Bypassing Other Blacklisted Characters

Could anyone help me? I am stuck at Bypassing Other Blacklisted Characters of command injection.

I tried a lot of combinations to bypass the input validation using Environment Variables. But none of them brings me the return of the commands, for example: ${SESSION_MANAGER:0:1}${SHELL:7:1}${PATH:0:5}. I tried that on my terminal, and it works on my local machine.

I need to know how to get the return of these commands in Burp Suite, since they are bypassing the filter once ping returns.

I already tried other things that are presented in the module like {ls, -la} or \n %0a; again ping runs, but no return of the command execution.

Hello. It is not mandatory that your env on the local machine is the same as AIM’s one. Hint: look into aim’s env and then play simpler.

I think it’s too late, but here you are:

We’ve discovered that with ${LS_COLORS:10:1}, we can generate a semicolon (;).

Now, the hint from the question says, “Use the PATH environment variable along with the injection character you identified earlier.”

Having completed the previous task, we now understand that we need to use %0a for “New Line” along with {ls, -la}.

Now, we need to combine everything we’ve learned along this path.

  • ${LS_COLORS:10:1} = ;

  • %0a = New line (\n)

  • {ls,-la} = ls -la

  • ${IFS} = Tab + Space

  • ${PATH:0:1} = /

  • Home = Directory

*** this is the full script

ip=127.0.0.1${LS_COLORS:10:1}%0a{ls,-la}${IFS}${PATH:0:1}home

5 Likes
  • ${LS_COLORS:10:1} = ; this is not needed in your query, it’s confusing, because the injection is actually made by new line = \n.

Your script flows well. Double-check the newline %0a placement to avoid breaking the command chain.
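
An added example, not part of any post in this thread: the payload quoted above contains none of the characters a typical character blacklist looks for, which is why the filter lets it through, while parsing the parameter as an IP address rejects it outright. The blacklist contents, the function names and the ping arguments are assumptions made for illustration; the module's real filter is not shown in the thread.

```python
import ipaddress
import re
from urllib.parse import unquote

# Payload quoted from the thread, in the URL-encoded form sent in the request.
THREAD_PAYLOAD = "127.0.0.1${LS_COLORS:10:1}%0a{ls,-la}${IFS}${PATH:0:1}home"

# Assumed blacklist (hypothetical); the real filter is not shown in the thread.
ASSUMED_BLACKLIST = [";", "&", "|", " ", "/", "\\"]

# Shell constructs the thread relies on to rebuild filtered characters.
SUSPICIOUS = {
    "variable expansion": re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*(:\d+(:\d+)?)?\}"),
    "brace expansion": re.compile(r"\{[^{}\s]+(,[^{}]*)+\}"),
    "line break": re.compile(r"[\r\n]"),
}


def blacklist_accepts(raw):
    """Character blacklist: accepts anything lacking the listed characters."""
    value = unquote(raw)
    return not any(ch in value for ch in ASSUMED_BLACKLIST)


def detect(raw):
    """Names of shell constructs found in the decoded parameter, for logging."""
    value = unquote(raw)
    return [name for name, rx in SUSPICIOUS.items() if rx.search(value)]


def ping_argv(raw):
    """Allow-list: parse as an IP address, then build an argv list (no shell)."""
    addr = ipaddress.ip_address(unquote(raw))  # ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


if __name__ == "__main__":
    print("blacklist accepts payload:", blacklist_accepts(THREAD_PAYLOAD))
    print("constructs detected:", detect(THREAD_PAYLOAD))
    try:
        ping_argv(THREAD_PAYLOAD)
    except ValueError as exc:
        print("allow-list rejects payload:", exc)
    print("argv for a valid address:", ping_argv("127.0.0.1"))
```

The argv list is meant to be handed to a process API that takes an argument vector, so no shell ever expands ${...}, braces or newlines.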