Simple Command Injection


Command injection is a vuln that allows you to submit sys commands to a computer running a website. This happens when the app fails to encode user input that goes to a system shell. This vuln is common when the developer uses the system() command or the same in the lang of its app.


import os

domain = user_input() #Input:

os.system(‘ping” + domain)


This is would ping the hackingarise website as the user has inputted it but what happens if they put in something else to return different data? Say they put in “; ls” without quotes ofc, then the command before the semicolon(ping) would be terminated and forced to run ‘ls’

What is the use of this?

Well command injection can be a good way to use privilege escalation with web apps and apps that use system commands. Many home routers are vuln to this as they commit user input directly to a system command.

Some Command Injection Payloads



system(‘cat /etc/passwd’);

$(`cat /etc/passwd`)


These payloads can be basically anything that helps you gain a shell, user, root, admin etc. Or any command you may want to try!


Thanks for reading my post and be sure to check out more on the site! See ya next time!



Leave a Reply