banner
毅种循环

毅种循环

请将那贻笑罪过以逐字吟咏 如对冰川投以游丝般倾诉

shiro-waf-bypass

This shiro has a WAF, and the specific situation is that the key can be found, but the chain cannot be found.

image.png

When the key exists but the chain cannot be found, capture the request to see.

The bypass ideas I know about shiro are the length of the rememberMe cookie and dirty data padding. The WAF will decrypt the rememberMe cookie and check for malicious behavior after decryption. The bypass strategy is to prevent the cookie from being decrypted. Since shiro's encryption and decryption method uses base64+aes, you only need to add certain special characters in the payload to bypass the WAF. The available characters are !, @, # (as long as they do not appear in the possible characters of BASE encoding).

First, detect the WAF rules#

image.png

This is the request packet sent when probing the chain, and it is a GET request.

There is no echo.

image.png

rememberMe exists, and rememberMe=deleteMe also exists.

So one thing can be determined, the WAF does intercept the cookie length.

There are ways to reduce the payload length, but I don't know how to do it. You can refer to this project: https://xz.aliyun.com/t/10824

Fill with dirty characters#

image.png

There is still no echo after filling with dirty characters.

Unknown HTTP method to bypass WAF#

Modify the GET request method for testing.

Finally, modify the request to XXX to execute successfully.
image.png

image.png

Note:#

At first, the unknown request was not allowed, and it was still intercepted by the WAF. The recognized WAF characteristics at the beginning were:

  1. Intercepting cookies with long data

  2. Intercepting pure POST

At that time, I successfully bypassed it using pseudo-protocols. I can try more in the future. The main idea is the process of fuzzing.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.