> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/everything/everything-web/command-injection.md). # Command Injection ## Description Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. This attack differs from [Code Injection](https://owasp.org/www-community/attacks/Code_Injection), in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. Source: ## Simple Injection As shown below the input field takes a value for an IP address in which it will ping. Below the value '127.0.0.1' was entered and the results has been shown below. ![](/files/-Mg6rXc97It5rOqOr9Ci) The semicolon in Linux / Unix is used to run a command directly after another. Command injection can potentially be abused to run the required input then a semicolon can be used to execute a trailing command. Below the IP was pinged then a semicolon used to execute two commands one after another. ![](/files/-Mg6uXb1wbIR0BRZ6pj2) ## Injeciton fuzzing We can also fuzz for injection parameters. Taking the same example as above we capture the injection request in Burpsuite leaving the IP address first then fuzzing the posistion 'F' using a wordlist of commands. ![](/files/-Mg6yOm3xwPjQDjZXU_W) The Command Injection fuzzing list has been attached below. {% file src="/files/-Mg6zA0TIpE0cUDvR6Yz" %} Command Injection.txt {% endfile %} A short snippet from the list: {% tabs %} {% tab title="Command Injection.txt" %} ``` a);id a;id a);id; a;id; a);id| a;id| a)|id a|id a)|id; a|id |/bin/ls -al a);/usr/bin/id a;/usr/bin/id ``` {% endtab %} {% endtabs %} After running we can view the results in intruder to see which payloads have been successful. ![](/files/-Mg7-yCoZUR8gdN0iVrR) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/everything/everything-web/command-injection.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.