XORpass - An encoder to bypass WAF
by
Admin
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3MW2Xl4nVsmbpebu1VQnkFf0dZ3LzQcJebp5hPz5t_EfxhfM47OF6rJM6kS2LTMPOufOC0rK_uGgUHwDnLWGvLy1pDR-wIiiOE3NLVNS1rtla-A_tg81XAPUrYI621pNuPVqtiDqanXV/w640-h214-rw/68747470733a2f2f692e696d6775722e636f6d2f6971653167724b2e706e67.png)
XORpass is an encoder to bypass WAF filters using XOR operations.
Installation & Usage
git clone https://github.com/devploit/XORpass
cd XORpass
$ python3 xorpass.py -h
Example of bypass: Using clear PHP function:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKv4-cGstgnJJyC64QwTTllYXoNHbZfH7NEMOLAxKOv8ae616iJZMP4XhyYpGtwyJ37qfflThELDZhubxkhXzjsI38YqEUz3z-D2R5I8G8CWe57XpIF4TBeU4crHOHjg-TW13yUpGf8971/w640-h206-rw/68747470733a2f2f692e696d6775722e636f6d2f714d68477243412e706e67.png)
Using XOR bypass of that function:
$ python3 xorpass.py -e "system(ls)"
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT21lSykhyphenhyphen7NmeRegnqiOXm8YFnXpmAMRTHLu4G0SPkQsxthEwCgEgNfyc9c_-pWCE6eX2vYsQgCiLk4rL6053zJ9Yzbl71YK5KNzDRGbknTC8qcSu4Trho7lrlvB-pOMZ9PWXd-zuvHXX/w640-h184-rw/68747470733a2f2f692e696d6775722e636f6d2f694c46327267372e706e67.png)
Why does PHP treat our payload as a string?
The ^ is the exclusive or operator, which means that we're in reality working with binary values. So let's break down what happens.
The XOR operator on binary values will return 1 where just one of the bits were 1, otherwise it returns 0 (0^0 = 0, 0^1 = 1, 1^0 = 1, 1^1 = 0). When you use XOR on characters, you're using their ASCII values. These ASCII values are integers, so we need to convert those to binary to see what's actually going on.
A = 65 = 1000001S = 83 = 1010011B = 66 = 1000010
A 1000001 ^S 1010011 ^B 1000010----------------result 1010000 = 80 = P
A^S^B = P
If we do an 'echo "A"^"S"^"B";' PHP will return us a P as we see.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh37QpLk_3qcsBQduG5Z6U5h48hLCsh1lBXo-7Fbz3XNlVRyu2oxQVffvAPBZGILDSq_AbZko_czZY6gLC6PNNQDJrl-HesDz-5yoHkQHiv5jrQSHxXTNOmx7CWqokbvvj2GuihDO-cE4lC/w640-h294-rw/68747470733a2f2f692e696d6775722e636f6d2f37494144365a592e706e67.png)