Command Injections

Injection Operator Injection Character URL-Encoded Character Executed Command

Injection Operator	Injection Character	URL-Encoded Character	Executed Command
Semicolon	`;`	`%3b`	Both
New Line	`\n`	`%0a`	Both
Background	`&`	`%26`	Both (second output generally shown first)
Pipe	`\|`	`%7c`	Both (only second output is shown)
AND	`&&`	`%26%26`	Both (only if first succeeds)
OR	`\|\|`	`%7c%7c`	Second (only if first fails)
Sub-Shell	``	`%60%60`	Both (Linux-only)
Sub-Shell	`$()`	`%24%28%29`	Both (Linux-only)

Semicolon

;

%3b

Both

New Line

\n

%0a

Both

Background

&

%26

Both (second output generally shown first)

Pipe

|

%7c

Both (only second output is shown)

AND

&&

%26%26

Both (only if first succeeds)

||

%7c%7c

Second (only if first fails)

Sub-Shell

%60%60

Both (Linux-only)

Sub-Shell

$()

%24%28%29

Both (Linux-only)

Bypass filters :

${PATH:0:1} -> /
echo ${LS_COLORS:10:1} -> ;

Last updated 11 months ago