From c2d1ab5364c88563bdc19f31b92859d1abb45d5e Mon Sep 17 00:00:00 2001
From: stasinopoulos
Date: Fri, 9 Apr 2021 09:32:00 +0300
Subject: [PATCH] Added a new tamper script "slash2env.py" that replaces slashes ("/") with environment variable value "${PATH%%u*}"
---
 doc/CHANGELOG.md | 1 +
 src/core/injections/controller/checks.py | 15 ++++++-
 src/core/tamper/slash2env.py | 56 ++++++++++++++++++++++++
 src/utils/settings.py | 5 ++-
 4 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 src/core/tamper/slash2env.py
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index 55c61fce7b..49e03b8530 100755
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -1,4 +1,5 @@
 ## Version 3.2 (upcoming)
+* Added: New tamper script "slash2env.py" that replaces slashes ("/") with environment variable value "${PATH%%u*}" (for *nix targets).
 * Revised: Minor improvement regarding session handler for supporting Python 3.4+.
 * Revised: Minor improvement regarding `--web-root` option.
 * Added: New tamper script "uninitializedvariable.py" that adds uninitialized bash variables between the characters of each command of the generated payloads (for *nix targets).
diff --git a/src/core/injections/controller/checks.py b/src/core/injections/controller/checks.py
index e5a977b729..0e67a87abe 100755
--- a/src/core/injections/controller/checks.py
+++ b/src/core/injections/controller/checks.py
@@ -1050,6 +1050,16 @@ def other_symbols(payload):
 from src.core.tamper import uninitializedvariable payload = uninitializedvariable.tamper(payload) + # Check for environment variable value variable + if payload.count("${PATH%%u*}") >= 2: + if not settings.TAMPER_SCRIPTS['slash2env']: + if menu.options.tamper: + menu.options.tamper = menu.options.tamper + ",slash2env" + else: + menu.options.tamper = "slash2env" + from src.core.tamper import slash2env + payload = slash2env.tamper(payload) + """ Check for (multiple) added back slashes between the characters of the generated payloads. """ 
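Review bot: The marker `"${PATH%%u*}"` is hard-coded in `if payload.count("${PATH%%u*}") >= 2:` and again inside slash2env.py's add_slash2env, so the detection here and the replacement there can drift apart if either is edited; defining it once in the tamper module (e.g. `SLASH_SUBSTITUTE = "${PATH%%u*}"`, a constructed name) and referencing it from both places keeps them in step. The `>= 2` threshold is unexplained — if two occurrences are what distinguishes an already-transformed payload from an incidental match, a comment saying so would help the next reader, and the added comment `# Check for environment variable value variable` looks like a typo for `# Check for environment variable value`. The enclosing function other_symbols starts before this hunk and continues after it.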
@@ -1178,9 +1188,12 @@ def perform_payload_modification(payload):
 from src.core.tamper import sleep2usleep
 payload = sleep2usleep.tamper(payload)
 # Add uninitialized variable.
- elif encode_type == 'uninitializedvariable':
+ if encode_type == 'uninitializedvariable':
 from src.core.tamper import uninitializedvariable
 payload = uninitializedvariable.tamper(payload)
+ if encode_type == 'slash2env':
+ from src.core.tamper import slash2env
+ payload = slash2env.tamper(payload)
 # Add double-quotes.
 if encode_type == 'doublequotes':
 from src.core.tamper import doublequotes
diff --git a/src/core/tamper/slash2env.py b/src/core/tamper/slash2env.py
new file mode 100644
index 0000000000..144198e69d
--- /dev/null
+++ b/src/core/tamper/slash2env.py
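Review bot: The new `if encode_type == 'slash2env':` branch repeats the import-then-`.tamper(payload)` shape of every neighbouring branch, and turning the uninitializedvariable test from `elif` into `if` leaves the run as a flat list of independent comparisons, which is the point at which a lookup reads better than the chain. If every key of `settings.TAMPER_SCRIPTS` names a module under src/core/tamper (the keys visible in this commit do, but the full dict is not in view), the chain collapses to `if encode_type in settings.TAMPER_SCRIPTS:` followed by `payload = importlib.import_module("src.core.tamper." + encode_type).tamper(payload)`, with `importlib` added to the file's imports; keeping the membership test against that dict is what stops a `--tamper` value from naming an arbitrary module. The enclosing function perform_payload_modification starts before this hunk and continues after it.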
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# encoding: UTF-8
+
+"""
+This file is part of Commix Project (https://commixproject.com).
+Copyright (c) 2014-2021 Anastasios Stasinopoulos (@ancst).
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+For more see the file 'readme/COPYING' for copying permission.
+"""
+
+import sys
+from src.utils import settings
+
+"""
+About: Replaces slashes (/) with environment variable value "${PATH%%u*}".
+Notes: This tamper script works against *nix targets.
+Reference: https://www.secjuice.com/bypass-strict-input-validation-with-remove-suffix-and-prefix-pattern/
+"""
+
+__tamper__ = "slash2env"
+
+if not settings.TAMPER_SCRIPTS[__tamper__]:
+ settings.TAMPER_SCRIPTS[__tamper__] = True
+
+def tamper(payload):
+ def add_slash2env(payload):
+ settings.TAMPER_SCRIPTS[__tamper__] = True
+ payload = payload.replace("/", "${PATH%%u*}")
+ return payload
+
+ if settings.TARGET_OS != "win":
+ if settings.EVAL_BASED_STATE != False:
+ if settings.TRANFROM_PAYLOAD == None:
+ settings.TRANFROM_PAYLOAD = False
+ warn_msg = "The dynamic code evaluation technique, does not support the '"+ __tamper__ +".py' tamper script."
+ sys.stdout.write("\r" + settings.print_warning_msg(warn_msg))
+ sys.stdout.flush()
+ print
+ else:
+ settings.TRANFROM_PAYLOAD = True
+ if settings.TRANFROM_PAYLOAD:
+ payload = add_slash2env(payload)
+
+ else:
+ if settings.TRANFROM_PAYLOAD == None:
+ settings.TRANFROM_PAYLOAD = False
+ warn_msg = "Windows target host(s), does not support the '"+ __tamper__ +".py' tamper script."
+ sys.stdout.write("\r" + settings.print_warning_msg(warn_msg))
+ sys.stdout.flush()
+ print
+
+ return payload
+
\ No newline at end of file
diff --git a/src/utils/settings.py b/src/utils/settings.py
index c65346cbc2..ae481bb329 100755
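Review bot: The bare `print` after each `sys.stdout.flush()` is a no-op on Python 3 (it only evaluates the builtin), so the newline presumably meant to terminate the `\r`-prefixed warning is never written on the Python 3.4+ interpreters the changelog says are supported; `print("")` behaves the same on Python 2 and 3 and fixes both branches. The two `settings.TRANFROM_PAYLOAD == None` tests are conventionally written `is None`, while `settings.EVAL_BASED_STATE != False` can become `is not False` only if that setting is strictly boolean, which this file does not show. tamper() has no docstring; a short one should state that the payload is returned unchanged on Windows targets or when TRANFROM_PAYLOAD ends up False, that every "/" is replaced otherwise, and that settings.TRANFROM_PAYLOAD and settings.TAMPER_SCRIPTS[__tamper__] are mutated as side effects. Importing the module also flips settings.TAMPER_SCRIPTS[__tamper__] at import time, which deserves a comment since the new code in checks.py reads that flag, and the file ends with a whitespace-only line and no trailing newline.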
--- a/src/utils/settings.py
+++ b/src/utils/settings.py
@@ -203,7 +203,7 @@ def sys_argv_errors():
 DESCRIPTION_FULL = "Automated All-in-One OS Command Injection Exploitation Tool"
 DESCRIPTION = "The command injection exploiter"
 AUTHOR = "Anastasios Stasinopoulos"
-VERSION_NUM = "3.2.97"
+VERSION_NUM = "3.2.98"
 STABLE_VERSION = False
 if STABLE_VERSION:
 VERSION = "v" + VERSION_NUM[:3] + "-stable"
@@ -870,7 +870,8 @@ def sys_argv_errors():
 "sleep2timeout": False,
 "xforwardedfor": False,
 "dollaratsigns": False,
- "uninitializedvariable": False
+ "uninitializedvariable": False,
+ "slash2env":False
 } # HTTP Errors