Quotes and expansions

Quotes

In payloads, double quotes and single quotes are used to enclose strings, and they have different effects on how Bash interprets the enclosed text.

Double quotes (") allow Bash to interpret certain characters within the enclosed text, including variables, command substitutions, and backslashes. When a variable or command substitution appears inside double quotes, Bash expands it and replaces it with its value before executing the command. For example:

$ greeting="Hello"
$ echo "$greeting, world!"
Hello, world!

$ echo "The time is $(date +%H:%M:%S)."
The time is 12:30:45.

Single quotes ('), on the other hand, prevent Bash from interpreting any special characters within the enclosed text, and the text is treated literally. This means that variables and command substitutions are not expanded, and backslashes are treated as regular characters. For example:

$ greeting="Hello"
$ echo '$greeting, world!'
$greeting, world!

$ echo 'The time is $(date +%H:%M:%S).'
The time is $(date +%H:%M:%S).

In summary, double quotes allow for variable and command substitution, while single quotes preserve the exact string as-is without any interpretation.

Expansion

Variable expansion is a feature in payloads that allows you to reference the value of a variable in your commands or scripts. When you use a variable in a command, Bash replaces the variable name with its value before executing the command. Variable expansion is one of the most important features in payload scripting, as it allows you to create flexible and dynamic scripts that can handle different inputs and scenarios.

To reference a variable in Bash, you need to precede the variable name with a dollar sign $. For example, if you have a variable called name, you can reference it in a command like this:

$ name="John"
$ echo "Hello, $name!"
Hello, John!

In this example, the variable $name is expanded to its value ("John") before the echo command is executed. The result is that the string "Hello, John!" is printed to the terminal.

Variables may also be encased in curly braces ({}), such as in:

$ name="Suzy"
$ echo "Hello, ${name}!"
Hello, Suzy!

Curly braces help tell Bash where the end of the variable name is; for instance the code:

$ name="Banana"
$ echo "$nameFoFana"

This will print an empty line - there is no variable named nameFoFana. However, with the use of curly braces around the variable name:

$ name="Banana"
$ echo "${name}FoFana"

We will now get what we expect: BananaFoFana.

Curly braces are also mandatory when expanding array variables, positional variables for function arguments above 9, such as ${10}, ${11}, and so on, and for parameter expansion with replacement.

Parameter Expansion

Parameter expansion allows manipulation of the content of variables without using external tools at all. Some useful parameter options include:

Substrings

Substring slicing allows manipulating the content of variables directly:

name="John"
echo "${name}"
echo "${name/J/j}"    # Prints "john" (substituting 'j' for 'J')
echo "${name:0:2}"    # Prints "Jo" (slicing a string from 0 to 2)
echo "${name::2}"     # Prints "Jo" (slicing the first 2 characters)
echo "${name::-1}"    # Prints "Joh" (removing the last character)
echo "${name:(-2)}"   # Prints "hn" (slicing from right)

Path manipulation

Pattern matching can be used to directly manipulate paths:

data="/usb/squirrel/data/foo.txt"
echo "${data%.txt}"    # Prints /usb/squirrel/data/foo
echo "${data%/*}"      # Prints /usb/squirrel/data

echo "${data##*.}"     # Prints txt (the file extension)
echo "${data##*/}"     # Prints foo.txt (just the file name)

String manipulation

String case can be changed easily as well:

hack="HACK THE PLANET!"
echo "${hack,}"   # Prints "hACK THE PLANET!" (lowercases the first letter)
echo "${hack,,}"  # Prints "hack the planet!" (all lowercase)

hack="hack the planet!"
echo "${hack^}"   # Prints "Hack the planet!" (uppercase first letter)
echo "${hack^^}"  # Prints "HACK THE PLANET!" (all uppercase)

Command expansion

You can execute a command and obtain the output by using the $( ) syntax. For example:

$ now=$(date)
$ echo "$now"
Mon Apr 17 08:44:56 PM EDT 2023

This can be used to get the output of any command.

Arithmetic expansion

You can also perform arithmetic operations within the variable expansion, using the $(( )) syntax. For example:

$ x=5
$ y=10
$ echo "The sum of $x and $y is $((x + y))."
The sum of 5 and 10 is 15.

In this example, the $((x + y)) expression is evaluated to 15 before the echo command is executed. The result is that the string "The sum of 5 and 10 is 15." is printed to the terminal.

Variable expansion can be very useful in payloads, as it allows you to use variables to store and manipulate data, and reference that data later in your scripts. By combining variables with other features like conditionals and loops, you can create powerful and flexible scripts that can automate complex tasks.