XORpass is an encoder to bypass WAF filters using XOR operations.

Installation & Usage

git clone https://github.com/devploit/XORpass 
cd XORpass

$ php encode.php STRING $
php decode.php "XORed STRING"

Example of bypass:

Using clear PHP function:

 

 

 

 

 

 

 

 

Using XOR bypass of that function:

$ php encode.php system # return A
$ php encode.php ls # return B

payload == A(B)

Why does PHP treat our payload as a string?

The ^ is the exclusive or operator, which means that we're in reality working with binary values. So lets break down what happens.

The XOR operator on binary values will return 1 where just one of the bits were 1, otherwise it returns 0 (0^0 = 0, 0^1 = 1, 1^0 = 1, 1^1 = 0). When you use XOR on characters, you're using their ASCII values. These ASCII values are integers, so we need to convert those to binary to see what's actually going on:

A = 65 = 1000001 
S = 83 = 1010011 
B = 66 = 1000010 

A        1000001
         ^
S        1010011
         ^ 
B        1000010 
---------------- 
result 0010010 = 80 = P 

A^S^B = P

If we do an 'echo "A"^"S"^"B";' PHP will return us a P as we see.


 

Contact

Telegram: @devploit

https://github.com/devploit/XORpass

Twitter: https://www.twitter.com/devploit

November 4, 2019

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013