Category: Seay Information Security Blog
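The commonly used URL encodings are UTF (%xx%xx) and hexadecimal encoding (%xx). Most IDSs and WAFs recognize and decode both, and only then apply their regular-expression matching. The IIS web server, however, supports one more, non-standard encoding in addition to these two: the %u encoding (%uxxxx) discussed here. See the original article for more detail. It has to be said that some techniques never get old; what matters is whether you still care about them. In other words, a request for abc.as%u0070 is actually a request for abc.asp. In an IIS environment this therefore works as a bypass method, if your WAF cannot tell the difference.
Below is a modified Ruby script that converts characters to the %u encoding described above.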
```ruby
require 'uri'

# Convert every character of a string to its %uXXXX form.
def unicode_url(string)
  lookuptable = {
    ' ' => '%u0020', '/' => '%u002f', '\\' => '%u005c', "'" => '%u0027',
    '"' => '%u0022', '>' => '%u003e', '<' => '%u003c', '#' => '%u0023',
    '!' => '%u0021', '$' => '%u0024', '*' => '%u002a', '@' => '%u0040',
    '.' => '%u002e', '_' => '%u005f', # underscore is U+005F
    '(' => '%u0028', ')' => '%u0029', ',' => '%u002c', '%' => '%u0025',
    '-' => '%u002d', ';' => '%u003b', ':' => '%u003a', '|' => '%u007c',
    '&' => '%u0026', '+' => '%u002b', '=' => '%u003d',
    'a' => '%u0061', 'A' => '%u0041', 'b' => '%u0062', 'B' => '%u0042',
    'c' => '%u0063', 'C' => '%u0043', 'd' => '%u0064', 'D' => '%u0044',
    'e' => '%u0065', 'E' => '%u0045', 'f' => '%u0066', 'F' => '%u0046',
    'g' => '%u0067', 'G' => '%u0047', 'h' => '%u0068', 'H' => '%u0048',
    'i' => '%u0069', 'I' => '%u0049', 'j' => '%u006a', 'J' => '%u004a',
    'k' => '%u006b', 'K' => '%u004b', 'l' => '%u006c', 'L' => '%u004c',
    'm' => '%u006d', 'M' => '%u004d', 'n' => '%u006e', 'N' => '%u004e',
    'o' => '%u006f', 'O' => '%u004f', 'p' => '%u0070', 'P' => '%u0050',
    'q' => '%u0071', 'Q' => '%u0051', 'r' => '%u0072', 'R' => '%u0052',
    's' => '%u0073', 'S' => '%u0053', 't' => '%u0074', 'T' => '%u0054',
    'u' => '%u0075', 'U' => '%u0055', 'v' => '%u0076', 'V' => '%u0056',
    'w' => '%u0077', 'W' => '%u0057', 'x' => '%u0078', 'X' => '%u0058',
    'y' => '%u0079', 'Y' => '%u0059', 'z' => '%u007a', 'Z' => '%u005a',
    '0' => '%u0030', '1' => '%u0031', '2' => '%u0032', '3' => '%u0033',
    '4' => '%u0034', '5' => '%u0035', '6' => '%u0036', '7' => '%u0037',
    '8' => '%u0038', '9' => '%u0039'
  }

  # URI.escape was removed in Ruby 3.0; this parser offers the same escaping.
  parser = URI::RFC2396_Parser.new

  newstr = String.new
  # Walk the string one character at a time.
  string.each_char do |c|
    if lookuptable.key?(c)
      newstr << lookuptable[c]   # character has a %u form in the table
    else
      newstr << parser.escape(c) # fall back to ordinary URL escaping
    end
  end
  newstr
end
```
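On the WAF side, the fix is to decode %uXXXX together with %XX before any rule runs. The following is an added example, not part of the original post: it compares a decoder that only knows %XX with one that also handles %u. `BLOCK_RULE`, the function names and the sample paths are constructed for illustration.

```ruby
# Added example, not from the original post. Rule and sample paths are constructed.
TOKEN = /%u(\h{4})|%(\h{2})/i

# Stand-in for whatever signature the WAF applies after decoding (assumption).
BLOCK_RULE = /\.asp\z/i

# Decoder that only understands %XX, like the confused WAF the post describes.
def decode_percent_only(raw)
  raw.b.gsub(/%(\h{2})/) { $1.hex.chr }.force_encoding('UTF-8').scrub
end

# Decoder that also understands %uXXXX. It makes a single pass, so a decoded
# '%' is never re-read as the start of another escape (no double decoding).
def decode_iis_style(raw)
  out = raw.b.gsub(TOKEN) do
    if $1
      cu = $1.hex
      # A lone UTF-16 surrogate is not a character; keep the token literal.
      (0xD800..0xDFFF).cover?(cu) ? $& : [cu].pack('U').b
    else
      $2.hex.chr
    end
  end
  out.force_encoding('UTF-8').scrub
end

# Returns what each decoder sees and whether the rule fires on it.
def inspect_path(raw)
  naive = decode_percent_only(raw)
  full  = decode_iis_style(raw)
  {
    naive: naive,
    normalized: full,
    percent_u: raw.match?(/%u\h{4}/i), # rare in legitimate traffic, worth logging
    naive_match: BLOCK_RULE.match?(naive),
    full_match: BLOCK_RULE.match?(full)
  }
end

if __FILE__ == $PROGRAM_NAME
  ['/abc.asp', '/abc.as%70', '/abc.as%u0070', '/100%u0025.txt'].each do |path|
    p inspect_path(path)
  end
end
```

A request where `naive_match` is false but `full_match` is true is exactly the gap between the WAF's view and the server's view, and is a good candidate for an alert.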
PS: Encoding feels very powerful in many places, but I have not grasped its essence yet and am still at a fuzzy stage.
Author: qingsh4n