Sunday, November 29, 2020

Palo Alto Networks - WAF Bypass for Webshell

I originally found this and reported it to Palo Alto Networks in 2018.

You can use the default Kali Linux aspx webshell to get RCE on a server protected by a Palo Alto Networks firewall... as long as you change the "m" in cmd.exe to an "M". Windows resolves executable names case-insensitively, so the shell still spawns cmd.exe at runtime; only the bytes in the uploaded file change.

That's it! That's the whole hack! It gets past the WAF's check, which was evidently matching the exact lower-case string cmd.exe.
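To make the mechanism concrete, here is an added example (my own illustration, not code from the original post and not Palo Alto Networks' actual signature). It models the check as a hypothetical case-sensitive regex over the upload body, applies the m -> M rewrite to a constructed excerpt of the stock Kali cmdasp.aspx webshell, and shows the hardened (case-insensitive) rule beside it. It also goes one step further than the post and enumerates every casing of cmd.exe so you can see how many variants a case-sensitive rule lets through. The ORIGINAL_SHELL excerpt and both pattern constants are assumptions for the demo.

```python
import re

# Constructed stand-in for the relevant lines of the stock Kali cmdasp.aspx
# webshell (not the full file): the process name is hard-coded as cmd.exe.
ORIGINAL_SHELL = '''\
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c " + arg;
'''

# Hypothetical case-sensitive rule modelled on the behaviour described in the
# post (a check that fires on the literal string cmd.exe). This is an
# illustration only, not Palo Alto Networks' real signature.
NAIVE_PATTERN = re.compile(r'cmd\.exe')

# Hardened rule: case-insensitive, so every casing of the name matches.
HARDENED_PATTERN = re.compile(r'cmd\.exe', re.IGNORECASE)


def naive_signature_hits(body: str) -> bool:
    """True if the case-sensitive rule would block this upload."""
    return NAIVE_PATTERN.search(body) is not None


def hardened_signature_hits(body: str) -> bool:
    """True if the case-insensitive rule would block this upload."""
    return HARDENED_PATTERN.search(body) is not None


def mutate_case(body: str, token: str = "cmd.exe", variant: str = "cMd.exe") -> str:
    """Rewrite every occurrence of token to variant (the post's m -> M trick).

    Windows resolves executable names case-insensitively, so the shell still
    spawns cmd.exe at runtime; only the bytes on the wire change.
    """
    assert len(token) == len(variant) and token.lower() == variant.lower()
    return body.replace(token, variant)


def case_variants(token: str):
    """Yield every upper/lower casing of the letters in token (2**n variants).

    Handy for checking whether a rule is case-sensitive without guessing
    which single variant slips through.
    """
    letters = [i for i, ch in enumerate(token) if ch.isalpha()]
    for mask in range(1 << len(letters)):
        chars = list(token.lower())
        for bit, idx in enumerate(letters):
            if mask >> bit & 1:
                chars[idx] = chars[idx].upper()
        yield "".join(chars)


def variants_evading(pattern: re.Pattern, token: str = "cmd.exe") -> list:
    """Return the casings of token that pattern fails to match."""
    return [v for v in case_variants(token) if pattern.search(v) is None]


if __name__ == "__main__":
    bypassed = mutate_case(ORIGINAL_SHELL)
    print("naive rule, original shell:  ", naive_signature_hits(ORIGINAL_SHELL))
    print("naive rule, cMd.exe shell:   ", naive_signature_hits(bypassed))
    print("hardened rule, cMd.exe shell:", hardened_signature_hits(bypassed))
    print("casings the naive rule misses:", len(variants_evading(NAIVE_PATTERN)))
    print("casings the hardened rule misses:", len(variants_evading(HARDENED_PATTERN)))
```

The point for defenders: cmd.exe has six letters, so a case-sensitive literal match catches one of 64 casings and misses the other 63; the real-world fix is to match case-insensitively (or normalise the payload before matching), and the same check is worth running against any string-based rule you write.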

So my discovery process...

While I was trying to upload my webshell, I noticed the font of the error looked different from the rest of the application. I googled the wording, trying to figure out what service was displaying it. It looked similar to an image of a Palo Alto dialog:

Mine: [screenshot of the error I saw]

Theirs: [the Palo Alto dialog image I found]

Close enough - I assumed I was dealing with a Palo Alto firewall. The logs confirmed this was true. The bypass worked and eventually I upgraded my webshell to a Meterpreter shell. The Palo Alto WAF bypass process wasn't fancy, but it was instrumental in owning the server.