
# Command Injection

## Command Substitution

Command substitution can often prove to be a useful tool for exploiting command injection. For example, the following commands are equal to the `ping 127.0.0.1` command:

* `` ping `echo 127.0.0.1` ``
* `ping $(echo 127.0.0.1)`

The `sleep` command is often useful for discovery. Payload example: `$(sleep 5)`.

*Note: Command substitution only works when your injection lands inside double quotes (`echo "$INJECTION_HERE"`) or outside any quotes (`echo $INJECTION_HERE`). If your injection lands inside single quotes (`echo '$INJECTION_HERE'`), the shell performs no command substitution, and you will **need to break out of the single quotes first**.*

## Automated Exploitation

You can use Commix for automated command injection testing:

{% embed url="https://github.com/commixproject/commix" %}

## Bypassing Mitigations

### Escaping Functions

If the application escapes each argument with a function such as PHP's `escapeshellarg`, your input cannot break out of that argument, but it can still be a flag of the program being invoked. This might lead to unexpected behaviour.

PHP's `escapeshellcmd` is looser still. It neutralises the characters that would chain a second command, so only one command runs, but it does not quote individual arguments, so you can pass any number of parameters to that command. Depending on the program, certain flags and parameters submitted as input may make it behave in interesting ways.
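The quoting note in the Command Substitution section and the `escapeshellarg` point above are illustrated by the following added example (Python, written for this page; it is not code from the cheat sheet). It assumes `shlex.quote` as the Python counterpart of PHP's `escapeshellarg` (both wrap the value in single quotes), uses `grep` as a stand-in for the invoked program because `ping` cannot run offline, and constructs its own inputs. The hardened form at the end avoids the shell entirely, terminates option parsing with `--`, and accepts only a literal IP address.

```python
"""Quoting contexts, the limit of argument escaping, and the hardened form.
Added example; shlex.quote stands in for PHP's escapeshellarg (assumption)."""
import ipaddress
import shlex
import subprocess

MARKER = "SUBSTITUTED"
PROBE = "$(echo " + MARKER + ")"   # constructed, harmless substitution probe


def substitution_happens(context):
    """Place PROBE in one quoting context and report whether /bin/sh expanded it."""
    templates = {
        "unquoted": "echo {}",
        "double": 'echo "{}"',
        "single": "echo '{}'",
        "escapeshellarg": "echo {}",   # value is single-quoted by shlex.quote below
    }
    value = shlex.quote(PROBE) if context == "escapeshellarg" else PROBE
    out = subprocess.run(["/bin/sh", "-c", templates[context].format(value)],
                         capture_output=True, text=True).stdout
    return out.strip() == MARKER


# Constructed stdin fed to grep in both variants below.
SAMPLE_INPUT = "apple\nbanana\n"


def grep_via_shell(pattern):
    """Escaped but still a flag: the value cannot break out of its quotes,
    yet grep itself parses it, so '-v' becomes an option, not a pattern."""
    cmd = "grep " + shlex.quote(pattern)
    r = subprocess.run(["/bin/sh", "-c", cmd], input=SAMPLE_INPUT,
                       capture_output=True, text=True)
    return r.returncode, r.stdout


def grep_hardened(pattern):
    """No shell at all, and '--' ends option parsing so the value is data."""
    r = subprocess.run(["grep", "--", pattern], input=SAMPLE_INPUT,
                       capture_output=True, text=True)
    return r.returncode, r.stdout


def build_ping_argv(host):
    """Allowlist validation before the value reaches any program: only a
    literal IP address is accepted, passed as one argv element after '--'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError("host must be a literal IP address: %r" % host)
    return ["ping", "-c", "1", "--", str(addr)]


if __name__ == "__main__":
    for ctx in ("unquoted", "double", "single", "escapeshellarg"):
        print(ctx, "expands substitution:", substitution_happens(ctx))
    print("shell + quoted '-v':", grep_via_shell("-v"))
    print("argv list + '--'  '-v':", grep_hardened("-v"))
    print(build_ping_argv("127.0.0.1"))
```

`grep_via_shell("-v")` returns exit status 2 (grep complains about a missing pattern) even though the argument was quoted, which is the `escapeshellarg` limitation in miniature; `grep_hardened("-v")` returns 1 with empty output because `-v` was searched for as text. Neither quoting function replaces validating the value against what it is supposed to be.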

### Symbol Alternatives

There are often alternatives to common symbols:

* `$IFS` is a replacement for a SPACE character.
* `$SHELL` expands to the user's preferred shell.
* `$@` expands to positional arguments, if there are any.
* You may be able to use newlines (`%0a` after URL encoding) instead of semicolons and tabs instead of spaces.
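From the defender's side, the same stand-ins are what a detection rule has to account for. The following added example (Python, not part of the cheat sheet) URL-decodes a request parameter until it stops changing, as the receiving application effectively would, and flags the indicators listed in this section over a few constructed Apache-style access-log lines.

```python
"""Detection of command-injection indicators in query parameters.
Added example; log lines are constructed samples."""
import re
from urllib.parse import unquote_plus

# Indicators drawn from this page: substitution syntax, separators,
# redirection, the IFS/SHELL/$@ variable tricks, and tab as a space stand-in.
INDICATORS = {
    "substitution": re.compile(r"\$\(|`"),
    "separator": re.compile(r"[;|&\n]"),
    "redirect": re.compile(r"[<>]"),
    "shell_variable": re.compile(r"\$(IFS|SHELL|@|\{IFS\})"),
    "whitespace_substitute": re.compile(r"\t"),
}

# Apache combined-log prefix: client, ident, user, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def decode_param(raw):
    """Decode like the application would (%0a, %09, %24, ...), repeating while
    anything changes so a double-encoded %2560 still ends up as a backtick."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return cur


def indicators_in(decoded_value):
    """Sorted names of the indicators present in an already-decoded value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded_value))


def scan_access_log(lines):
    """Return (client, parameter, indicators) for every query parameter that
    trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        for pair in (query.split("&") if query else []):
            name, _, raw = pair.partition("=")
            found = indicators_in(decode_param(raw))
            if found:
                hits.append((m.group("client"), name, found))
    return hits


# Constructed sample: one benign request, then newline + substitution,
# the $IFS space stand-in, and a double-encoded backtick pair.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1%0a%24(sleep%205) HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /ping?host=127.0.0.1%24IFS HTTP/1.1" 200 512',
    '10.0.0.12 - - [01/Jan/2024:10:00:03 +0000] "GET /ping?host=127.0.0.1%2560echo%2560 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Decoding before matching is the important step: `%0a` and `%09` only look like a newline and a tab once the server has decoded them, which is why a rule that matches the raw request line for `;` or a space would miss the second and third samples. Treat the output as a triage signal rather than a blocklist, since `&`, `<` and `>` also appear in plenty of legitimate parameters.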

### Piping and Redirection

Look at the list of bash redirection and command operators for ideas to pipe and redirect output:

{% embed url="http://unix.stackexchange.com/questions/159513/what-are-the-shells-control-and-redirection-operators" %}

### Edge Cases

If you know which command is run inside the shell execution function (such as PHP's `exec()`), make sure to experiment with that command's edge cases on the command line. For example, `exec("ping blah 127.0.0.1")` is equal to `exec("ping 127.0.0.1")`.
