This one blew my mind. An old trick applied in a new way: Shell brace expansion. Simplify your payloads and filter bypass for command execution. No need for spaces or input field separators.
$ file m.{exe,dll}
m.exe: PE32+ executable (console) x86-64, for MS Windows
m.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
$ {which,-a,curl}
/usr/bin/curl
/bin/curl
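You have likely used shell brace expansion to run one command on multiple arguments. The trick is to include the command itself in the brace expansion, so that a single word containing no whitespace expands into the command and its arguments. Learned this the other night from @ippsec.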
This is much cleaner than fuzzing character encoding or splitting the command with ${IFS}.
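From the defender's side, the session above shows why a blocklist on spaces and ${IFS} does not stop this input. The sketch below is an added example, not code from the original post; the function names and sample log lines are constructed for illustration. It compares such a blocklist with an allowlist and flags command lines whose first word is built by a brace list.

```sh
# Added example (POSIX sh); function names and sample data are constructed.

# Blocklist of the kind the post describes: rejects whitespace and IFS.
blocklist_ok() {
    case $1 in
        *[[:space:]]*|*IFS*) return 1 ;;
    esac
    return 0
}

# Allowlist for a hostname-style value: non-empty, no leading '-',
# and only letters, digits, '.', '_' and '-'.
allowlist_ok() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True when the first word of a command line contains a {a,b} list,
# i.e. the command name itself comes out of brace expansion.
brace_in_command_word() {
    line=${1#"${1%%[![:space:]]*}"}   # strip leading whitespace
    word=${line%%[[:space:]]*}        # keep the first word
    case $word in
        *\{*,*\}*) return 0 ;;
    esac
    return 1
}

# Count flagged lines in a command log read from stdin.
count_flagged() {
    n=0
    while IFS= read -r entry; do
        if brace_in_command_word "$entry"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed log; lines 2 and 3 are the commands shown in the post.
sample_log() {
    cat <<'EOF'
which -a curl
{which,-a,curl}
file m.{exe,dll}
  {which,-a,curl}
EOF
}
sample_log | count_flagged
```

In bash, brace expansion runs before parameter expansion, so input passed as a quoted argument ("$arg") stays literal. It is expanded only when the input is pasted into text that a shell then parses, such as eval or sh -c.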
Using the Metasploit encoder: