Shell on slightlymorehttps://slightlymore.co.uk/tags/shell/Recent content in Shell on slightlymoreHugoen-GB<a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license">CC BY 4.0</a> by Clinton MontagueSat, 10 Jan 2026 10:52:01 +0000Techniques for bypassing blocklist words for command injectionshttps://slightlymore.co.uk/techniques-for-bypassing-blocklist-words-for-command-injections/Thu, 08 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/techniques-for-bypassing-blocklist-words-for-command-injections/<h2 id="inserting-noop-characters">Inserting noop characters</h2> <p>Quotes (even number of non-mixed) will be ignored by bash. <code>$ c'a't</code> becomes <code>$ cat</code>. Similar for <code>$ c&quot;a&quot;t</code></p> <p>Backslashing chars (other than <code>\n</code> etc, obs) will have no effect. <code>$ c\at</code> becomes <code>$ cat</code>.</p> <p>Use the positional param character <code>$ c$@at</code> becomes <code>$ cat</code></p> <h2 id="manipulate-the-characters">Manipulate the characters</h2> <p><code>$(rev&lt;&lt;&lt;'tac')</code> becomes <code>cat</code>. Experiment with other things like rot13.</p> <h2 id="encode-the-command">Encode the command</h2> <p><code>$(base64 -d&lt;&lt;&lt;&quot;Y2F0Cg==&quot;)</code> becomes <code>cat</code></p>Techniques for bypassing blocklisted characters for command injectionshttps://slightlymore.co.uk/techniques-for-bypassing-blocklisted-characters-for-command-injections/Thu, 08 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/techniques-for-bypassing-blocklisted-characters-for-command-injections/<h2 id="whitespace">Whitespace</h2> <ul> <li><code>%0a</code>: newline</li> <li><code>%20</code>: space</li> <li><code>%09</code>: tab</li> <li><code>${IFS}</code>: <a href="https://en.wikipedia.org/wiki/Input_Field_Separators" target="_blank" rel="noopener">Input Field Separators ↗️</a> (typically space, tab, newline)</li> <li>bash bracket expansion: <code>{ls,-la}</code> turns into <code>ls -la</code></li> </ul> <h2 id="special-characters">Special characters</h2> <ul> <li>forward slash: <code>echo ${PATH:0:1}</code></li> <li>semicolon: <code>echo ${LS_COLORS:10:1}</code></li> <li>pipe: try using <code>&lt;&lt;&lt;</code></li> </ul> <h2 id="shifting-characters">Shifting characters</h2> <p>This command will shift a letter one to the right <code>echo $(tr '!-}' '&quot;-~'&lt;&lt;&lt;[)</code>. e.g. <code>~</code> becomes <code>!</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">shift_generator<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">shift</span><span class="o">=</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">char</span><span class="o">=</span><span class="nv">$2</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">second_start</span><span class="o">=</span><span class="k">$((</span><span class="m">33</span> <span class="o">+</span> <span class="nb">shift</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">second_end</span><span class="o">=</span><span class="k">$((</span><span class="m">33</span> <span class="o">+</span> <span class="nb">shift</span> <span class="o">-</span> <span class="m">1</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;echo \$(tr &#39;\\!-~&#39; &#39;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;%b-~\\!-%b&#39;</span> <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;\\%03o&#39;</span> <span class="nv">$second_start</span><span class="k">)</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">printf</span> <span class="s1">&#39;\\%03o&#39;</span> <span class="nv">$second_end</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;&#39;&lt;&lt;&lt;&#39;%s&#39;)\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$char</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># usage</span> </span></span><span class="line"><span class="cl">shift_generator <span class="m">1</span> <span class="s2">&#34;~&#34;</span> </span></span></code></pre></div><h2 id="tooling">Tooling</h2> <p>For more advanced obfuscation you can consider tools such as:</p>