Command Injection

We can often determine whether Command Injection is possible from the Behavior of an Application. Applications that use User Input to populate System Commands with data can often be made to behave in unintended ways.

  • Shell Operators combine two or more System Commands and execute them both.
;
&
&&

Detecting Blind Command Injection

  • Time Delay: These Commands are useful Payloads to test with. Using ping, the Application will hang for X seconds.
ping
sleep

  • Force Output: This can be done by using Redirection Operators such as >. Example: We can tell the Web Application to Execute Commands such as whoami and redirect that to a file. We can then use a command such as cat to read this newly created file’s contents.
>

  • Detecting Verbose Command Injection:
    • The Output of these Commands is directly displayed on the Web Application.
ping
whoami
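
Why the Shell Operators listed above matter, and how to remove the problem, shown as an added example (not code from the original page). It assumes a hypothetical handler that takes a host value from User Input; `echo` stands in for the real tool so the example is harmless and runs offline, and all function names are made up for illustration.

```python
import ipaddress
import re
import subprocess

TOOL = "echo"  # assumption: stand-in for the real system command

# One or more DNS labels, 253 characters at most, no shell metacharacters.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def run_vulnerable(host: str) -> str:
    """Before: User Input is pasted into a string that /bin/sh parses."""
    cmd = f"{TOOL} checking {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """No shell: operators arrive as literal text inside a single argument."""
    argv = [TOOL, "checking", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Allow only an IP address or a plain DNS name; reject everything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def run_hardened(host: str) -> str:
    """After: validated input, passed as one argv element, no shell involved."""
    argv = [TOOL, "checking", validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    sample = "127.0.0.1; echo SECOND"  # constructed input containing the ; operator
    print("shell string :", run_vulnerable(sample).splitlines())
    print("argv list    :", run_argv_only(sample).splitlines())
    try:
        run_hardened(sample)
    except ValueError as exc:
        print("hardened     :", exc)
```

Dropping the shell removes the operator parsing; the validation step additionally stops values that begin with `-` from being read as options by the real tool.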