记一次刨根问底的HTTP包WAF绕过

记一次刨根问底的HTTP包WAF绕过

一:具体的包

POST /sql/post.php HTTP/1.1
Host: 192.168.1.72
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.76
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.76/sql.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=--------1721837650
Content-Length: 156


----------1721837650
Content-Disposition: form-data; name="name\"; filename=";name='username'"
Content-Type: image/jpeg

admin
----------1721837650--

首先他是一个from-data的参数传递。并不上文件上传。因为\ 把双引号给注释起来了。然后name=”name; filename=”;

然后另外一个是name=’username’

猜测。两个只会选择最后一个进行参数传递。

二、Fastcgi 了解

https://segmentfault.com/a/1190000016901718

然后两台机器 WEB 192.168.1.72 PHP 192.168.1.70

PHP 服务器开启php-fpm 端口

WEB服务器通过192.168.1.70:9000 去连接PHP

然后进行抓包。 PHP 服务器抓WEB服务器发过来的包

tcpdump  src host  192.168.1.72 -w qq.cap

看看FastCgi 具体的一个from-data 的内容

.........................&SCRIPT_FILENAME/www/wwwroot/192.168.1.72/sql/post.php..QUERY_STRING..REQUEST_METHODPOST.0CONTENT_TYPEmultipart/form-data; boundary=--------1721837650..CONTENT_LENGTH156.
SCRIPT_NAME/sql/post.php.
REQUEST_URI/sql/post.php.
DOCUMENT_URI/sql/post.php
.DOCUMENT_ROOT/www/wwwroot/192.168.1.72..SERVER_PROTOCOLHTTP/1.1..REQUEST_SCHEMEhttp..GATEWAY_INTERFACECGI/1.1..SERVER_SOFTWAREnginx/1.18.0..REMOTE_ADDR192.168.1.75..REMOTE_PORT59676..SERVER_ADDR192.168.1.72..SERVER_PORT80..SERVER_NAME192.168.1.72..REDIRECT_STATUS200.&SCRIPT_FILENAME/www/wwwroot/192.168.1.72/sql/post.php.
SCRIPT_NAME/sql/post.php    .PATH_INFO  .HTTP_HOST192.168.1.72. HTTP_CACHE_CONTROLmax-age=0..HTTP_UPGRADE_INSECURE_REQUESTS1..HTTP_ORIGINhttp://192.168.1.76.sHTTP_USER_AGENTMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36.....HTTP_ACCEPTtext/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9..HTTP_REFERERhttp://192.168.1.76/sql.html.
HTTP_ACCEPT_ENCODINGgzip, deflate..HTTP_ACCEPT_LANGUAGEzh-CN,zh;q=0.9..HTTP_CONNECTIONclose.0HTTP_CONTENT_TYPEmultipart/form-data; boundary=--------1721837650..HTTP_CONTENT_LENGTH156.....................
----------1721837650
Content-Disposition: form-data; name="name\"; filename=";name='username'"
Content-Type: image/jpeg

admin
----------1721837650--............

看到流量包的时候,感觉之前的东西是错了。前期和Yukion 师傅一直感觉是Nginx 做了处理,现在才明白其实最终是PHP进行了处理

三、Params 数据包参数整理

对于Fastcgi 协议。前面的文章介绍的很全了。

那么fastcgi 传递到PHP中PHP 是怎么处理的

参考文章:https://segmentfault.com/a/1190000016868502

从该文件中得到了具体的答案:

对于multipart/form-data,post_handler是rfc1867_post_handler。
由于它的代码过长,这里不再贴代码了。由于在body信息读取阶段,
钩子的post_reader是空,
所以rfc1867_post_handler会一边做FCGI_STDIN数据包的读取,
一边做解析存储工作,
最终将数据包中的key-value对存储到PG(http_globals)[0]中。
另外,该函数还会对上传的文件进行处理,有兴趣的同学可以读下这个函数。

四、函数跟踪

打开github

https://github.com/php/php-src/search?q=ALLOC_HASHTABLE

搜索rfc1867_post_handler


找到具体的函数实现方法

SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
{
    char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
    char *lbuf = NULL, *abuf = NULL;
    zend_string *temp_filename = NULL;
    int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
    size_t array_len = 0;
    int64_t total_bytes = 0, max_file_size = 0;
    int skip_upload = 0, anonindex = 0, is_anonymous;
    HashTable *uploaded_files = NULL;
    multipart_buffer *mbuff;
    zval *array_ptr = (zval *) arg;
    int fd = -1;
    zend_llist header;
    void *event_extra_data = NULL;
    unsigned int llen = 0;
    int upload_cnt = INI_INT("max_file_uploads");
    const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
    php_rfc1867_getword_t getword;
    php_rfc1867_getword_conf_t getword_conf;
    php_rfc1867_basename_t _basename;
    zend_long count = 0;

    if (php_rfc1867_encoding_translation() && internal_encoding) {
        getword = php_rfc1867_getword;
        getword_conf = php_rfc1867_getword_conf;
        _basename = php_rfc1867_basename;
    } else {
        getword = php_ap_getword;
        getword_conf = php_ap_getword_conf;
        _basename = php_ap_basename;
    }

    if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
        sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
        return;
    }

    /* Get the boundary */
    boundary = strstr(content_type_dup, "boundary");
    if (!boundary) {
        int content_type_len = (int)strlen(content_type_dup);
        char *content_type_lcase = estrndup(content_type_dup, content_type_len);

        php_strtolower(content_type_lcase, content_type_len);
        boundary = strstr(content_type_lcase, "boundary");
        if (boundary) {
            boundary = content_type_dup + (boundary - content_type_lcase);
        }
        efree(content_type_lcase);
    }

    if (!boundary || !(boundary = strchr(boundary, '='))) {
        sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
        return;
    }

    boundary++;
    boundary_len = (int)strlen(boundary);

    if (boundary[0] == '"') {
        boundary++;
        boundary_end = strchr(boundary, '"');
        if (!boundary_end) {
            sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
            return;
        }
    } else {
        /* search for the end of the boundary */
        boundary_end = strpbrk(boundary, ",;");
    }
    if (boundary_end) {
        boundary_end[0] = '\0';
        boundary_len = boundary_end-boundary;
    }

    /* Initialize the buffer */
    if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
        sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
        return;
    }

    /* Initialize $_FILES[] */
    zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);

    ALLOC_HASHTABLE(uploaded_files);
    zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
    SG(rfc1867_uploaded_files) = uploaded_files;

    if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
        /* php_auto_globals_create_files() might have already done that */
        array_init(&PG(http_globals)[TRACK_VARS_FILES]);
    }

    zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);

    if (php_rfc1867_callback != NULL) {
        multipart_event_start event_start;

        event_start.content_length = SG(request_info).content_length;
        if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
            goto fileupload_done;
        }
    }

    while (!multipart_buffer_eof(mbuff))
    {
        char buff[FILLUNIT];
        char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
        size_t blen = 0, wlen = 0;
        zend_off_t offset;

        zend_llist_clean(&header);

        if (!multipart_buffer_headers(mbuff, &header)) {
            goto fileupload_done;
        }

        if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
            char *pair = NULL;
            int end = 0;

            while (isspace(*cd)) {
                ++cd;
            }

            while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
            {
                char *key = NULL, *word = pair;

                while (isspace(*cd)) {
                    ++cd;
                }

                if (strchr(pair, '=')) {
                    key = getword(mbuff->input_encoding, &pair, '=');

                    if (!strcasecmp(key, "name")) {
                        if (param) {
                            efree(param);
                        }
                        param = getword_conf(mbuff->input_encoding, pair);
                        if (mbuff->input_encoding && internal_encoding) {
                            unsigned char *new_param;
                            size_t new_param_len;
                            if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
                                efree(param);
                                param = (char *)new_param;
                            }
                        }
                    } else if (!strcasecmp(key, "filename")) {
                        if (filename) {
                            efree(filename);
                        }
                        filename = getword_conf(mbuff->input_encoding, pair);
                        if (mbuff->input_encoding && internal_encoding) {
                            unsigned char *new_filename;
                            size_t new_filename_len;
                            if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
                                efree(filename);
                                filename = (char *)new_filename;
                            }
                        }
                    }
                }
                if (key) {
                    efree(key);
                }
                efree(word);
            }

