Conversation

@0liverFlow
Contributor

No description provided.

@0liverFlow 0liverFlow closed this Oct 7, 2025
@0liverFlow 0liverFlow reopened this Oct 7, 2025
Final version after applying the bot's modifications

- Identify and assess the command injection points.
- Identify and assess command injection points.
- Bypass special characters and OS commands filters.
Collaborator


Either commands or filters should be singular; they shouldn't both be plural.

- Bypass special characters and OS commands filters.

## How to Test

Collaborator


Revert

In this case, we have successfully performed an OS injection attack.

## Special Characters for Command Injection

Collaborator


Revert

- `cmd1&cmd2` : cmd2 will be executed whether cmd1 succeeds or not.

Note that, `;` will work on Unix-based systems and PowerShell. However, it will not work on Windows Command Prompt (cmd).
Furthermore, you can use Bash command substitution `$(cmd)` or ``cmd`` to execute commands on Unix-based systems.
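Review bot: the comma after "Note that" in the line beginning "Note that, `;` will work" is stray; the sentence should read "Note that `;` will work on Unix-based systems and PowerShell." The `cmd1&cmd2` line above it is correct as written.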
Collaborator


Double backtick doesn't do what you're after. You'll have to look up how to escape them, or use HTML Entities.

Contributor Author


I used HTML entities

Comment on lines 119 to 120
## Filter Evasion
To prevent OS command injection, web developers often use filters. However, these filters are sometimes not properly implemented which allows attackers to bypass them.
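Review bot: the relative clause in "not properly implemented which allows attackers to bypass them" needs a comma before "which", or can be reworded as "these filters are sometimes not properly implemented, allowing attackers to bypass them."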
Collaborator


Needs a blank line


#### Character Insertion
Characters like `\`; `$@`, `'` can be inserted to Linux OS commands without affecting the normal execution of the command.
For example, `who\ami`, `w$@hoami` or `wh'o'ami` will all execute the `whoami` command
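Review bot: in "Characters like `\`; `$@`, `'`" the semicolon after the first item should be a comma so the three characters read as one list, "inserted to Linux OS commands" should be "inserted into Linux OS commands", and the sentence ending "will all execute the `whoami` command" is missing its terminating period.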
Collaborator


Suggested change
For example, `who\ami`, `w$@hoami` or `wh'o'ami` will all execute the `whoami` command
For example, `who\ami`, `w$@hoami`, or `wh'o'ami` will all execute the `whoami` command


The URL and form data needs to be sanitized for invalid characters. A deny list of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. An allow list containing only allowable characters or command list should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.
The URL's query parameters and form data need to be validated and sanitized to prevent the injection of malicious characters.
A blacklist of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet.
Collaborator


blocklist

The URL and form data needs to be sanitized for invalid characters. A deny list of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. An allow list containing only allowable characters or command list should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.
The URL's query parameters and form data need to be validated and sanitized to prevent the injection of malicious characters.
A blacklist of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet.
A whitelist containing only authorized characters or commands should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.
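Review bot: the closing sentence "Characters that were missed, as well as undiscovered threats, should be eliminated by this list" leaves the mechanism implicit; suggest stating it directly, e.g. "Because an allowlist rejects any character or command that is not explicitly permitted, it also covers characters that a blocklist would have missed."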
Collaborator


An allowlist

0liverFlow and others added 4 commits October 7, 2025 10:59
…n_Testing/12-Testing_for_Command_Injection.md

Co-authored-by: Rick M <[email protected]>
…n_Testing/12-Testing_for_Command_Injection.md

Co-authored-by: Rick M <[email protected]>
…n_Testing/12-Testing_for_Command_Injection.md

Co-authored-by: Rick M <[email protected]>
@kingthorin kingthorin added the revise Needs quality review, updates, or revision label Oct 8, 2025