The Zhichuang professional website firewall can be bypassed in some web environments
Detailed description: with the emergence of all kinds of tools, web vulnerabilities are easy to exploit, many web programmers do not know every class of web vulnerability well, and training them is expensive. Some sites therefore rely on third-party products to make the site as secure as possible. To stay compatible with every web environment, such products generally protect at the network layer, in the manner of a WAF; the Zhichuang firewall is one such product. In theory this protection is very good: even if the back-end program has many vulnerabilities, the attack request is intercepted by the WAF at the network layer before the vulnerability is ever triggered.
However, a WAF is itself just a set of rules. If no rule matches, the request is let through, and any case the rules fail to account for becomes a bypass.
Others have already summarized many such cases, so they are not repeated here. This article uses the way IIS URL-decodes the parameter string following an .asp file to bypass the Zhichuang firewall.
Construct the following request:
http://www.51qljr.com/xinxi/shownews.asp?id=%28-575%29UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,16,17,18%20from%28admin%29%29
The following page is returned:
This indicates that the injection was intercepted.
Therefore, construct the following request:
http://www.51qljr.com/xinxi/shownews.asp?id=%28-575%29UNION%20%28SEL%E%CT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%28admin%29%29
The following page is returned:
Bypassed successfully. Here SEL%E%CT takes the place of select. Simply put, this network-layer WAF does not URL-decode SEL%E%CT before matching, so SEL%E%CT never matches the select rule; when the request reaches asp.dll, however, its URL decoding turns SEL%E%CT into select.
The ASP program therefore queries the database with select, and the injection succeeds. I don't know...
Summary:
When asp.dll URL-decodes the parameter string that follows the .asp file name, it directly drops 09-0d (09 is tab, 0d is carriage return), 20 (space), and any % for which one or both of the following two characters is not a hexadecimal digit.
Therefore any network-layer protection whose built-in rules are longer than two characters can be bypassed. If the built-in rule is ..., .%. can be used to bypass it.
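As an added example, not part of the original report, the following canonicalizer reproduces the asp.dll decoding behaviour described above so that a WAF can match its rules against what asp.dll will actually see rather than against the raw bytes; the keyword list and the sample request are constructed for the example, and the handling of decoded bytes is an assumption noted in the code.

```python
import re

# Bytes the report says asp.dll drops from the raw parameter string: 0x09-0x0d and 0x20.
DROPPED = set(range(0x09, 0x0E)) | {0x20}
HEX = frozenset(b"0123456789abcdefABCDEF")

def asp_dll_decode(raw: bytes) -> bytes:
    """Canonicalize a query string the way the report describes asp.dll doing it:
    %XX with two hex digits is decoded; a '%' not followed by two hex digits is
    silently dropped (so SEL%E%CT becomes SELECT); raw bytes 0x09-0x0d/0x20 are dropped.
    Assumption: decoded bytes are kept as-is, since the report's own request relies
    on %20 surviving as a space."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b == 0x25:  # '%'
            if i + 2 < n and raw[i + 1] in HEX and raw[i + 2] in HEX:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
            else:
                i += 1  # malformed escape: the '%' vanishes
            continue
        if b not in DROPPED:
            out.append(b)
        i += 1
    return bytes(out)

# Toy rule set standing in for the firewall's signatures (constructed for this example).
KEYWORDS = re.compile(rb"select|union|from", re.IGNORECASE)

def keywords_in(s: bytes) -> set:
    return {m.group(0).lower() for m in KEYWORDS.finditer(s)}

def inspect(raw: bytes) -> dict:
    """Run the rules over both the raw string and its asp.dll canonical form.
    Anything the canonical form matches but the raw string does not was hidden
    by encoding, which is exactly the gap the bypass above exploits."""
    canon = asp_dll_decode(raw)
    raw_hits, canon_hits = keywords_in(raw), keywords_in(canon)
    return {"canonical": canon, "block": bool(canon_hits), "hidden": canon_hits - raw_hits}

if __name__ == "__main__":
    # Constructed request mimicking the report's shape; not the report's URL.
    print(inspect(b"id=%28-1%29UNION%20%28SEL%E%CT%201,2%20from%28t%29%29"))
```

Matching on the canonical form closes the gap for every rule longer than two characters, not only for select, because the stray % is removed before the rule ever runs.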
Detailed analysis: http://www.bkjia.com/Article/201209/153591.html