 and PL2 by @theMiddle (v3.0)
RCE Payloads for PL3 by @theMiddle (v3.0)
SQLi Bypass by @Johannes Dahse (v2.2)
SQLi Bypass by @Yuri Goltsev (v2.2)
SQLi Bypass by @Ahmad Maulana (v2.2)
SQLi Bypass by @Roberto Salgado (v2.2)
SQLi Bypass by @Georgi Geshev (v2.2)
SQLi Bypass by @SQLMap Devs (v2.2)
SQLi Bypass by @HackPlayers (v2.2)
Imperva
Imperva SecureSphere 13 - Remote Command Execution by @rsp3ar
XSS Bypass by @David Y
XSS Bypass by @Emad Shanab
XSS Bypass by @WAFNinja
XSS Bypass by @i_bo0om
XSS Bypass by @c0d3g33k
SQLi Bypass by @DRK1WI
SQLi by @Giuseppe D’Amore
Kona SiteDefender
HTML Injection by @sp1d3rs
XSS Bypass by @Jonathan Bouman
XSS Bypass by @zseano
XSS Bypass by @0xInfection
XSS Bypass by @sp1d3rs
XSS Bypass by @Frans Rosén
XSS Bypass by @Ishaq Mohammed
Profense
GET Type CSRF Attack by @Michael Brooks (>= v.2.6.2)
Turn off Profense Machine
Add a proxy
XSS Bypass by @Michael Brooks (>= v.2.6.2)
XSS Bypass by @EnableSecurity (>= v2.4)
QuickDefense
XSS Bypass by @WAFNinja
Sucuri
Smuggling RCE Payloads by @theMiddle
Obfuscating RCE Payloads by @theMiddle
XSS Bypass by @Luka
XSS Bypass by @Brute Logic
URLScan
Directory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET)
WebARX
Cross Site Scripting by @0xInfection
WebKnight
Cross Site Scripting by @WAFNinja
SQLi by @WAFNinja
XSS Bypass by @Aatif Khan (v4.1)
SQLi Bypass by @ZeQ3uL
Wordfence
XSS Bypass by @Brute Logic
XSS Bypass by @0xInfection
HTML Injection by @Voxel
XSS Exploit by @MustLive (>= v3.3.5)
Other XSS Bypasses
Apache Generic
Writing method type in lowercase by @i_bo0om
IIS Generic
Tabs before method by @i_bo0om

Please keep the source when reprinting: https://51itzy.com/kjqy/173537.html