Command Injection
Command injection is a vulnerability that allows the execution of arbitrary commands on the host server, potentially leading to unauthorized access, data theft, or system compromise.
Chaining and Invoking
Combining commands can be achieved (on both, Windows and Linux systems) using these operators
Its also possible to inject command via command substitution, where the output of a command is captured and used in another context
Bypasses
Space Bypass
It is possible to use the Internal Field Separator $IFS
to avoid using spaces on commands
Blacklisted Words
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection https://book.hacktricks.xyz/pentesting-web/command-injection
Last updated