diff --git a/fenjing/context_vars.py b/fenjing/context_vars.py
index 1885b4d..598e314 100644
--- a/fenjing/context_vars.py
+++ b/fenjing/context_vars.py
@@ -6,6 +6,7 @@
 import logging
 import random
 import string
+import re
 logger = logging.getLogger("context_vars")
@@ -63,7 +64,7 @@
         "ndr": "_",
         "sls": "/",
     },
-    "{%set unn=lipsum|escape|batch(22)|list|first|last%}": {"unn": "_"},
+    "{%set unn=lipsum|escape|batch(22)|first|last%}": {"unn": "_"},
     "{%set perc=lipsum()|urlencode|first%}": {"perc": "%"},
     "{%set percc=(lipsum[((({}|select()|trim|list)[24]))*2+"
     + "dict(globals=x)|join+((({}|select()|trim|list)[24]))*2][((({}|select()"
@@ -151,6 +152,27 @@ def is_variable_exists(self, var_name: str) -> bool:
         all_vars = set(v for d in self.context_payloads.values() for v in d)
         return var_name in all_vars
+    def generate_related_variable_name(self, value: str) -> Union[str, None]:
+        """生成一个和value相关的变量名,如globals => gl或go,用于提升最终payload的可读性
+
+        Args:
+            value (str): 和变量名相关的字符串
+
+        Returns:
+            Union[str, None]: 结果
+        """
+        value = "".join(re.findall("[a-zA-Z]+", value)).lower()
+        if len(value) < 2:
+            return None
+        for c in value[1:]:
+            var_name = value[0] + c
+            if self.is_variable_exists(var_name):
+                continue
+            if not self.waf(var_name):
+                continue
+            return var_name
+        return None
+
     def generate_random_variable_name(self) -> Union[str, None]:
         """生成一个可能的变量名
diff --git a/fenjing/full_payload_gen.py b/fenjing/full_payload_gen.py
index 2c218fe..22bf394 100755
--- a/fenjing/full_payload_gen.py
+++ b/fenjing/full_payload_gen.py
@@ -205,7 +205,9 @@ def try_add_context_var_string(self, value: str, clean_cache=True) -> bool:
         expression, used_context, _ = ret
         # 变量名需要可以通过waf且不重复
-        var_name = self.context_vars.generate_random_variable_name()
+        var_name = self.context_vars.generate_related_variable_name(value)
+        if not var_name:
+            var_name = self.context_vars.generate_random_variable_name()
         if not var_name:
             return False
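Review bot: In the new `generate_related_variable_name` (third hunk of context_vars.py), the two-letter candidate built at `var_name = value[0] + c` can coincide with a Jinja2/Python reserved word — a value whose letters start with "in", "is", "or", "if" or "as" yields exactly that name — and neither `is_variable_exists` nor `self.waf` rejects it, so the resulting `{%set ...%}` would very likely fail to parse rather than define a variable. A module-level `_RESERVED = {"if", "in", "is", "or", "as", "and", "not", "for", "set", "with"}` (or `keyword.iskeyword` from the stdlib for the Python side) checked alongside the existing tests, `if var_name in _RESERVED or self.is_variable_exists(var_name): continue`, closes the gap. Repeated letters in `value` also produce the same candidate more than once, each re-running the waf check; iterating `dict.fromkeys(value[1:])` keeps order and drops the duplicates. The docstring is in Chinese only; a one-line English summary such as `"""Derive a short, readable 2-letter variable name from *value* (e.g. globals -> gl), or None."""` would help readers of the rest of the module, which documents in English elsewhere — assumption, the enclosing class starts outside the hunk.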