IPS bypass techniques
0x00 Background
Wooyun has previously published a number of bypass write-ups, such as bypassing a web application's anti-injection function by using MySQL features, or directly constructing inputs that slip past anti-injection regular expressions. While writing IPS signatures recently, we found that IPS protection can also be bypassed at other layers, and this article summarizes those cases. The description assumes some basic knowledge of the network layer, which is not covered separately here.
PS: these methods do not mean that every IPS can be bypassed.
0x01 Bypass techniques
IPS rule bypass caused by performance optimization
Anyone who has done IPS testing will have heard a question like: what is the vendor's performance at a 90% detection rate? Performance here refers to the usual load-test metrics, such as new connections per second, concurrent connections, and throughput. These metrics are not described here.
From this it is clear that an IPS trades detection effectiveness against performance. First, some basic concepts. The first is the data stream and the session:
In networking there is the concept of the five-tuple: source address, destination address, source port, destination port, and protocol number. Packets with the same five-tuple are considered to belong to the same session. If you open www.wooyun.org in a browser while capturing with Wireshark and then use Follow Stream, you will see the reassembled content of that connection; that is the session, or stream, referred to here.
An IPS usually performs detection on sessions and streams. How does detection over a session work? That requires the second concept: reassembly.
Why reassembly? The maximum length of an Ethernet frame is 1518 bytes, so when we send a large attachment, for example, the data is split into many packets. On the Internet those packets are routed independently and can arrive out of order, so some reach the IPS device earlier and some later. The IPS therefore has to reassemble the packets into the complete data before it can conveniently analyze and extract the content. As shown in the figure:
Now the problem arises. Inspecting the entire content of every data stream would be fine in principle, but the more content is inspected, the more resources are consumed. Most vendors therefore do not inspect every packet of a stream, which raises the question of how much of a stream to inspect. Some products cap the number of packets, others cap the stream size in bytes. Either way it leads to the problem named above: a bypass caused by performance optimization. As shown in the figure:
In this data stream no signature is found in the first several packets, say the first 20. The content after the 20th packet is no longer inspected by the IPS, so a signature that appears in a later packet is never seen by the detection engine.
Exploitation:
For example, when bypassing, we manually change a GET request into a POST and pad the submission with a large amount of data, such as uploading a large file in the POST body. Although the padding is not processed by the server, it is parsed and processed when it passes through the IPS device, and the payload that follows it may thereby slip past IPS detection.
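As an added example (not the article's code), the following Python simulates the inspection-depth problem from a tester's side: it reassembles out-of-order TCP segments of a constructed padded POST and shows that a byte cap equivalent to 20 segments misses a signature that full-stream inspection catches. The host name, path, form field names and segment size are assumptions.

```python
import re

# Signature from the article's example, as a bytes regex (constructed rule).
SIGNATURE = re.compile(rb"search\{[^}]*\}")
SEGMENT_SIZE = 1400  # assumed TCP payload size per segment

def build_segments(padding_len, payload):
    """Constructed HTTP POST whose body is a large padding field followed by the
    payload, cut into (seq, data) TCP segments that arrive out of order."""
    body = b"pad=" + b"A" * padding_len + b"&q=" + payload
    request = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    segments = [(seq, request[seq:seq + SEGMENT_SIZE])
                for seq in range(0, len(request), SEGMENT_SIZE)]
    segments.reverse()  # simulate out-of-order arrival at the sensor
    return segments

def reassemble(segments):
    """Order segments by sequence number and join them; refuse streams with gaps."""
    stream, expected = b"", 0
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq != expected:
            raise ValueError("gap in stream at seq %d" % expected)
        stream += data
        expected += len(data)
    return stream

def inspect(segments, max_bytes=None):
    """True if the signature fires within the first max_bytes of the reassembled
    stream (max_bytes=None inspects the whole stream)."""
    stream = reassemble(segments)
    window = stream if max_bytes is None else stream[:max_bytes]
    return SIGNATURE.search(window) is not None

def blind_spot(max_bytes, padding_len):
    """(full-stream verdict, capped verdict): a (True, False) result means the
    inspection cap has left a blind spot that a padded request falls into."""
    segments = build_segments(padding_len, b"search{abc}")
    return inspect(segments), inspect(segments, max_bytes)

if __name__ == "__main__":
    print("cap 20 segments, 100-byte padding  :", blind_spot(20 * SEGMENT_SIZE, 100))
    print("cap 20 segments, 30000-byte padding:", blind_spot(20 * SEGMENT_SIZE, 30000))
```

Running the script with your sensor's real cap in place of 20 * SEGMENT_SIZE tells you how much padding it takes before a rule goes blind, which is the number to compare against your maximum accepted request size.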
IPS rule bypass through truncation
IPS rules are commonly called IPS signatures. Most of the IPS signatures we have seen are organized by protocol, such as HTTP, SMTP, POP3, TCP, and UDP, and each protocol has its own fields, such as the cookie, header, and message body in HTTP.
These signatures are loaded into memory with a matching algorithm and then matched once the data stream has been parsed. That brings in another basic concept: protocol parsing.
Why protocol parsing? After the reassembly described above, the relevant content is extracted and assigned to protocol variables. For example, once an HTTP stream has been reassembled, the standard HTTP elements such as the cookie, headers, and method are all present. The IPS parses this standard content and assigns each part to a variable such as http_cookie or http_method, and signature matching on the data stream is then performed against these variables. The figure shows the effect:
All kinds of HTTP-related content is parsed. Naturally, the content parsed differs by protocol; for SMTP or plain TCP it will be different.
However, if the programmer does not handle this process carefully, an IPS bypass can result.
For example, suppose the signature for a vulnerability is search{xxxx}, written as a regular expression that needs to match search{} with arbitrary content between the braces. If an attacker submits search{sada%00} and the protocol parser stops at the null byte, as a C string would, the parsed result is search{sada. The closing } is never seen, the regular expression does not match, and the request bypasses the rule.
Encoding bypass of IPS rules
URL encoding can also be used to bypass IPS rules.
An IPS may have several protocol variables for the same protocol. In HTTP, for instance, there may be both a URL-decoded variable and a raw, undecoded one, and a rule written against the wrong one can be bypassed.
When a browser sends a request it URL-encodes the URL, and different browsers encode differently. Chrome encodes a single quote as %27, for example, while IE does not encode it; neither browser encodes plain ASCII letters.
I previously came across an example of this. The signature writer had written the rule against the undecoded protocol variable. If the signature contains the keyword search, we can bypass it by writing search as %73earch: when the packet passes through the IPS device the content is not decoded, so %73earch does not match the rule, but the server decodes it back to search.
So during web testing it can be worth trying to encode a few ASCII letters in the submission; the result may be a pleasant surprise.
Request-method bypass of IPS rules
Common HTTP request methods are GET and POST. Common POST bodies are application/x-www-form-urlencoded and multipart/form-data, the latter often used for file upload. Looking at the source of some CMSs, you often find code like the following, excerpted from DedeCMS (_RunMagicQuotes is defined elsewhere in DedeCMS):

```php
if (!defined('DEDEREQUEST'))
{
    // check and register externally submitted variables
    foreach ($_REQUEST as $_k => $_v)
    {
        if (strlen($_k) > 0 && preg_match('/^(cfg_|GLOBALS)/', $_k))
        {
            exit('Request var not allow!');
        }
    }
    // GET, POST and COOKIE parameters are all registered as globals in the same way
    foreach (array('_GET', '_POST', '_COOKIE') as $_request)
    {
        foreach ($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
    }
}
```
You can see that on the web server it makes no difference whether a parameter arrives via GET, cookie, or POST: the result is the same. An IPS is different. In the various IPSs I have come into contact with, each section of an HTTP request has its own protocol variables, and these are further split into decoded and undecoded versions.
For example, a DedeCMS vulnerability in which the uploadsafe.inc.php interface filters input incorrectly leads to SQL injection on the recommend.php page. The POC circulating on the Internet is usually a URL that can be pasted straight into the browser to obtain the administrator account and password. Because of this, some IPS rules simply match against the decoded HTTP URL.
Changing the submission method here is easy: the POST method bypasses this rule, whether the body is urlencoded or form-data.
If POST is also filtered, encoding the POST content and submitting it again can bypass the rule.
Therefore, when writing a payload, prefer an encoded POST submission; the probability of success is higher.
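As an added example covering the truncation, encoding and request-method sections above (not the article's or DedeCMS's code): a normalization step that extracts every parameter the server's $_REQUEST would see, from the query string, urlencoded and multipart bodies, and cookies, percent-decodes each exactly once and keeps NUL bytes, and only then applies the search{...} rule. The host name, paths and sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_to_bytes

# Signature from the article's example, as a bytes regex (constructed rule).
RULE = re.compile(rb"search\{[^}]*\}")

def parse_request(raw):
    """Split a raw HTTP request into (target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    target = lines[0].split(b" ", 2)[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def parameter_values(raw):
    """Yield (source, value) for each parameter the server's $_REQUEST would expose,
    percent-decoded once (as the server does) with NUL bytes kept, not truncated."""
    target, headers, body = parse_request(raw)
    query = target.partition(b"?")[2]
    for _, value in parse_qsl(query, keep_blank_values=True):  # decodes %xx once
        yield ("query", value)
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        for _, value in parse_qsl(body, keep_blank_values=True):
            yield ("body", value)
    elif ctype.startswith(b"multipart/form-data"):
        boundary = b"--" + ctype.split(b"boundary=")[1]
        for part in body.split(boundary)[1:-1]:  # drop preamble and closing "--"
            yield ("multipart", part.partition(b"\r\n\r\n")[2].rstrip(b"\r\n"))
    for item in filter(None, headers.get(b"cookie", b"").split(b";")):
        yield ("cookie", unquote_to_bytes(item.strip().partition(b"=")[2]))

def matching_sources(raw):
    """Names of the request sections in which the rule fires after normalization."""
    return sorted({src for src, value in parameter_values(raw) if RULE.search(value)})

# Constructed sample requests: the same payload delivered through different channels.
HOST = b"Host: example.test\r\n"
GET_ENCODED = b"GET /search?q=%73earch%7Babc%7D HTTP/1.1\r\n" + HOST + b"\r\n"
GET_NUL = b"GET /search?q=search%7Bab%00c%7D HTTP/1.1\r\n" + HOST + b"\r\n"
POST_FORM = (b"POST /search HTTP/1.1\r\n" + HOST +
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=search%7Babc%7D")
POST_MULTIPART = (b"POST /search HTTP/1.1\r\n" + HOST + b"Content-Type: multipart/form-data; "
                  b"boundary=XYZ\r\n\r\n--XYZ\r\nContent-Disposition: form-data; name=\"q\""
                  b"\r\n\r\nsearch{abc}\r\n--XYZ--\r\n")
COOKIE = b"GET /search HTTP/1.1\r\n" + HOST + b"Cookie: q=search%7Babc%7D\r\n\r\n"
```

Applying RULE to the raw request bytes instead of the decoded values misses GET_ENCODED entirely, which is the undecoded-variable mistake the text describes.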
PS: I previously saw a case on wooyun where a binary file was submitted as obfuscation for a bypass; I could not work out why it worked.
Other methods to bypass IPS rules
1: Modify the Host and User-Agent headers and do not use the default User-Agent; for example, use a custom one or imitate a browser's HTTP header fields. The signatures for sqlmap, for instance, may be written around its User-Agent.
2: Try not to use the POC published on the Internet verbatim; apply character obfuscation and character padding to the controllable parts of the payload.
3: Vary the exploitation path. Take the DedeCMS recommend injection vulnerability, which is caused by the uploadsafe.inc.php interface: that interface is also used by flink.php and other pages. Since the POC circulating online mostly uses recommend.php, going through flink.php may bypass the DedeCMS IPS signature. Similarly, for the well-known dedesql.class.php variable overwrite vulnerability, most online POCs go through download.php, but other pages such as erraddsave.php can be used as well. Using a non-mainstream POC page can likewise bypass IPS signatures, because signatures are generally written against a specific page to avoid false positives.
0x02 Summary
IPS and WAF devices often give up some capability in exchange for performance. For example, I have seen IPS rules that do not support regular expressions; it may be that regular expression matching would greatly affect performance. Giving up such functionality inevitably leads to bypasses of various rules. Users need these protective devices, but they also need to improve their security in other ways, such as patching servers and monitoring the relevant servers in real time.