Tips: from Chicken Captain
At this year's HCTF finals I used this WAF I wrote myself, and our web challenges basically were not hit. The one vulnerability that did get hit was a file inclusion: that check in this WAF was truly rushed, because it only does a simple detection of `..` and `php[35]{0,1}`, so we lost points once on a web challenge through a file inclusion vulnerability. I do not really feel like improving it now; it is a competition-specific WAF whose commercial value is close to zero.
If the web application is built on a framework, deployment is easy: just require the WAF in the rewrite file or the database file. If it is a pile of scattered PHP files there are still ways. If PHP runs under FastCGI (common with Nginx and IIS), add one line to .user.ini (search Baidu for the details; it is the same principle as the .user.ini backdoor). Otherwise you can write a script that forcibly prepends a line to every PHP file; sample script code will be released later. (Apache can of course use .htaccess to forcibly rewrite to the WAF and then back to the original page, but some environments do not have rewriting enabled.)
The specific code is as follows:
```php
<?php
//error_reporting(E_ALL);
//ini_set('display_errors', 1);
/**
 * offline PHP version WAF
 * Author: Fall
 */

/* Check the request method: anything other than GET and POST is blocked and logged. */
if ($_SERVER['REQUEST_METHOD'] != 'POST' && $_SERVER['REQUEST_METHOD'] != 'GET') {
    write_attack_log("METHOD");
}

$url = $_SERVER['REQUEST_URI'];            // the URI to be checked
$data = file_get_contents('php://input');  // the raw POST body, multipart or not
$headers = get_all_headers();              // the request headers

filter_attack_keyword(filter_invisible(urldecode(filter_0x25($url))));   // check the URL, block and log on a hit
filter_attack_keyword(filter_invisible(urldecode(filter_0x25($data))));  // check the POST body, block and log on a hit

/* Simple filtering of the input that passed detection */
foreach ($_GET as $key => $value) {
    $_GET[$key] = filter_dangerous_words($value);
}
foreach ($_POST as $key => $value) {
    $_POST[$key] = filter_dangerous_words($value);
}
foreach ($headers as $key => $value) {
    filter_attack_keyword(filter_invisible(urldecode(filter_0x25($value))));  // check each request header, block and log on a hit
    $_SERVER[$key] = filter_dangerous_words($value);                          // simple filtering
}

/* Collect the HTTP request headers into an array */
function get_all_headers() {
    $headers = array();
    foreach ($_SERVER as $key => $value) {
        if (substr($key, 0, 5) === 'HTTP_') {
            $headers[$key] = $value;
        }
    }
    return $headers;
}

/* Detect truncation and bypasses caused by invisible characters.
   Note: requests carrying Chinese text need a small change here. */
function filter_invisible($str) {
    for ($i = 0; $i < strlen($str); $i++) {
        $ascii = ord($str[$i]);
        if ($ascii > 126 || $ascii < 32) {  // change this range if Chinese text is expected
            if (!in_array($ascii, array(9, 10, 13))) {
                write_attack_log("interrupt");
            } else {
                $str = str_replace(chr($ascii), "", $str);  // strip tab/LF/CR
                $i--;                                        // the string shrank, re-check this index
            }
        }
    }
    $str = str_replace(array("'", "|", ";", ","), "", $str);
    return $str;
}

/* Detect the %25 (double-encoding) bypass caused by the site's own decoding:
   keep replacing %25 with % until no %25 is left. */
function filter_0x25($str) {
    if (strpos($str, "%25") !== false) {
        $str = str_replace("%25", "%", $str);
        return filter_0x25($str);
    } else {
        return $str;
    }
}

/* Attack keyword detection. The special characters were already stripped upstream
   (filter_invisible), so the \b in the regex still matches despite bypass tricks. */
function filter_attack_keyword($str) {
    if (preg_match("/select\b|insert\b|update\b|drop\b|delete\b|dumpfile\b|outfile\b|load_file|rename\b|floor\(|extractvalue|updatexml|name_const|multipoint\(/i", $str)) {
        write_attack_log("sqli");
    }
    // I honestly could not write the file inclusion detection; advice from an expert is welcome...
    if (substr_count($str, $_SERVER['PHP_SELF']) < 2) {
        $tmp = str_replace($_SERVER['PHP_SELF'], "", $str);  // ignore the page's own script path
        if (preg_match("/\.\.|.*\.php[35]{0,1}/i", $tmp)) {
            write_attack_log("lfi/lfr");
        }
    } else {
        write_attack_log("lfi/lfr");
    }
    if (preg_match("/base64_decode|eval\(|assert\(/i", $str)) {
        write_attack_log("EXEC");
    }
    if (preg_match("/flag/i", $str)) {
        write_attack_log("getflag");
    }
}

/* Simply replace the characters that tend to cause trouble with their full-width (Chinese) forms */
function filter_dangerous_words($str) {
    $str = str_replace("'", "’", $str);
    $str = str_replace("\"", "”", $str);
    $str = str_replace("<", "＜", $str);
    $str = str_replace(">", "＞", $str);
    return $str;
}

/* Rebuild the raw HTTP request, i.e. capture the other side's attack payload */
function get_http_raw() {
    $raw = '';
    $raw .= $_SERVER['REQUEST_METHOD'] . ' ' . $_SERVER['REQUEST_URI'] . ' ' . $_SERVER['SERVER_PROTOCOL'] . "\r\n";
    foreach ($_SERVER as $key => $value) {
        if (substr($key, 0, 5) === 'HTTP_') {
            $key = substr($key, 5);
            $key = str_replace('_', '-', $key);
            $raw .= $key . ': ' . $value . "\r\n";
        }
    }
    $raw .= "\r\n";
    $raw .= file_get_contents('php://input');
    return $raw;
}

/* Block the request here and log the attack payload */
function write_attack_log($alert) {
    $data = date("Y/m/d h:i:s") . " -- [" . $alert . "]" . "\r\n" . get_http_raw() . "\r\n\r\n";
    $ffff = fopen('log_is_a_secret_file.txt', 'a');  // log path
    fwrite($ffff, $data);
    fclose($ffff);
    if ($alert == 'getflag') {
        echo "hctf{aaaa}";  // if the request contains the keyword "flag", show a fake flag (2333333)
    } else {
        sleep(15);          // delay 15 seconds before blocking
    }
    exit(0);
}
```
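As an added example (not the original WAF's code), here is a stricter replacement for the file-include check above; it decodes until the input stops changing instead of collapsing only %25, and the `page` parameter and sample inputs are constructed for illustration:

```php
<?php
// Added example (not part of the original WAF): a stricter file-include check
// meant to replace the "/\.\.|.*\.php[35]{0,1}/" test in filter_attack_keyword().
// Like the WAF it decodes before matching, but decodes until the value stops
// changing, so nested %25 encodings collapse without a separate filter_0x25().

/* Decode repeatedly; each pass can only shorten the string, so this terminates. */
function lfi_normalize($s) {
    do {
        $prev = $s;
        $s = urldecode($s);
    } while ($s !== $prev);
    return str_replace('\\', '/', $s);   // treat backslash as a path separator too
}

/* Returns an alert name for include-style input, or null when nothing matched.
   Pass the query string, POST body or a header value, not REQUEST_URI, so the
   page's own "/index.php" path does not trip the .php rule (the WAF strips
   PHP_SELF for the same reason). */
function detect_file_include($s) {
    $n = lfi_normalize($s);
    if (strpos($n, "\0") !== false) {
        return 'nullbyte';    // a NUL byte only makes sense as a truncation attempt
    }
    if (preg_match('#(?<!\.)\.\.(?:/|$)#', $n)) {
        return 'traversal';   // "../" or a trailing ".." after any prefix, but not "..."
    }
    if (preg_match('#\.(php[3457]?|phtml|phps|phar|inc)(?=$|[^a-z0-9_])#i', $n)) {
        return 'phpfile';     // script-like extension in any case, not only .php/.php3/.php5
    }
    return null;
}

/* Constructed sample inputs (hypothetical "page" parameter) with the expected result. */
$samples = array(
    'page=about'                            => null,
    'page=%252e%252e/%252e%252e/secret.txt' => 'traversal',
    'page=index.PHP%00.jpg'                 => 'nullbyte',
    'page=upload/note.phtml'                => 'phpfile',
    'page=changelog...txt'                  => null,
);
foreach ($samples as $input => $expected) {
    $got = detect_file_include($input);
    printf("%-42s %s\n", $input, $got === $expected ? 'ok' : 'MISMATCH');
}
```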
The PHP WAF used at HCTF has an RLFI weakness