            /* Normal form variable, safe to read all data into memory */
            if (!filename && param) {
                size_t value_len;
                char *value = multipart_buffer_read_body(mbuff, &value_len);
                size_t new_val_len; /* Dummy variable */

                if (!value) {
                    value = estrdup("");
                    value_len = 0;
                }

                if (mbuff->input_encoding && internal_encoding) {
                    unsigned char *new_value;
                    size_t new_value_len;
                    if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
                        efree(value);
                        value = (char *)new_value;
                        value_len = new_value_len;
                    }
                }

                if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
                    if (php_rfc1867_callback != NULL) {
                        multipart_event_formdata event_formdata;
                        size_t newlength = new_val_len;

                        event_formdata.post_bytes_processed = SG(read_post_bytes);
                        event_formdata.name = param;
                        event_formdata.value = &value;
                        event_formdata.length = new_val_len;
                        event_formdata.newlength = &newlength;
                        if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
                            efree(param);
                            efree(value);
                            continue;
                        }
                        new_val_len = newlength;
                    }
                    safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
                } else {
                    if (count == PG(max_input_vars) + 1) {
                        php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
                    }

                    if (php_rfc1867_callback != NULL) {
                        multipart_event_formdata event_formdata;

                        event_formdata.post_bytes_processed = SG(read_post_bytes);
                        event_formdata.name = param;
                        event_formdata.value = &value;
                        event_formdata.length = value_len;
                        event_formdata.newlength = NULL;
                        php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
                    }
                }

                if (!strcasecmp(param, "MAX_FILE_SIZE")) {
                    max_file_size = strtoll(value, NULL, 10);
                }

                efree(param);
                efree(value);
                continue;
            }

            /* If file_uploads=off, skip the file part */
            if (!PG(file_uploads)) {
                skip_upload = 1;
            } else if (upload_cnt <= 0) {
                skip_upload = 1;
                sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
            }

            /* Return with an error if the posted data is garbled */
            if (!param && !filename) {
                sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
                goto fileupload_done;
            }

            if (!param) {
                is_anonymous = 1;
                param = emalloc(MAX_SIZE_ANONNAME);
                snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
            } else {
                is_anonymous = 0;
            }

            /* New Rule: never repair potential malicious user input */
            if (!skip_upload) {
                long c = 0;
                tmp = param;

                while (*tmp) {
                    if (*tmp == '[') {
                        c++;
                    } else if (*tmp == ']') {
                        c--;
                        if (tmp[1] && tmp[1] != '[') {
                            skip_upload = 1;
                            break;
                        }
                    }
                    if (c < 0) {
                        skip_upload = 1;
                        break;
                    }
                    tmp++;
                }
                /* Brackets should always be closed */
                if(c != 0) {
                    skip_upload = 1;
                }
            }

            total_bytes = cancel_upload = 0;
            temp_filename = NULL;
            fd = -1;

            if (!skip_upload && php_rfc1867_callback != NULL) {
                multipart_event_file_start event_file_start;

                event_file_start.post_bytes_processed = SG(read_post_bytes);
                event_file_start.name = param;
                event_file_start.filename = &filename;
                if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
                    temp_filename = NULL;
                    efree(param);
                    efree(filename);
                    continue;
                }
            }

            if (skip_upload) {
                efree(param);
                efree(filename);
                continue;
            }

            if (filename[0] == '\0') {
#if DEBUG_FILE_UPLOAD
                sapi_module.sapi_error(E_NOTICE, "No file uploaded");
#endif
                cancel_upload = UPLOAD_ERROR_D;
            }

            offset = 0;
            end = 0;

            if (!cancel_upload) {
                /* only bother to open temp file if we have data */
                blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
#if DEBUG_FILE_UPLOAD
                if (blen > 0) {
#else
                /* in non-debug mode we have no problem with 0-length files */
                {
#endif
                    fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK);
                    upload_cnt--;
                    if (fd == -1) {
                        sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
                        cancel_upload = UPLOAD_ERROR_E;
                    }
                }
            }

            while (!cancel_upload && (blen > 0))
            {
                if (php_rfc1867_callback != NULL) {
                    multipart_event_file_data event_file_data;

