Let's say there is a Host Checker application where a user can input an IP address and the back-end server executes ping -c 1 USER_INPUT.
Instead of supplying a plain IP address such as 127.0.0.1, we can inject 127.0.0.1; whoami so that both the original and the injected command are executed.
AND Operator
Both the original and the injected command get executed, because && runs the second command only when the first one succeeds:
```
ping -c 1 127.0.0.1 && whoami
```
OR Operator
The OR operator only executes the second command if the first command fails to execute.
The command below executes only the first command and ignores the whoami command:
```
21y4d@htb[/htb]$ ping -c 1 127.0.0.1 || whoami
```
However, the command below runs whoami, since the first part of the command is broken and fails:
```
21y4d@htb[/htb]$ ping -c 1 || whoami
ping: usage error: Destination address required
21y4d
```
Below is a list of the most common operators that can be used for injections:

| Injection Type | Operators |
|---|---|
| SQL Injection | ' , ; -- /* */ |
| Command Injection | ; && |
| LDAP Injection | * ( ) & \| |
| XPath Injection | ' or and not substring concat count |
| OS Command Injection | ; & \| |
| Code Injection | ' ; -- /* */ $() ${} #{} %{} ^ |
| Directory Traversal/File Path Traversal | ../ ..\\ %00 |
| Object Injection | ; & \| |
| XQuery Injection | ' ; -- /* */ |
| Shellcode Injection | \x \u %u %n |
| Header Injection | \n \r\n \t %0d %0a %09 |
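
A defender's view of the Host Checker example above, added here and not part of the original page: the string-concatenation pattern that lets the operators take effect, next to a hardened version that validates the input as an IP literal and runs ping without a shell. The function names and sample inputs are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Constructed sample inputs: one benign address plus the payload shapes shown above.
SAMPLES = ["127.0.0.1", "127.0.0.1; whoami", "127.0.0.1 && whoami", "|| whoami"]


def vulnerable_command(user_input: str) -> str:
    """The 'before' pattern: the string a back end would hand to a shell.

    Returned rather than executed, so the shell operators stay visible.
    """
    return "ping -c 1 " + user_input


def safe_ping_argv(user_input: str) -> list[str]:
    """Hardened pattern: validate strictly, then build an argv list.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so input
    containing ; & | or spaces raises ValueError before any process starts.
    """
    addr = ipaddress.ip_address(user_input.strip())
    return ["ping", "-c", "1", str(addr)]


def run_host_check(user_input: str) -> bool:
    """Run ping without a shell; True if the host answered."""
    argv = safe_ping_argv(user_input)
    # A list with shell=False (the default) is executed directly, so no
    # operator would be interpreted even if validation were bypassed.
    result = subprocess.run(argv, capture_output=True, timeout=5, check=False)
    return result.returncode == 0


def classify(samples: list[str]) -> dict[str, str]:
    """Map each input to 'accepted' or 'rejected' under the hardened path."""
    verdicts = {}
    for sample in samples:
        try:
            safe_ping_argv(sample)
            verdicts[sample] = "accepted"
        except ValueError:
            verdicts[sample] = "rejected"
    return verdicts


if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print(f"{verdict:8}  shell string would be: {vulnerable_command(sample)!r}")
```

Validation and shell-free execution are independent layers: either one alone stops the operators in the table's command-injection rows, and using both keeps the check safe if one is later weakened.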