XORpass is an encoder to bypass WAF filters using XOR operations.


Installation & Usage

git clone https://github.com/devploit/XORpass 
cd XORpass

$ php encode.php STRING $
php decode.php "XORed STRING"

Example of bypass:

Using clear PHP function:









Using XOR bypass of that function:

$ php encode.php system # return A
$ php encode.php ls # return B

payload == A(B)

Why does PHP treat our payload as a string?

The ^ is the exclusive or operator, which means that we're in reality working with binary values. So lets break down what happens.

The XOR operator on binary values will return 1 where just one of the bits were 1, otherwise it returns 0 (0^0 = 0, 0^1 = 1, 1^0 = 1, 1^1 = 0). When you use XOR on characters, you're using their ASCII values. These ASCII values are integers, so we need to convert those to binary to see what's actually going on:

A = 65 = 1000001 
S = 83 = 1010011 
B = 66 = 1000010 

A        1000001
S        1010011
B        1000010 
result 0010010 = 80 = P 

A^S^B = P

If we do an 'echo "A"^"S"^"B";' PHP will return us a P as we see.



Telegram: @devploit


Twitter: https://www.twitter.com/devploit

November 4, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023