Bypassing the WebARX Web Application Firewall (WAF)

WebARX is a web application firewall where you can protect your website from malicious attacks. As you can see it was mentioned in TheHackerNews as well and has good ratings if you do some Googling.

It was found out that the WebARX WAF could be easily bypassed by passing a whitelist string. As you see the request won’t be processed by the WAF if it detects a whitelist string.

Let’s first try on their own website. This is a simple LFi payload.



LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.

There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods.  Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.

	echo "File included: ".$_REQUEST["page"]."<br>";
	$file =  $_REQUEST["page"];
	include $file;