https://slightlymore.co.uk/tags/hacking/Recent content in Hacking on slightlymoreHugoen-GB<a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license">CC BY 4.0</a> by Clinton MontagueSun, 25 Jan 2026 00:14:01 +0000https://slightlymore.co.uk/techniques-for-bypassing-blocklisted-characters-for-command-injections/Thu, 08 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/techniques-for-bypassing-blocklisted-characters-for-command-injections/<h2 id="whitespace">Whitespace</h2> <ul> <li><code>%0a</code>: newline</li> <li><code>%20</code>: space</li> <li><code>%09</code>: tab</li> <li><code>${IFS}</code>: <a href="https://en.wikipedia.org/wiki/Input_Field_Separators" target="_blank" rel="noopener">Input Field Separators ↗️</a> (typically space, tab, newline)</li> <li>bash bracket expansion: <code>{ls,-la}</code> turns into <code>ls -la</code></li> </ul> <h2 id="special-characters">Special characters</h2> <ul> <li>forward slash: <code>echo ${PATH:0:1}</code></li> <li>semicolon: <code>echo ${LS_COLORS:10:1}</code></li> <li>pipe: try using <code>&lt;&lt;&lt;</code></li> </ul> <h2 id="shifting-characters">Shifting characters</h2> <p>This command will shift a letter one to the right <code>echo $(tr '!-}' '&quot;-~'&lt;&lt;&lt;[)</code>. e.g. <code>~</code> becomes <code>!</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">shift_generator<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">shift</span><span class="o">=</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">char</span><span class="o">=</span><span class="nv">$2</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">second_start</span><span class="o">=</span><span class="k">$((</span><span class="m">33</span> <span class="o">+</span> <span class="nb">shift</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">second_end</span><span class="o">=</span><span class="k">$((</span><span class="m">33</span> <span class="o">+</span> <span class="nb">shift</span> <span class="o">-</span> <span class="m">1</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;echo \$(tr &#39;\\!-~&#39; &#39;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%b-~\\!-%b&#39;</span> <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;\\%03o&#39;</span> <span class="nv">$second_start</span><span class="k">)</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;\\%03o&#39;</span> <span class="nv">$second_end</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;&#39;&lt;&lt;&lt;&#39;%s&#39;)\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$char</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># usage</span> </span></span><span class="line"><span class="cl">shift_generator <span class="m">1</span> <span class="s2">&#34;~&#34;</span> </span></span></code></pre></div><h2 id="tooling">Tooling</h2> <p>For more advanced obfuscation you can consider tools such as:</p>https://slightlymore.co.uk/fuzzing-tools/Sat, 27 Dec 2025 00:00:00 +0000https://slightlymore.co.uk/fuzzing-tools/<h2 id="some-example-ffuf-commands">Some example <code>ffuf</code> commands</h2> <p>In each case, <code>FUZZ</code> is the placeholder for word replacement.**</p> <h3 id="fuzzing-for-specific-extensions">Fuzzing for specific extensions</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf <span class="se">\ </span></span></span><span class="line"><span class="cl"> -w /usr/share/seclists/Discovery/Web-Content/common.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"> -u http://example.com/target_dir/FUZZ </span></span><span class="line"><span class="cl"> -e .txt,.html,.bak <span class="c1"># etc </span> </span></span></code></pre></div><h3 id="recursive-fuzzing">Recursive fuzzing</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf <span class="se">\ </span></span></span><span class="line"><span class="cl"> -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"> -u http://example.com/target_dir/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"> -recursion </span></span></code></pre></div><h3 id="fuzzing-a-post-parameter">Fuzzing a <code>POST</code> parameter</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf <span class="se">\ </span></span></span><span class="line"><span class="cl"> -w /usr/share/seclists/Discovery/Web-Content/common.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"> -u http://example.com/example.php <span class="se">\ </span></span></span><span class="line"><span class="cl"> -X POST <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Content-Type: application/x-www-form-urlencoded&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s2">&#34;y=FUZZ&#34;</span> </span></span><span class="line"><span class="cl"> -ic </span></span></code></pre></div><h3 id="fuzzing-a-get-parameter">Fuzzing a <code>GET</code> parameter</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf <span class="se">\ </span></span></span><span class="line"><span class="cl"> -w /usr/share/seclists/Discovery/Web-Content/common.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"> -u http://example.com/example.php?x<span class="o">=</span>FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"> -ic </span></span></code></pre></div><h2 id="references">References</h2> <ul> <li><a href="https://slightlymore.co.uk/brute-forcing-subdomain-enumeration">Brute forcing subdomain enumeration 🌿</a> </li> </ul>https://slightlymore.co.uk/useful-search-engines/Thu, 27 Nov 2025 00:00:00 +0000https://slightlymore.co.uk/useful-search-engines/<h2 id="meta-search">Meta search</h2> <ul> <li><a href="https://www.kagi.com" target="_blank" rel="noopener">Kagi ↗️</a> premium (paid for and ad-free) search prioritising privacy and user experience. Reminiscent of the good-old-days</li> <li><a href="https://github.com/searxng/searxng" target="_blank" rel="noopener">SearXNG ↗️</a> self-hostable, open-source metasearch engine that aggregates results from 200+ engines. There are hosted versions but privacy or veracity is not guaranteed</li> </ul> <h2 id="specialist">Specialist</h2> <ul> <li><a href="https://www.virustotal.com/" target="_blank" rel="noopener">Virus Total ↗️</a> meta engine for checking files and their hashes against virus databases</li> <li><a href="https://www.shodan.io/" target="_blank" rel="noopener">Shodan ↗️</a> is an engine to find devices connected to the internet</li> <li><a href="https://search.censys.io/" target="_blank" rel="noopener">Censys ↗️</a> searches hosts, IPs, certificates</li> </ul> <h2 id="exploits-and-cve-databases">Exploits and CVE databases</h2> <ul> <li><a href="https://www.exploit-db.com/" target="_blank" rel="noopener">ExploitDB ↗️</a> </li> <li><a href="https://www.rapid7.com/db/" target="_blank" rel="noopener">Rapid7 ↗️</a> </li> <li><a href="https://www.vulnerability-lab.com/" target="_blank" rel="noopener">Vulnerability Lab ↗️</a> </li> <li><a href="https://nvd.nist.gov/search" target="_blank" rel="noopener">NIST NVD ↗️</a> </li> <li><a href="https://gtfobins.github.io/" target="_blank" rel="noopener">GTFOBins ↗️</a> </li> <li><a href="https://cirt.net/passwords/" target="_blank" rel="noopener">Default password database ↗️</a> </li> </ul>