Pentester-in-training here,

I’m testing an upload feature on a page, here’s the server header:

X-Powered-By: PHP/5.4

Access-Control-Allow-Origin: *

Server: Apache

Also I find it curious that the header does not show any WAF… anyway I tried to disguise the php shell using magic bytes, MIME deception, fuZziNg, double extension, CaSe VaRIaTioN and nothing, if it has php in it, the WAF will puke it out.

So what other techniques I missed or I don’t know to defeat this WAF?

I wont bore you all with an annoying ad or summary of my tool as all the info about the tool is on github. But I’ll share a link to the github repo and just say I’d love to recieve feedback and see what people think! Autohack can be especially helpful to newer hackers/people getting into the hacking field and don’t know about all of the tools out there. Thanks 🙂

Link: https://github.com/dxrk-kali/autohack

If this is illegal please take it down, but is there a way, or a merit in attempting to pursue, downloading a web-based program to run it while offline? I’ll be in a remote location and use a resource known as SKYCIV but it’s online based.

Thanks for the advice.

I’m an CS student and wanted to create an app which communicates with my server. Now, I’m worried about when this app goes live, that due to my lake of knowledge about cybersecurity, my servers won’t stay online for long.

That’s why I asked my self if it makes sense for me to learn some hacking and hack my own servers to see where potential intruders can do something I don’t want them to do or if it’s just better to sign up for an cybersecurity class.

Thanks in advance for taking your time.