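# Run setup: locate this script, load the shared configuration and prepare
# the results directory for the WAF rule-coverage run.
# OUT (base results directory) and TARGET (base URL of the system under test)
# are not defined in this file; presumably config.sh provides them.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CONFIG_FILE="$SCRIPT_DIR/../config.sh"
if [[ ! -r "$CONFIG_FILE" ]]; then
  printf 'error: cannot read %s\n' "$CONFIG_FILE" >&2
  exit 1
fi
# shellcheck source=/dev/null
source "$CONFIG_FILE"
# Fail fast when the configuration left these empty: an empty OUT would make
# the results path "/waf_bypass", and an empty TARGET would send every request
# to a malformed URL while still logging a status line for it.
: "${OUT:?OUT must be set (expected from config.sh)}"
: "${TARGET:?TARGET must be set (expected from config.sh)}"
OUT="$OUT/waf_bypass"
mkdir -p "$OUT" || exit 1
# tee without -a: each run starts a fresh summary file.
echo '=== WAF BYPASS TESTS ===' | tee "$OUT/summary.txt"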
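#######################################
# Percent-encode a string for use as a URL query-parameter value.
# Delegates to Python's urllib.parse.quote with its default safe set, so
# unreserved characters and "/" pass through and everything else is escaped.
# The input is encoded verbatim: leading/trailing whitespace is kept, so the
# value that is sent always matches the value that is logged by the caller.
# Arguments: $1 - string to encode
# Outputs:   encoded string on stdout
# Returns:   exit status of the pipeline (non-zero if python3 cannot run)
#######################################
url_encode() {
  printf '%s' "$1" \
    | python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.read()))'
}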
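# SQL-injection rule coverage: each entry is URL-encoded, sent as the "id"
# query parameter, and only the HTTP status code is recorded.
# The status shows how the front end answered the request; it says nothing
# about whether the application behind it is injectable.
SQL_PAYLOADS=(
  "' OR 1=1--"
  "1; DROP TABLE users--"
  "' UNION SELECT * FROM information_schema.tables--"
  "admin'--"
  "1' AND SLEEP(5)--"
  "1 OR 1=1"
  "'; EXEC xp_cmdshell('dir')--"
)

echo '' | tee -a "$OUT/summary.txt"
echo '--- SQL Injection Probes ---' | tee -a "$OUT/summary.txt"
for payload in "${SQL_PAYLOADS[@]}"; do
  # If the encoder fails, $encoded is empty and the request would carry no
  # payload at all; logging its status against the payload would be a false
  # result, so record the failure and skip the request instead.
  if ! encoded=$(url_encode "$payload") || [[ -z "$encoded" ]]; then
    printf '[ERR] SQL: %s (encoding failed, request not sent)\n' "$payload" \
      | tee -a "$OUT/summary.txt"
    continue
  fi
  # -k disables TLS certificate verification, so the status comes from
  # whichever endpoint answered for $TARGET. A recorded 000 means curl got no
  # HTTP response (timeout, reset, DNS failure), not a verdict on the rule.
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$TARGET/?id=$encoded")
  printf '[%s] SQL: %s\n' "$resp" "$payload" | tee -a "$OUT/summary.txt"
done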
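# XSS rule coverage: each entry is URL-encoded, sent as the "q" query
# parameter, and only the HTTP status code is recorded. The response body is
# discarded, so reflection of the value is not checked here.
XSS_PAYLOADS=(
  '<script>alert(1)</script>'
  '<img src=x onerror=alert(1)>'
  'javascript:alert(1)'
  '<svg onload=alert(1)>'
  '"><script>alert(document.cookie)</script>'
)

echo '' | tee -a "$OUT/summary.txt"
echo '--- XSS Probes ---' | tee -a "$OUT/summary.txt"
for payload in "${XSS_PAYLOADS[@]}"; do
  # If the encoder fails, $encoded is empty and the request would carry no
  # payload at all; logging its status against the payload would be a false
  # result, so record the failure and skip the request instead.
  if ! encoded=$(url_encode "$payload") || [[ -z "$encoded" ]]; then
    printf '[ERR] XSS: %s (encoding failed, request not sent)\n' "$payload" \
      | tee -a "$OUT/summary.txt"
    continue
  fi
  # -k disables TLS certificate verification, so the status comes from
  # whichever endpoint answered for $TARGET. A recorded 000 means curl got no
  # HTTP response (timeout, reset, DNS failure), not a verdict on the rule.
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$TARGET/?q=$encoded")
  printf '[%s] XSS: %s\n' "$resp" "$payload" | tee -a "$OUT/summary.txt"
done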
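# Path-traversal rule coverage: each entry is appended to the URL path as
# written (several are already percent-encoded, so url_encode is deliberately
# not applied) and only the HTTP status code is recorded.
TRAVERSAL_PAYLOADS=(
  '../../../etc/passwd'
  '..%2F..%2F..%2Fetc%2Fpasswd'
  '%2e%2e/%2e%2e/%2e%2e/etc/passwd'
  '....//....//etc/passwd'
  '%252e%252e%252fetc%252fpasswd'
)

echo '' | tee -a "$OUT/summary.txt"
echo '--- Path Traversal Probes ---' | tee -a "$OUT/summary.txt"
for payload in "${TRAVERSAL_PAYLOADS[@]}"; do
  # curl collapses "/../" and "/./" segments client-side by default, so the
  # request on the wire would differ from the entry written to the summary
  # and the logged status would describe a different path. --path-as-is
  # keeps the path exactly as given, so each result matches its log line.
  # -k disables TLS certificate verification; a recorded 000 means curl got
  # no HTTP response (timeout, reset, DNS failure), not a verdict on the rule.
  resp=$(curl -sk --path-as-is -o /dev/null -w '%{http_code}' --max-time 10 "$TARGET/$payload")
  printf '[%s] Traversal: %s\n' "$resp" "$payload" | tee -a "$OUT/summary.txt"
done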
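# Command-injection rule coverage: each entry is URL-encoded, sent as the
# "cmd" query parameter, and only the HTTP status code is recorded.
# The entries are single-quoted so the local shell never expands them.
CMD_PAYLOADS=(
  '; cat /etc/passwd'
  '| whoami'
  '`id`'
  '$(id)'
  '; ls -la /'
)

echo '' | tee -a "$OUT/summary.txt"
echo '--- Command Injection Probes ---' | tee -a "$OUT/summary.txt"
for payload in "${CMD_PAYLOADS[@]}"; do
  # If the encoder fails, $encoded is empty and the request would carry no
  # payload at all; logging its status against the payload would be a false
  # result, so record the failure and skip the request instead.
  if ! encoded=$(url_encode "$payload") || [[ -z "$encoded" ]]; then
    printf '[ERR] CMD: %s (encoding failed, request not sent)\n' "$payload" \
      | tee -a "$OUT/summary.txt"
    continue
  fi
  # -k disables TLS certificate verification, so the status comes from
  # whichever endpoint answered for $TARGET. A recorded 000 means curl got no
  # HTTP response (timeout, reset, DNS failure), not a verdict on the rule.
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$TARGET/?cmd=$encoded")
  printf '[%s] CMD: %s\n' "$resp" "$payload" | tee -a "$OUT/summary.txt"
done

# Print the complete summary once more at the end of the run; every line in
# it was already echoed to the terminal through tee as it was produced.
cat "$OUT/summary.txt"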