Command Injection

Command injection lets an attacker run operating-system commands on the host by abusing input that an application passes to a shell.

Command InjectionGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

Command injection occurs when user input reaches a shell command unsanitised. Shell metacharacters (; | & `$()`) let the attacker append or substitute their own commands, running with the privileges of the application process.

How to test for it

Append command separators and benign commands, watching for changed output or timing. For blind cases, trigger out-of-band DNS or HTTP callbacks, and use encoding and whitespace tricks to bypass weak input filters.

How to prevent it

Avoid invoking a shell at all — call binaries directly with an argument array and no shell interpretation. If a shell is unavoidable, use strict allow-list validation and never interpolate raw user input into the command string.

In-depth articles

SSTI Exploitation: From Template Injection to Remote Code Execution15 min read File Upload Vulnerability Testing: Bypassing Filters and Getting RCE13 min read Command Injection Cheat Sheet: Blind, Out-of-Band, and Filter Bypass14 min read Insecure Deserialization: Java ysoserial, PHP Object Injection, and .NET Gadget Chains15 min read Redis Exploitation: From Unauthenticated Access to RCE and SSH Key Injection11 min read

Frequently asked questions

What is blind command injection?+

It's command injection where the command output isn't returned in the response; you confirm execution via time delays or out-of-band callbacks (DNS/HTTP) to infrastructure you control.

Is input escaping enough to stop command injection?+

Escaping is fragile and shell-specific. The robust fix is to avoid the shell entirely and pass arguments as a list to the target binary.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...