Pentester-in-training here,
I’m testing an upload feature on a page, here’s the server header:
X-Powered-By: PHP/5.4
Access-Control-Allow-Origin: *
Server: Apache
Also I find it curious that the header does not show any WAF… anyway I tried to disguise the php shell using magic bytes, MIME deception, fuZziNg, double extension, CaSe VaRIaTioN and nothing, if it has php in it, the WAF will puke it out.
So what other techniques I missed or I don’t know to defeat this WAF?
submitted by /u/Sascha_Wohler
[link] [comments]