princebot/command-injection.sh

## command-injection.sh
# This is my stream-of-consciousness attempt to figure out why
# https://twitter.com/asdizzle_/status/890496680495374336 works.
#
# As the tweet says, many validator techniques (filters and WAFs?) prohibit
# spaces, $, {, or } and such. This uses shell-fu to get around that by using
# command substitution (the backticks).
#
# Basically, everything in backticks is evaluated before the shell executes
# the "real" command, uname.
#
# It uses a here-string to send a command to PHP interpreter; the result of
# the PHP command becomes the arguments/options for uname.
#
# Note: It uses backticks instead of $() for substitution, and instead of the
# shell's syntax for escape-string-literals — $'' — because dollar sign is
# expected to be a prohibited character.

# Command in example is uname`cat<<<'<?="\x20"?>'|php`-a
# The result is uname -a

# Breakdown:
# uname does not take any arguments, only short options, e.g., -a
uname
    # start a command substitution
    `cat<<<
    # <<< starts a string substitution, which evaluates a string or variable
    # and uses it as input to a command. the string we're substituting is the
    # ASCII code for a space: \x20 = hex 20 = 32 = space.
    '<?="\x20"?>'
    # cat sends the output of command to php, which evaluates the above as a
    # space and prints it; this becomes the result of the command substitution.
    |php`
-a

# Another example: uname`cat<<<'<?="\x2d\x61"?>'|php`
# This also resolves to uname -a. The only difference is this version uses PHP
# to generate the space, the dash, AND the a.
#
# You can do the same with any escape codes you can pipe through PHP.
	# This is my stream-of-consciousness attempt to figure out why
	# https://twitter.com/asdizzle_/status/890496680495374336 works.
	#
	# As the tweet says, many validator techniques (filters and WAFs?) prohibit
	# spaces, $, {, or } and such. This uses shell-fu to get around that by using
	# command substitution (the backticks).
	#
	# Basically, everything in backticks is evaluated before the shell executes
	# the "real" command, uname.
	#
	# It uses a here-string to send a command to PHP interpreter; the result of
	# the PHP command becomes the arguments/options for uname.
	#
	# Note: It uses backticks instead of $() for substitution, and instead of the
	# shell's syntax for escape-string-literals — $'' — because dollar sign is
	# expected to be a prohibited character.

	# Command in example is uname`cat<<<'<?="\x20"?>'\|php`-a
	# The result is uname -a

	# Breakdown:
	# uname does not take any arguments, only short options, e.g., -a
	uname
	# start a command substitution
	`cat<<<
	# <<< starts a string substitution, which evaluates a string or variable
	# and uses it as input to a command. the string we're substituting is the
	# ASCII code for a space: \x20 = hex 20 = 32 = space.
	'<?="\x20"?>'
	# cat sends the output of command to php, which evaluates the above as a
	# space and prints it; this becomes the result of the command substitution.
	\|php`
	-a

	# Another example: uname`cat<<<'<?="\x2d\x61"?>'\|php`
	# This also resolves to uname -a. The only difference is this version uses PHP
	# to generate the space, the dash, AND the a.
	#
	# You can do the same with any escape codes you can pipe through PHP.