WAF aka Web Application Firewalls.

Today, I'll show you how to bypass a web application firewall.

First of all, check whether the site is vulnerable to LFI (local file inclusion).
To do that, change your old vector /etc/passwd to %2fetc%2fpasswd.
Your whole URL (Uniform Resource Locator) would look like this:
Quote:BeggfomercyIsanoob.com/index.php?filename=%2fetc%2fpasswd.

So basically every '/' is changed to '%2f' (without the quotes).
(/ = %2f) That's a pretty easy form to remember; keep it in mind.

This method is called 'URL encoding', a fixed scheme for writing a character as '%' followed by its hex code.
As the name says, it encodes the URL, and it will bypass the filters if you are lucky.

To bypass the character limit, you can just do it like this:
Quote:/../etc/passwd/./././././././././././././././././././././././././././././
Much more may be needed; it depends on the web server.

Null bytes: this method is pretty easy and can be really useful.
Add this to the end of your URL:
Quote:

For example:
Quote:  .com/index.php?filename=/etc/passwd.
You can even add null bytes instead. This will help you get around the firewalls, but doesn't always work.
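
Seen from the defender's side, all three tricks above stop working once the application decodes and canonicalizes the filename parameter before deciding whether to open it. The following is an added example, not part of the original tutorial; BASE_DIR, MAX_LEN, safe_resolve and the sample values are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/app/pages"  # assumed directory the application may read from
MAX_LEN = 255                    # assumed cap on the raw parameter length


def safe_resolve(raw_param, base_dir=BASE_DIR):
    """Return (path, None) when the parameter stays under base_dir, else (None, reason)."""
    if len(raw_param) > MAX_LEN:
        return None, "too long"
    # Decode first, so %2f is judged as the '/' it stands for.
    decoded = unquote(raw_param)
    # Input that is still encoded after one decode is refused outright.
    if unquote(decoded) != decoded:
        return None, "nested encoding"
    # A NUL byte can truncate the string in lower layers; never pass it on.
    if "\x00" in decoded:
        return None, "null byte"
    # join() lets an absolute path replace base_dir; normpath() then collapses
    # '/./' padding and resolves '..' lexically. A deployment would also
    # resolve symlinks (os.path.realpath) before this comparison.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if not candidate.startswith(base_dir + "/"):
        return None, "not under base directory"
    return candidate, None


# Constructed sample values for the filename parameter.
SAMPLES = [
    "about.html",
    "%2fetc%2fpasswd",
    "/../etc/passwd/./././././.",
    "about.html%00",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", safe_resolve(value))
```

The check runs on the decoded, normalized value, so a filter in front of the application that only matches the raw string is not the last line of defence.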

These are just a few methods; many more exist. I might cover them in another tutorial.

This does not cover everything; it's just the basics of WAF bypassing. There might be an error in the tutorial.
If so, please report it to me.
