Command Injection
Common Vulnerable Parameters
IP/hostname inputs: ping, nslookup, dig, traceroute, whois
File operations: backup, download, upload, convert, compress functions
System utilities: git, zip, tar, imagemagick, ffmpeg
Network tools: curl, wget, netstat
Scheduled tasks: cron expressions, at commands
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
?file={payload}
?dest={payload}
?path={payload}
?folder={payload}
?url={payload}
?source={payload}
?email={payload}
?ip={payload}
PHP Direct Functions and backtick operator
In PHP, Command Injection happens when a developer passes unsafe user input directly into a function that executes system commands.
system($cmd): Executes the command and prints the output directly to the browser.
exec($cmd, $output): Executes the command. Returns only the last line of output. If you see an array parameter (like $arr), the full output is stored there; you might need to print that array.
passthru($cmd): Similar to system() but used for binary data (like images).
shell_exec($cmd): Executes the command and returns the full output as a string. It does not print to the screen unless the code does echo shell_exec(...). You might need a Blind Injection (OOB) if you can't see the variable.
`cmd` (backticks): Exactly identical to shell_exec().
Determine the Context
Is your input inside a quoted string or not?
Injection Operators
These are the standard breakout characters. You use them to terminate the current command so that you can inject your own command after it.
Semicolon ;
Runs commands sequentially regardless of success/failure
Example:
; whoami
Usage:
ping -c 1 8.8.8.8; cat /etc/passwd
Pipe |
Passes the output of command A as input to command B
Example:
| cat /etc/passwd
Usage:
ping -c 1 8.8.8.8 | cat /etc/passwd
AND operator &&
Runs command B only if command A succeeds
Example:
&& cat /etc/passwd
Usage:
ping -c 1 8.8.8.8 && cat /etc/passwd
OR operator ||
Runs command B only if command A fails
Example:
|| cat /etc/passwd
Usage:
ping -c 1 invalid-host || cat /etc/passwd
Command Substitution $()
Executes a command and substitutes its output in place
Example:
$(whoami)
Usage:
ping -c 1 $(cat /etc/hostname) or echo $(ls)
Handle the rest of the Line
If the code appends characters after your injection (for example echo $input . " --option"), you must neutralize them.
The Hash
#: Comments out the rest of the line.
The Quote
': Turns the trailing characters into a harmless string.
The OR operator
||: Often used to ensure the shell continues even if the previous command fails, or to handle the rest of the injected string.
PHP Callback Injection
These functions don't run commands themselves. However, if you can control the arguments passed to them, you can force them to call a command function for you.
preg_replace()
Used in PHP to perform regular expression-based replacements.
Syntax:
preg_replace(pattern, replacement, subject);
If the /e modifier (or PREG_REPLACE_EVAL) is used, the replacement string is executed as PHP code before the replacement occurs.
Attack Technique
While the /e modifier may not be explicitly present in the original code, it can be injected into the regular expression pattern through user input. If user input is used directly in the preg_replace() function, attackers can manipulate requests to inject the /e modifier into the pattern, causing arbitrary PHP code execution.
The /e modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0, so this is primarily a legacy vulnerability now.
Look for regex patterns on POST requests (/).
Some payload examples:
Blind Injections
Time-based Detection
Out-of-Band (OOB) Detection
Error-based Detection
Input special characters:
' " ; | &
Python - eval()
The vulnerability arises from unsanitized user input being passed to the eval() function.
Payloads
Exploiting Curl
If you see curl being used in the User-Agent of the response you may be able to achieve command injection if the backend unsafely processes it. You may be able to:
Overwrite critical files (if they have write permissions)
Write web shells to web-accessible directories
This only works if curl is being executed through a shell (like system(), exec(), etc.), not if it's being called directly.
Test outbound connections
Set a listener and curl your host to see if you can receive connections
The -o flag allows saving the output of curl to a file. If you have access to a web path such as /uploads you may be able to call a webshell.
Filter Bypasses
${IFS} Bypass
IFS stands for Internal Field Separator. It is a variable used in Unix/Linux shells to determine how the shell splits strings into separate arguments (tokens). By default, IFS is set to the whitespace characters: space, tab, and newline.
Use ${IFS} wherever you would normally use a space.
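The following Python triage script is an added detection example, not code from the original page. It scans access-log lines for the breakout tokens listed under Injection Operators and Handle the rest of the Line, plus the ${IFS} token from this section, and raises the severity when the parameter name is one of those listed under Common Vulnerable Parameters. The log lines are constructed for the example, and the combined Apache/nginx log format is an assumption.

```python
"""Triage web-server logs for shell breakout tokens in query parameters."""
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter names this page lists as commonly wired into a shell command.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg",
    "do", "func", "arg", "option", "load", "process", "step", "read", "function",
    "req", "feature", "exe", "module", "payload", "run", "print", "file", "dest",
    "path", "folder", "url", "source", "email", "ip",
}

# Breakout tokens from the Injection Operators, rest-of-line and ${IFS} sections.
# Longer tokens come first so "&&" is reported once, not again as "&".
TOKENS = ["${IFS}", "&&", "||", "$(", "`", ";", "|", "&", "#", "'", "\n"]

# Constructed sample log (assumption: combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /ping.php?ip=8.8.8.8;id HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ping.php?ip=8.8.8.8%7C%7Cid%20%23 HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=cats&page=2 HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /backup.php?file=a.txt$%7BIFS%7Dcat$%7BIFS%7D/etc/passwd HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


def find_tokens(value):
    """Return the breakout tokens present in a decoded parameter value.
    Each matched token is blanked out before shorter ones are tested so
    that '||' is not also reported as '|'."""
    found = []
    work = value
    for tok in TOKENS:
        if tok in work:
            found.append(tok)
            work = work.replace(tok, " ")
    return found


def parse_query(raw_query):
    """Split a raw query string on '&' and decode afterwards, so an
    encoded '%26' stays inside its value instead of acting as a separator."""
    pairs = []
    for part in raw_query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_log(log_text):
    """Return one finding per parameter whose value carries a breakout token."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for name, value in parse_query(urlsplit(m.group(1)).query):
            tokens = find_tokens(value)
            if tokens:
                findings.append({
                    "client": client,
                    "param": name,
                    "value": value,
                    "tokens": tokens,
                    "known_sink": name.lower() in SUSPECT_PARAMS,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        level = "HIGH" if f["known_sink"] else "review"
        print(f"[{level}] {f['client']} param={f['param']!r} "
              f"tokens={f['tokens']} value={f['value']!r}")
```

Treat the output as a triage signal rather than a blocking rule: apostrophes in names and hashes in free-text fields produce false positives, and percent-decoding only once means a double-encoded payload still needs the application's own decoding path to be considered.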
Bypassing Space Filters
Bypassing Slash Filters
Command Obfuscation
Wildcards & Globbing
Alternative Commands
cat → tac, head, tail, nl, more, less
ls → dir, echo *
whoami → id, who
Encoding Bypasses
Variable Expansion
Bypassing Character Limits
Bash Arithmetic Injection
In Bash, the [[ ... ]] construct and the $(( ... )) operator perform arithmetic evaluation. When user input is placed inside these constructs without proper sanitization, Bash will:
Evaluate the arithmetic expression
Execute any command substitutions within that expression
When the input contains $(command) or backticks, Bash executes the command before performing arithmetic evaluation.
If you control $user_input:
Detection Checklist
Payload Examples
Exploitation Scripts
Mitigation
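As an added example for this section (not code from the original page), here is the ?ip= sink from the top of the page written two ways in Python: the shell-concatenation form that every operator on this page breaks out of, and a hardened form that validates the host as an IP literal or DNS name, bounds the count as an integer, and runs ping as an argv list with no shell. The function names and the limits are assumptions. The integer check on count is the same guard the Bash Arithmetic Injection section needs: a value going into $(( ... )) must be proven to be digits before it is used.

```python
"""A ping endpoint: shell concatenation beside the shell-free, validated form."""
import ipaddress
import os
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def ping_unsafe(host):
    # VULNERABLE: the user value is spliced into a shell command line, so every
    # operator listed on this page (; | && || $( ) ` # ') changes what runs.
    return os.system("ping -c 1 " + host)


def validate_host(host):
    """Return the host if it is an IP literal or a hostname; raise otherwise.
    A leading '-' can never pass, so ping cannot be handed an extra option."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("invalid host")


def is_valid_host(host):
    """Boolean wrapper around validate_host() for logging and tests."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_ping_argv(host, count=1):
    """Build the argv list; count is type-checked and bounded (assumed 1..5)."""
    if isinstance(count, bool) or not isinstance(count, int) or not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_host(host)]


def run_ping(host, count=1, timeout=10):
    """Run ping without a shell; the argv list is passed straight to execve."""
    proc = subprocess.run(build_ping_argv(host, count), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for candidate in ("8.8.8.8", "example.com", "8.8.8.8;id", "$(whoami)"):
        print(f"{candidate!r}: {'accepted' if is_valid_host(candidate) else 'rejected'}")
```

Two design points worth keeping: the allow-list runs before the value is ever placed in argv, and the argv list is passed without shell=True, so even a value that slipped through validation would reach ping as a single argument rather than as shell syntax. The timeout and the count bound cap how long a request can keep the process busy.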