Trash Bin
0%

XSStrike源码-waf检测

Posted on Edited on In
Symbols count in article: 3.2k Reading time ≈ 3 mins.

Pre:

waf检测是为了之后的bypass.

源码:

该功能比较简单,所以直接贴源码.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import json
import re
import sys

from core.requester import requester
from core.log import setup_logger

logger = setup_logger(__name__)


def wafDetector(url, params, headers, GET, delay, timeout):
    with open(sys.path[0] + '/db/wafSignatures.json', 'r') as file:
        wafSignatures = json.load(file)
    # a payload which is noisy enough to provoke the WAF
    noise = '<script>alert("XSS")</script>' # 明显的payload
    params['xss'] = noise
    # Opens the noise injected payload
    response = requester(url, params, headers, GET, delay, timeout)
    page = response.text # 返回包源码
    code = str(response.status_code) # 状态码
    headers = str(response.headers) # 头部
    logger.debug('Waf Detector code: {}'.format(code))
    logger.debug_json('Waf Detector headers:', response.headers)

    if int(code) >= 400:
        bestMatch = [0, None]
        for wafName, wafSignature in wafSignatures.items():
            score = 0
            pageSign = wafSignature['page']
            codeSign = wafSignature['code']
            headersSign = wafSignature['headers']
            if pageSign:
                if re.search(pageSign, page, re.I):
                    score += 1
            if codeSign:
                if re.search(codeSign, code, re.I):
                    score += 0.5  # increase the overall score by a smaller amount because http codes aren't strong indicators         # 状态码权重较低,因为不是一个特别准确的判断标识
            if headersSign:
                if re.search(headersSign, headers, re.I):
                    score += 1
            # if the overall score of the waf is higher than the previous one
            if score > bestMatch[0]: # 保留权重最高的
                del bestMatch[:]  # delete the previous one
                bestMatch.extend([score, wafName])  # and add this one
        if bestMatch[0] != 0:
            return bestMatch[1]
        else:
            return None
    else:
        return None

主要流程

发送明显的恶意payload:

1
2
3
4
5
# a payload which is noisy enough to provoke the WAF
noise = '<script>alert("XSS")</script>' # 明显的payload
params['xss'] = noise
# Opens the noise injected payload
response = requester(url, params, headers, GET, delay, timeout)

发送一段足够明显的xss payload,连参数名都是xss,试图触发server的waf机制.

判断逻辑:

通过3个指标来正则匹配并计算匹配度得分,然后保留一个得分最高的作为最终的判定结果

  1. page 返回包源码

  2. code 状态码

  3. headers 返回包头部

正则匹配:

目前这个版本有66种waf的指纹、特征.

详细请看.https://github.com/s0md3v/XSStrike/blob/470f138db5fc0943e8a90a0de4052ddb7c03efab/db/wafSignatures.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
	"360 Web Application Firewall (360)" : {
		"code" : "493",
		"page" : "/wzws-waf-cgi/",
		"headers" : "X-Powered-By-360wzb"
	},
	"aeSecure" : {
		"code" : "",
		"page" : "aesecure_denied.png",
		"headers" : "aeSecure-code"
	},
	"Airlock (Phion/Ergon)" : {
		"code" : "",
		"page" : "",
		"headers" : "AL[_-]?(SESS|LB)"
	},
	.... 省略
}

计算匹配度分数:

1
2
3
4
5
6
7
8
9
10
11
12
13
if pageSign:
    if re.search(pageSign, page, re.I):
        score += 1
if codeSign:
    if re.search(codeSign, code, re.I):
        score += 0.5  # increase the overall score by a smaller amount because http codes aren't strong indicators         # 状态码权重较低,因为不是一个特别准确的判断标识
if headersSign:
    if re.search(headersSign, headers, re.I):
        score += 1
# if the overall score of the waf is higher than the previous one
if score > bestMatch[0]: # 保留权重最高的
    del bestMatch[:]  # delete the previous one
    bestMatch.extend([score, wafName])  # and add this one

分别在返回包源码,状态码,返回包头部里正则匹配.

其中状态码的得分(权重)最低,因为状态码不是一个特别准确的判断标识

然后保留一个得分最高的,作为最终结果.

Related Posts