Command Injection
Check List
Methodology
Reflected Command Injection In an Embedded Cloud Shell
When a web application includes a terminal, shell, or IDE interface (e.g., Cloud Shell, Dev Console, Admin Terminal), test URL parameters (project, env, config) for command injection.
Access the cloud console or developer environment and identify a terminal or shell interface (via ?show=ide,terminal, ?mode=console, or a "Terminal" tab)
Locate a configurable parameter (project, env, workspace, config) in the URL that influences the terminal session or backend configuration; change it (e.g., ?project=test) and observe the terminal prompt or project name update
Switch to a minimal or IDE-only view (show=ide, view=code) where the parameter is likely processed in a script (Python, Node.js, etc.)
Inject a single quote (') into the parameter and reload; if a script syntax error appears in the terminal (SyntaxError, unexpected token), it confirms direct reflection without encoding
Use syntax closure to neutralize the original code
If reflection is in if 'value':, close with ':# to comment out the rest
If multi-line, use triple quotes: '''; to close strings
Set project=asd':# or project=asd''';print('' to fix syntax and gain control
Inject project=asd''';import os;os.system("id");print('' then reload and check terminal output for uid=...
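The root cause this procedure probes for, seen from the fixing side, as an added example that is not part of the original page: a parameter pasted between quotes in generated Python next to an encoded and allowlisted form, with an AST round-trip check that the value stayed data. TEMPLATE, PROJECT_RE and all function names are assumptions made for illustration; the sample inputs are the probe values already listed above.

```python
import ast
import re

# Hypothetical stand-in for the generated script: the URL parameter ends up
# inside a string literal in an `if` test.
TEMPLATE = "if {literal}:\n    banner = 'project selected'\n"

# Assumed naming policy for project ids (not taken from the page).
PROJECT_RE = re.compile(r"[a-z][a-z0-9-]{2,29}")


def render_unsafe(project):
    # Vulnerable pattern: raw value wrapped in quotes by concatenation.
    return TEMPLATE.format(literal="'" + project + "'")


def render_encoded(project):
    # repr() emits a correctly quoted and escaped Python string literal.
    return TEMPLATE.format(literal=repr(project))


def render_safe(project):
    # Defence in depth: reject anything outside the allowlist, then encode.
    if not PROJECT_RE.fullmatch(project):
        raise ValueError("invalid project id")
    return render_encoded(project)


def reflected_as_data(source, project):
    """True only if source parses to one `if` whose test is exactly the
    string constant `project`, i.e. the value did not alter the code."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False  # a lone quote breaks the literal
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.If):
        return False
    test = tree.body[0].test
    return isinstance(test, ast.Constant) and test.value == project


if __name__ == "__main__":
    for value in ["test", "'", "asd':#"]:
        print(repr(value),
              "unsafe:", reflected_as_data(render_unsafe(value), value),
              "encoded:", reflected_as_data(render_encoded(value), value))
```

The same round-trip check works as a regression test for any template that embeds request data in generated code: render with a quote-bearing value and assert the parsed literal equals the input.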
Language Parameter
Log in to the target site
Then use Burp Suite to inspect the requests and identify the endpoints
Then, check in the identified endpoints whether there is a parameter called language= or a parameter that specifies the language
Then send the request to Repeater and replace the language parameter value with the following content; if the request method was GET, change it to POST
{${system("cat+/etc/passwd")}}
Send the request and then check whether the server's response shows the sensitive file content
White Box
Cheat Sheet