Ekultek / WhatWaf

Detect and bypass web application firewalls and protection systems

Running Whatwaf on Termux #240

Closed 687766616e closed 5 years ago

687766616e commented 5 years ago

whatwaf --ra --tamper-int 10 --verbose -u "https://test.test.com/test-api/test?tedt=43842694568439726"

...
[02:10:44][DEBUG] loading plugin script 'zscaler'
[02:10:44][INFO] running firewall detection checks
[02:10:45][WARN] unknown firewall detected saving fingerprint to log file
[02:10:45][PROMPT] do you want to create an issue with the unknown firewall to possibly get it implemented[y/N]: y
[02:10:59][ERROR] whatwaf is currently not the newest version, please update to request a firewall script creation
$

687766616e commented 5 years ago

$ git pull
Already up to date.

687766616e commented 5 years ago

meituan yun waf? maybe

687766616e commented 5 years ago

www.test.test.zip log file

Ekultek commented 5 years ago

fixed via https://github.com/Ekultek/WhatWaf/commit/e04afbd1bcafbf26256ab042cae05a92051b3ea9

687766616e commented 5 years ago

what?... still can't...

[00:17:14][DEBUG] loading plugin script 'zscaler'
[00:17:14][INFO] running firewall detection checks
[00:17:14][WARN] unknown firewall detected saving fingerprint to log file
[00:17:14][PROMPT] do you want to create an issue with the unknown firewall to possibly get it implemented[y/N]: y
[00:19:02][FATAL] caught an exception while trying to process request: HTTP Error 401: Unauthorized, you can either create this issue manually, or try again. if you have decided to create the issue manually you can find the issue information in the following file: /data/data/com.termux/files/home/.whatwaf/unprocessed_issues/fTqaVcLYPRGdaghiVmyuWuUwwuPFhBAT.json
[00:19:02][INFO] for further analysis the WAF fingerprint can be found in: '/data/data/com.termux/files/home/.whatwaf/fingerprints/www.insurance.meituan.com'
[00:19:02][WARN] request counter failed to count correctly, deactivating
$

687766616e commented 5 years ago

Why is it aborted when it encounters an unknown firewall?

Ekultek commented 5 years ago

That's weird. Did you change any of the code? It's not aborted when it encounters unknown; it creates an issue. Try re-cloning it.

687766616e commented 5 years ago

still can't

Ekultek commented 5 years ago

This has to be user error

python whatwaf.py --tor --ra --tamper-int 10 --verbose -u "https://test.test.com/test-api/test?tedt=43842694568439726" --skip

                              ,------.  
                             '  .--.  ' 
    ,--.   .--.   ,--.   .--.|  |  |  | 
    |  |   |  |   |  |   |  |'--'  |  | 
    |  |   |  |   |  |   |  |    __.  | 
    |  |.'.|  |   |  |.'.|  |   |   .'  
    |         |   |         |   |___|   
    |   ,'.   |hat|   ,'.   |af .---.   
    '--'   '--'   '--'   '--'   '---'  
"/><script>alert("WhatWaf?<|>v1.4.4($dev)");</script>

[12:04:13][WARN] you've chosen to skip bypass checks and chosen an amount of tamper to display, tampers will be skipped
[12:04:13][INFO] running behind proxy 'socks5://127.0.0.1:9050'
[12:04:13][INFO] using User-Agent 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5'
...
[12:05:06][DEBUG] trying: https://test.test.com/Default.htm
[PAYLOAD] '))) AND 1=1,SELECT * FROM information_schema.tables ((('
[12:05:11][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726'))) AND 1=1,SELECT * FROM information_schema.tables (((''
[12:05:16][DEBUG] trying: https://test.test.com/index.exe
[PAYLOAD] ' )) AND 1=1 (( ' -- rgzd
[12:05:21][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726' )) AND 1=1 (( ' -- rgzd'
[12:05:26][DEBUG] trying: https://test.test.com/index.shtml
[PAYLOAD] ;SELECT * FROM information_schema.tables WHERE 2>1 AND 1=1 OR 2=2 -- qdEf '
[12:05:30][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726;SELECT * FROM information_schema.tables WHERE 2>1 AND 1=1 OR 2=2 -- qdEf ''
[12:05:35][DEBUG] trying: https://test.test.com/home.html
[PAYLOAD] ' OR '1'=1 '"
[12:05:40][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726' OR '1'=1 '"'
[12:05:45][DEBUG] trying: https://test.test.com/index.htm
...
[12:06:23][DEBUG] loading plugin script 'barikode'
[12:06:23][DEBUG] loading plugin script 'barracuda'
[12:06:23][DEBUG] loading plugin script 'bigip'
[12:06:23][DEBUG] loading plugin script 'binarysec'
[12:06:23][DEBUG] loading plugin script 'blockdos'
[12:06:23][DEBUG] loading plugin script 'chuangyu'
[12:06:23][DEBUG] loading plugin script 'ciscoacexml'
[12:06:23][DEBUG] loading plugin script 'cloudflare'
[12:06:23][DEBUG] loading plugin script 'cloudfront'
[12:06:23][DEBUG] loading plugin script 'codeigniter'
[12:06:23][DEBUG] loading plugin script 'comodo'
[12:06:23][DEBUG] loading plugin script 'datapower'
[12:06:23][DEBUG] loading plugin script 'denyall'
[12:06:23][DEBUG] loading plugin script 'dodenterpriseprotection'
[12:06:23][DEBUG] loading plugin script 'dosarrest'
[12:06:23][DEBUG] loading plugin script 'dotdefender'
[12:06:23][DEBUG] loading plugin script 'dw'
[12:06:23][DEBUG] loading plugin script 'edgecast'
[12:06:23][DEBUG] loading plugin script 'expressionengine'
[12:06:23][DEBUG] loading plugin script 'fortigate'
[12:06:23][DEBUG] loading plugin script 'gladius'
[12:06:23][DEBUG] loading plugin script 'incapsula'
[12:06:23][DEBUG] loading plugin script 'infosafe'
[12:06:23][DEBUG] loading plugin script 'janusec'
[12:06:23][DEBUG] loading plugin script 'modsecurity'
[12:06:23][DEBUG] loading plugin script 'modsecurityowasp'
[12:06:23][DEBUG] loading plugin script 'nginx'
[12:06:23][DEBUG] loading plugin script 'paloalto'
[12:06:23][DEBUG] loading plugin script 'perimx'
[12:06:23][DEBUG] loading plugin script 'pk'
[12:06:23][DEBUG] loading plugin script 'powerful'
[12:06:23][DEBUG] loading plugin script 'radware'
[12:06:23][DEBUG] loading plugin script 'sabre'
[12:06:23][DEBUG] loading plugin script 'safedog'
...
[12:06:23][DEBUG] loading plugin script 'zscaler'
[12:06:23][INFO] running firewall detection checks
[12:06:24][SUCCESS] multiple protections identified on target:
[12:06:24][SUCCESS] #1 'Nginx Generic Protection'
[12:06:24][SUCCESS] #2 'DOSarrest (DOSarrest Internet Security)'
[12:06:24][WARN] skipping bypass tests
[12:06:24][INFO] URL has been cached for future use
[12:06:24][INFO] total requests sent: 25

687766616e commented 5 years ago

Is it related to the execution of "source ~/.bash_profile"?

687766616e commented 5 years ago

bad English hah

Ekultek commented 5 years ago

@huitc I'm running the execution script right now hang on

Ekultek commented 5 years ago

Seems to work still

whatwaf --tor --ra --tamper-int 10 --verbose -u "https://test.test.com/test-api/test?tedt=43842694568439726" --skip

                              ,------.  
                             '  .--.  ' 
    ,--.   .--.   ,--.   .--.|  |  |  | 
    |  |   |  |   |  |   |  |'--'  |  | 
    |  |   |  |   |  |   |  |    __.  | 
    |  |.'.|  |   |  |.'.|  |   |   .'  
    |         |   |         |   |___|   
    |   ,'.   |hat|   ,'.   |af .---.   
    '--'   '--'   '--'   '--'   '---'  
"/><script>alert("WhatWaf?<|>v1.4.4($dev)");</script>

[12:08:30][WARN] you've chosen to skip bypass checks and chosen an amount of tamper to display, tampers will be skipped
[12:08:30][INFO] running behind proxy 'socks5://127.0.0.1:9050'
[12:08:30][INFO] using User-Agent 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060310 Linux Mint/6 (Felicia) Firefox/3.0.11'
[12:08:30][INFO] using default payloads
[12:08:30][INFO] testing connection to target URL before starting attack
[12:08:39][SUCCESS] connection succeeded, continuing
[12:08:39][INFO] running single web application 'https://test.test.com/test-api/test?tedt=43842694568439726'
[12:08:39][INFO] request type: GET
[12:08:39][INFO] gathering HTTP responses
[PAYLOAD] <frameset><frame src=\"javascript:alert('XSS');\"></frameset>
[12:08:39][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726<frameset><frame src=\"javascript:alert('XSS');\"></frameset>'
[12:08:44][DEBUG] trying: https://test.test.com/index.php
[PAYLOAD] AND 1=1 ORDERBY(1,2,3,4,5) --;
[12:08:49][DEBUG] trying: 'https://test.test.com/test-api/test?tedt=43842694568439726AND 1=1 ORDERBY(1,2,3,4,5) --;'
[12:08:54][DEBUG] trying: https://test.test.com/placeholder.html
[PAYLOAD] ><script>alert("testing");</script>
...
[12:10:41][DEBUG] loading plugin script 'aspnetgeneric'
[12:10:41][DEBUG] loading plugin script 'aws'
[12:10:41][DEBUG] loading plugin script 'baidu'
[12:10:41][DEBUG] loading plugin script 'barikode'
[12:10:41][DEBUG] loading plugin script 'barracuda'
[12:10:41][DEBUG] loading plugin script 'bigip'
[12:10:41][DEBUG] loading plugin script 'binarysec'
[12:10:41][DEBUG] loading plugin script 'blockdos'
[12:10:41][DEBUG] loading plugin script 'chuangyu'
[12:10:41][DEBUG] loading plugin script 'ciscoacexml'
[12:10:41][DEBUG] loading plugin script 'cloudflare'
[12:10:41][DEBUG] loading plugin script 'cloudfront'
[12:10:41][DEBUG] loading plugin script 'codeigniter'
[12:10:41][DEBUG] loading plugin script 'comodo'
...
[12:10:41][INFO] running firewall detection checks
[12:10:41][SUCCESS] multiple protections identified on target:
[12:10:41][SUCCESS] #1 'Nginx Generic Protection'
[12:10:41][SUCCESS] #2 'DOSarrest (DOSarrest Internet Security)'
[12:10:41][WARN] skipping bypass tests
[12:10:41][INFO] total requests sent: 25

Do the following:

admin@Hades:~/whatwaf$ python whatwaf.py --clean
[12:11:51][WARN] cleaning the home folder: /Users/admin/.whatwaf, if you have installed with setup.sh, this will erase the executable script along with everything inside of the /Users/admin/.whatwaf directory (fingerprints, scripts, copies of whatwaf, etc) if you are sure you want to do this press ENTER now. If you changed your mind press CNTRL-C now

[12:11:54][INFO] attempting to clean home folder
[12:11:54][INFO] home folder removed
admin@Hades:~/whatwaf$ bash setup.sh install
                              ,------.   
                             '  .--.  '  
    ,--.   .--.   ,--.   .--.|  |  |  |  
    |  |   |  |   |  |   |  |'--'  |  |  
    |  |   |  |   |  |   |  |    __.  |  
    |  |.'.|  |   |  |.'.|  |   |   .'   
    |         |   |         |   |___|    
    |   ,'.   |hat|   ,'.   |af .---.    
    '--'   '--'   '--'   '--'   '---'    v(1.4.4)
 Installing:
copying files over..
creating executable
editing file stats
installed, you need to run: source ~/.bash_profile if you notice that the installation does not work as expected
admin@Hades:~/whatwaf$ source ~/.bash_profile

And try again, see if that changes anything

687766616e commented 5 years ago

I'm using this app to run it: https://play.google.com/store/apps/details?id=com.termux

Ekultek commented 5 years ago

It's not designed for Termux. I'm thinking that chances are there's probably some bugs since the websites are reading you as mobile. I can look into it and see what I can do for you though.

687766616e commented 5 years ago

But I have used the --ra option!...

Ekultek commented 5 years ago

I realize that, but once again it's not designed for Termux

687766616e commented 5 years ago

try using termux to run whatwaf?😊

687766616e commented 5 years ago

Also, I can use sqlmap normally...

Ekultek commented 5 years ago

@huitc What does sqlmap have to do with this? I'm looking into it and will update accordingly

687766616e commented 5 years ago

That is, you can run Python applications on Termux.
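Added example, not part of the thread and not WhatWaf's own code: a small triage script that summarizes a WhatWaf console log, so the Termux run (unknown firewall, HTTP 401 on issue creation) can be compared field by field with the maintainer's run. The `[HH:MM:SS][LEVEL] message` layout and the sample lines are taken from the logs above; `summarize_run` and the summary keys are hypothetical names.

```python
import re
from collections import Counter

# Line layout "[HH:MM:SS][LEVEL] message" as seen in the logs posted in this thread.
LINE_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\[([A-Z]+)\] (.*)$")
PROTECTION_RE = re.compile(r"^#\d+ '(.+)'$")
HTTP_ERROR_RE = re.compile(r"HTTP Error (\d{3})")
TOTAL_RE = re.compile(r"total requests sent: (\d+)")

# Excerpts copied from the two runs in the thread (the long FATAL line is shortened).
TERMUX_RUN = """\
[00:17:14][INFO] running firewall detection checks
[00:17:14][WARN] unknown firewall detected saving fingerprint to log file
[00:19:02][FATAL] caught an exception while trying to process request: HTTP Error 401: Unauthorized
[00:19:02][WARN] request counter failed to count correctly, deactivating
"""
DESKTOP_RUN = """\
[PAYLOAD] ' OR '1'=1 '"
[12:06:23][INFO] running firewall detection checks
[12:06:24][SUCCESS] multiple protections identified on target:
[12:06:24][SUCCESS] #1 'Nginx Generic Protection'
[12:06:24][SUCCESS] #2 'DOSarrest (DOSarrest Internet Security)'
[12:06:24][INFO] total requests sent: 25
"""

def summarize_run(log_text):
    """Summarize one run: level counts, identified protections, failures."""
    summary = {"levels": Counter(), "protections": [], "unknown_firewall": False,
               "issue_http_error": None, "total_requests": None, "unparsed": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            # Banner art, "[PAYLOAD] ..." lines and "..." elisions have no timestamp.
            summary["unparsed"] += 1
            continue
        level, msg = m.groups()
        summary["levels"][level] += 1
        if level == "SUCCESS" and (p := PROTECTION_RE.match(msg)):
            summary["protections"].append(p.group(1))
        elif level == "WARN" and msg.startswith("unknown firewall detected"):
            summary["unknown_firewall"] = True
        elif level == "FATAL" and (e := HTTP_ERROR_RE.search(msg)):
            summary["issue_http_error"] = int(e.group(1))
        elif level == "INFO" and (t := TOTAL_RE.search(msg)):
            summary["total_requests"] = int(t.group(1))
    return summary

if __name__ == "__main__":
    for name, text in (("termux", TERMUX_RUN), ("desktop", DESKTOP_RUN)):
        print(name, summarize_run(text))
```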