We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
使用命令:./mac_x_waf --target test.http --target-https=false --waf-block-regex payload sql
./mac_x_waf --target test.http --target-https=false --waf-block-regex payload sql
read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read6 / 10000000 [>__________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read r51 / 10000000 [>_________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read241 / 10000000 [>________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read382 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.00% 627 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read554 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.01% 627 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read r583 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.01% 627 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read704 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.01% 621 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read797 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.01% 621 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read945 / 10000000 [>______________________________________________________________________________________________________________________________________________________________________________] 0.01% 621 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read1011 / 10000000 [>_____________________________________________________________________________________________________________________________________________________________________________] 0.01% 614 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read1062 / 10000000 [>_____________________________________________________________________________________________________________________________________________________________________________] 0.01% 614 p/sread response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)read response, error: unexpected eof(p=13, pe=1024)^C
以下是 test.http 文件
GET /sqli/jdbc/vul1?username=test&password=%{{1}}%&type=add HTTP/1.1 Host: localhost Accept: */* Accept-Language: en-US,en Cache-Control: no-cache Connection: keep-alive Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Cookie: ADMINCONSOLESESSION=qsjkmZLpXJ5pP2LYbngHg96ycCpnRD404H26RfdgBhL1zJfP0Qqh!-411300354; Idea-c08dd7dc=fabc9384-9fc2-412f-a711-eb8ea8425043; JSESSIONID=EE08FFE0E3DD6AB3C7E02B314683E255 Pragma: no-cache Referer: http://localhost/sqli/jdbc/jdbcVul Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Sec-GPC: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 X-Requested-With: XMLHttpRequest sec-ch-ua: "Brave";v="131", "Chromium";v="131", "Not_A Brand";v="24" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS"
以下是使用 Wireshark 抓包的 x_waf 发出的 http 包
GET /sqli/jdbc/vul1?username=test&password=select+%5CZ%27user%27%2C-%C2%A85+from+mysql.%2F%2A%21user%2A%2F%3B&type=add HTTP/1.1 Host: localhost Accept: */* Accept-Language: en-US,en Cache-Control: no-cache Connection: keep-alive Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Cookie: ADMINCONSOLESESSION=qsjkmZLpXJ5pP2LYbngHg96ycCpnRD404H26RfdgBhL1zJfP0Qqh!-411300354; Idea-c08dd7dc=fabc9384-9fc2-412f-a711-eb8ea8425043; JSESSIONID=EE08FFE0E3DD6AB3C7E02B314683E255 Pragma: no-cache Referer: http://localhost/sqli/jdbc/jdbcVul Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Sec-GPC: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 X-Requested-With: XMLHttpRequest sec-ch-ua: "Brave";v="131", "Chromium";v="131", "Not_A Brand";v="24" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Connection: close HTTP/1.1 400 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 435 Date: Mon, 13 Jan 2025 10:20:34 GMT Connection: close <!doctype html><html lang="en"><head><title>HTTP Status 400 ... Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 ... Bad Request</h1></body></html>
使用 BurpSuite 重发是可以正常发送的
The text was updated successfully, but these errors were encountered:
响应400和unexpected eof是两个不同的问题,原因和解决办法不同 1、响应400,估计是请求文件\n而不是\r\n导致的。你可以用unix2dos test.http转换一下文件 2、unexpected eof,估计是x-waf发包依赖的库的bug。
unexpected eof
unix2dos test.http
万能解决办法是: 1、用 --justOutPutPayload 参数把payload导出到payloads.txt 2、使用burpsuite爆破
--justOutPutPayload
Sorry, something went wrong.
师傅,你可以把test.http文件作为附件上传一下吗? @ReaJason
后缀有限制,我换成 txt 后缀了,这个已经执行完 unix2dos 这个命令了, test.txt
No branches or pull requests
使用命令:
./mac_x_waf --target test.http --target-https=false --waf-block-regex payload sql以下是 test.http 文件
以下是使用 Wireshark 抓包的 x_waf 发出的 http 包
使用 BurpSuite 重发是可以正常发送的
The text was updated successfully, but these errors were encountered: