# Command Injection

Command Injection (OS command injection) is a critical vulnerability in which attacker-controlled input from the website is passed into a command that the application executes through the system shell, letting the attacker run arbitrary commands on the underlying server.

<figure><img src="/files/43Z5myFQstMNEUqd0dt2" alt=""><figcaption><p><em>Taken from PortSwigger Web Security Academy</em></p></figcaption></figure>

## Exploitation

First, one has to understand how the shell processes special characters (and how they must be encoded to survive the HTTP request), since every payload is built from them:

{% code overflow="wrap" %}

```bash
#  -> comment; the shell ignores the rest of the line, useful for discarding whatever the application appends after your input
$() -> command substitution: the text inside the brackets is run and replaced by its output, e.g. echo $(id); backticks `...` do the same
;  -> command separator, e.g. id ; whoami runs both commands one after the other
|  -> pipe: passes stdout of one command to stdin of the next, e.g. cat /etc/passwd | grep root
&  -> runs the preceding command in the background, so the command after it still executes, e.g. sleep 10 & id
&& -> logical AND: the next command runs only if the previous one succeeded
|| -> logical OR: the next command runs only if the previous one failed
%0a -> URL-encoded newline (\n); the shell treats a newline as a command separator, so it works where ; or | is filtered
>  -> redirect standard output to a file, e.g. ./find_users > users.txt
<  -> feed a file's contents to a command's standard input, e.g. ./echo_name < names.txt
${IFS} -> expands to the shell's internal field separator (space, tab and newline by default), so it replaces a space when a WAF blocks spaces, e.g. cat${IFS}/etc/passwd
```

{% endcode %}

There are tons of payload cheatsheets online, and the one at Hacktricks is very good.

This vulnerability is quite easy to confirm when the command's output is returned in the response:

<figure><img src="/files/EeaDE2rHgoLIZiIp9imR" alt=""><figcaption><p><em>Look at Cmd parameter</em></p></figcaption></figure>
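The following is an added example, not code from the page or from PortSwigger: a command-injection sink written the way a vulnerable application builds its command, placed next to a hardened form, and exercised with payloads built from the metacharacters listed above. `echo` stands in for `ping` so the script runs offline, and the hostnames and the `INJECTED` marker are constructed sample inputs chosen for this demonstration.

```python
"""Added example: a command-injection sink beside its hardened form."""
import re
import subprocess


def ping_vulnerable(host: str) -> str:
    """Vulnerable: the user value is spliced into a command string that is
    handed to /bin/sh, so every shell metacharacter in it is honoured."""
    cmd = f"echo pinging {host}"          # a real app would build f"ping -c 1 {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for the value: letters, digits, dots and hyphens only, and no
# leading hyphen so the value can never be parsed as an option by the program.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_hardened(host: str) -> str:
    """Hardened: validate against the allow-list, then pass an argv list with
    shell=False so the value reaches the program as one literal argument."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    argv = ["echo", "pinging", host]      # a real app would use ["ping", "-c", "1", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


MARKER = "INJECTED"

# Constructed payloads, one per metacharacter from the list above. Each tries to
# make the shell run `echo INJECTED` in addition to the intended command.
PAYLOADS = {
    "semicolon":  "10.10.10.10; echo " + MARKER,
    "pipe":       "10.10.10.10 | echo " + MARKER,             # echo ignores stdin but still runs
    "background": "10.10.10.10 & echo " + MARKER,
    "and":        "10.10.10.10 && echo " + MARKER,
    "or":         "10.10.10.10 >/nonexistent/dir/x || echo " + MARKER,  # failed redirect makes || fire
    "subshell":   "$(echo " + MARKER + ")",                    # substituted into the argument itself
    "newline":    "10.10.10.10\necho " + MARKER,               # what %0a decodes to
    "ifs":        "10.10.10.10;echo${IFS}" + MARKER,           # no literal space anywhere
}


def injection_results() -> dict:
    """Feed every payload to the vulnerable sink and record whether the
    marker command ran (True means the injection succeeded)."""
    return {name: MARKER in ping_vulnerable(p) for name, p in PAYLOADS.items()}


def hardened_rejects_all() -> bool:
    """The hardened sink must refuse every payload before any command runs."""
    for payload in PAYLOADS.values():
        try:
            ping_hardened(payload)
            return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    for name, ran in injection_results().items():
        print(f"{name:10s} vulnerable sink executed marker: {ran}")
    print("hardened sink rejects all payloads:", hardened_rejects_all())
    print(ping_hardened("10.10.10.10"), end="")
```

Every payload makes the vulnerable sink print the marker, while the hardened sink raises before anything is executed. Note that the argv list alone already stops the shell from parsing the value; the allow-list is what additionally keeps the value from being interpreted as an option flag or an unexpected argument by the program itself.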

## Blind Injection

Sometimes the output of the injected command is never returned in the response. To confirm execution out-of-band, inject a `ping` to a machine you control and listen there for the incoming ICMP echo request with `tcpdump`:

```bash
# injected payload, where 10.10.10.10 is the attacker's machine
; ping -c 1 10.10.10.10
# sends 1 ICMP echo request

# on the attacker's machine, listen for it
sudo tcpdump -i <INTERFACE> icmp
```

If the target has no network path back to you, a time-based check (inject a `sleep` of several seconds and watch for a correspondingly delayed response) also confirms execution.
