Command Injection
Command injection is when user input lands in a function that hands it to a shell (or to a process wrapper that does), letting you terminate the intended command and append your own. You confirm it with a separator or substitution token (`;`, `\n`, `&`, `|`, `&&`, `||`, `` ` ``, `$()`), then escalate to enumeration, blind exfiltration, or a reverse shell.
Three vulnerability classes get confused with each other, and each needs a different exploitation approach:
- Command injection - input concatenated into a shell invocation. You inject commands. Sinks: PHP `system`/`exec`/`passthru`/`shell_exec`/`popen`, Node `child_process.exec` or `spawn` with `shell: true`, Python `os.system`/`subprocess.run(..., shell=True)`, Ruby backticks/`Kernel#system` (single-string form), Java `Runtime.exec(String)` when wrapped in a shell such as `sh -c` (on its own it only splits on whitespace and spawns no shell).
- Argument injection - input concatenated into a fixed binary's argv. The binary is locked, but flags and arguments are yours. See Argument injection.
- Code injection - input passed to a language `eval`/`exec` (PHP `eval`, Python `exec`, Node `Function()`). You inject code in the host language, not shell. Out of scope for this section.
Decision flow
- Suspect a sink? Any feature that pings, converts, archives, resolves DNS, generates PDFs, processes images, runs git, or invokes external tools is a candidate. → Detection
- Output reflected? Use a separator and read the result. → Execution
- No output? Confirm blind via timing or out-of-band callback. → Blind & OOB
- Filters in the way? Spaces, slashes, command names, or operators blocked. → Filter bypass
- Binary fixed but args controlled? Different bug class, same root cause. → Argument injection
- Confirmed RCE, want a shell? → Reverse shells
- In an exam, need a single page? → Cheatsheet
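The sink classes above and the "Output reflected? Use a separator and read the result" step, as an added Python example that is not part of the original page. It puts a command-injection sink (string concatenated into `sh -c`) next to a fixed-argv call and a fixed-argv call with an input allowlist, then runs every separator and substitution token from the intro through each. Assumptions: `echo` stands in for whatever tool the feature really runs (ping, dig, convert, git) so the file needs only `/bin/sh` and coreutils and never touches the network; the canary `$((6*7))` is used so that the text `42` can only appear if a shell evaluated the input rather than merely reflecting it; the hostname allowlist is a hypothetical policy for this example, not a library API.

```python
"""Command-injection sink vs. fixed-argv call, demonstrated offline with `echo`.

Added example, not from the original page. `echo` stands in for whatever tool
the feature really runs (ping, dig, convert, git ...), so this needs only
/bin/sh and coreutils, never the network.
"""
import re
import subprocess

# Canary: arithmetic the shell must evaluate. The literal text "$((6*7))" never
# contains "42", so "42" in the output proves a shell *executed* the input
# rather than just printing it back.
CANARY = "echo $((6*7))"
CANARY_OUT = "42"

# One constructed payload per separator / substitution token from the intro,
# appended to a benign value.
PAYLOADS = {
    ";":   f"127.0.0.1; {CANARY}",
    "\\n": f"127.0.0.1\n{CANARY}",
    "&":   f"127.0.0.1 & {CANARY}",
    "|":   f"127.0.0.1 | {CANARY}",
    "&&":  f"127.0.0.1 && {CANARY}",
    "||":  f"127.0.0.1 || {CANARY}",   # fires only if the first command fails
    "`":   f"127.0.0.1 `{CANARY}`",
    "$()": f"127.0.0.1 $({CANARY})",
}


def resolve_vulnerable(host: str) -> str:
    """Command injection: user input concatenated into a string handed to `sh -c`."""
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def resolve_argv(host: str) -> str:
    """No shell: the binary is fixed and `host` is a single argv element.

    Shell metacharacters are inert here, but the value still reaches the
    binary's own option parser, so a leading '-' is the argument-injection case.
    """
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


# Hypothetical allowlist for a hostname or IPv4 literal: alphanumerics, dot and
# hyphen, and it may not start with '-'. Real tools may also need '--' or a
# flag-terminating option where the binary supports one.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def resolve_hardened(host: str) -> str:
    """argv list plus input allowlist: blocks both injection classes up front."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return resolve_argv(host)


def probe(sink) -> dict[str, bool]:
    """Send every payload to `sink`; True means the injected canary command ran."""
    hits = {}
    for name, payload in PAYLOADS.items():
        try:
            out = sink(payload)
        except ValueError:  # the hardened sink rejects the value before any call
            out = ""
        hits[name] = CANARY_OUT in out
    return hits


if __name__ == "__main__":
    for fn in (resolve_vulnerable, resolve_argv, resolve_hardened):
        live = [sep for sep, hit in probe(fn).items() if hit]
        print(f"{fn.__name__:18s} live separators: {live}")
    # Argument injection survives the argv fix: '-n' is parsed as echo's flag,
    # so the newline disappears. The allowlist rejects it before the call.
    print(repr(resolve_argv("-n")), repr(resolve_hardened("example.com")))
```

Two things worth noticing when you run it: `||` never fires against the vulnerable sink because `echo` succeeds, which is why a `||` probe on its own can produce a false negative; and the plain argv version stops every shell separator yet still lets `-n` through to the binary, which is exactly the Argument injection case the decision flow points to.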
Placeholder legend
Used throughout this section.
| Placeholder | Meaning |
|---|---|
| `<TARGET>` | Target host or URL |
| `<PARAM>` | Vulnerable parameter name |
| `<ATTACKER>` | Your host for HTTP/DNS exfil and OOB callbacks (no port; protocol default) |
| `<LHOST>` | Your listener host for reverse shells |
| `<LPORT>` | Your listener port for reverse shells |
| `<CMD>` | Arbitrary command being injected |