                    event_file_data.post_bytes_processed = SG(read_post_bytes);
                    event_file_data.offset = offset;
                    event_file_data.data = buff;
                    event_file_data.length = blen;
                    event_file_data.newlength = &blen;
                    if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
                        cancel_upload = UPLOAD_ERROR_X;
                        continue;
                    }
                }

                if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
                    sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
                    cancel_upload = UPLOAD_ERROR_A;
                } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
#if DEBUG_FILE_UPLOAD
                    sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %" PRId64 " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
                    cancel_upload = UPLOAD_ERROR_B;
                } else if (blen > 0) {
#ifdef PHP_WIN32
                    wlen = write(fd, buff, (unsigned int)blen);
#else
                    wlen = write(fd, buff, blen);
#endif

                    if (wlen == (size_t)-1) {
                        /* write failed */
#if DEBUG_FILE_UPLOAD
                        sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
#endif
                        cancel_upload = UPLOAD_ERROR_F;
                    } 

本文来源于: https://xz.aliyun.com/t/9432

相关推荐

Burpsuite新手教程(一)Burpsuite在各场景下的抓包应用

1.网页抓包 1.1 火狐浏览器抓包 环境需求: 火狐浏览器 代理插件 (1) 打开测试工具BurpSuite,默认工具拦截功能是开启的,颜色较深,我们点击取消拦截。 下图取消拦截状态,数据包可以自由通过: (2) 按下图顺序点击选显卡

Internal System wp2021hfctf

代码审计 const express = require('express') const router = express.Router() const axios = require('axios') const isIp = requ

58集团白盒代码审计系统建设实践2:深入理解SAST

背景 源代码安全检测是安全开发流程(SDL)中非常重要的一部分,在58集团的CI/CD流程中每天有数千次量级的构建及发布,白盒检测的自动化能力显得极为重要。企业级的白盒代码审计系统就不仅仅面临漏洞发现的需求,也需要适应企业CI/CD流程。由

cs bypass卡巴斯基内存查杀 2

cs bypass卡巴斯基内存查杀 上次看到yansu大佬写了一篇cs bypass卡巴斯基内存查杀,这次正好有时间我也不要脸的跟跟风,所以同样发在先知社区 yansu大佬是通过对cs的特征进行bypass,这次让我们换一种思路,尝试从另一

浅谈XSS

XSS漏洞 绕过推荐 XSS绕过可以看看该文章:XSS过滤绕过速查表 0.介绍 跨站攻击,即Cross Site Script Execution(通常简写为XSS),是前端的漏洞,产生在浏览器一端的漏洞。它是指攻击者在网页中嵌入客户端脚本

CVE-2021-21975&CVE-2021-21983 VMware vRealize SSRF、任意文件上传漏洞分析

CVE-2021-21975 漏洞复现 漏洞分析 位于casa/WEB-INF/classes/com/vmware/ops/casa/api/ClusterDefinitionController.class有一个路由/nodes/thu

记一次对某收费协同办公系统的审计(.Net审计)

概述 这系统是二、三月份的时候朋友发我的,叫我审计一下,大概看了一下漏洞挺多的,引擎搜索了一下发现没人报出来,但应该不少人知道了,以为只是一个小型的系统,但没想到关键字一查有1W多个,算中型了,由于是收费的系统,不好透露,怕厂商警告,这里简

ThinkPHP3.2.3 反序列化&sql注入漏洞分析

ThinkPHP3.2.3 反序列化&sql注入漏洞分析 环境 php5.6.9 thinkphp3.2.3 漏洞分析 首先全局搜索 __destruct,这里的 $this->img 可控,可以利用其来调用 其他类的destroy() 方

网络层ICMP隧道研究

网络层ICMP隧道研究 [TOC] ICMP隧道概念 介绍:ICMP协议常用于我们判断网络是否可达的ping命令,它不同于其他通讯协议的地方在于:它在进行通讯时不需要开放端口,并且计算机防火墙不会屏蔽ping数据包,实现不受限制的网络访问。

test

测试

大数据框架Hue命令执行技巧

目前大数据是一个流行趋势,多数企业采用开源大数据框架来处理复杂的大体量数据,大数据管理平台Hue 是一个Web应用,用来简化用户和Hadoop集群的交互,技术架构从总体上来讲采用的是B/S架构,该web应用的后台采用python编程语言编写