OS command injection is a flaw where an application passes unsanitized user input into a system shell, letting an attacker run arbitrary operating-system commands with the app's privileges. It typically appears in features that shell out to tools like ping, ImageMagick, or zip. The Command Injection generator builds payloads using shell separators and encoding.
It chains your command onto the original using shell metacharacters: semicolon ; runs sequentially, && and || run conditionally, and a pipe | feeds output. Backticks `cmd` or $(cmd) trigger inline substitution, and a newline %0a works when only part of the input is filtered. Pick separators matching the target shell.
When the response shows nothing, use out-of-band or time-based techniques. Inject sleep 10 or ping -c 10 127.0.0.1 and watch for a delayed response to confirm execution. For data exfiltration, force a DNS or HTTP callback with nslookup or curl to a server you control, such as a Burp Collaborator or interactsh endpoint.
Yes, it is free and runs 100% in your browser; the commands and separators you generate are never uploaded to any server. It is meant strictly for authorized penetration testing, bug bounties, and CTF practice on systems you have explicit permission to assess.