Possible Payload:

%E2%81%BB{7*7}}

Explanation:

When you enter the expression {{7*7}}, the Web Application Firewall detects and blocks it by replacing the left curly brackets with WAF_BLOCKED. To bypass this sanitization, you can take advantage of the Unicode compatibility process. Although the UTF-8 decoder is unicode aware the application only accepts US-ASCII characters and will utilize byte truncation to convert non-ASCII characters into their closest ASCII equivalents. Unicode characters will be truncated, keeping only the least significant byte or the last two characters of the codepoint. The Unicode code point for the left curly bracket is U+007B. Find a Unicode character that has the same lower byte. For example, the superscript minus ⁻ has a Unicode code point of U+207B. The superscript minus will be converted to a regular left curly bracket { when processed by the application as they both have the same lower byte. This transliteration process between the WAF and the application code interpreter creates an impedance mismatch where the string inspected by the WAF does not match the modified string processed by the application. Replace the first left curly bracket in your expression with the superscript minus and encode the character using UTF-8 encoding. Enter the encoded expression %E2%81%BB{7*7}} into the input field to bypass the WAF and perform server-side template injection. With this example payload a successful SSTI would result in the integer value “49” in the html input field. Other Unicode characters and mathematical expressions can also be used.

WAF Bypass - Codepoint Truncation

WAF Bypass - Unicode to ASCII Byte Truncation

Description

Goal

Important Note

Hints

Solution