Command Injections
To inject an additional command to the intended one, we may use any of the following operators:
Injection Operator
Injection Character
URL-Encoded Character
Executed Command
Semicolon
;
%3b
Both
New Line
%0a
Both
Background
&
%26
Both (second output generally shown first)
Pipe
|
%7c
Both (only second output is shown)
AND
&&
%26%26
Both (only if first succeeds)
OR
||
%7c%7c
Second (only if first fails)
Sub-Shell
``
%60%60
Both (Linux-only)
Sub-Shell
$()
%24%28%29
Both (Linux-only)
In addition to the above, there are a few unix-only operators, that would work on Linux and macOS, but would not work on Windows, such as wrapping our injected command with double backticks (``) or with a sub-shell operator ($()).
In general, for basic command injection, all of these operators can be used for command injections regardless of the web application language, framework, or back-end server. So, if we are injecting in a PHP web application running on a Linux server, or a .Net web application running on a Windows back-end server, or a NodeJS web application running on a macOS back-end server, our injections should work regardless.
The only exception may be the semi-colon ;, which will not work if the command was being executed with Windows Command Line (CMD), but would still work if it was being executed with Windows PowerShell.
Last updated