Command Injection

Check List

Methodology

Black Box

1. When a web application includes a terminal, shell, or IDE interface (e.g., Cloud Shell, Dev Console, Admin Terminal), test the URL parameters that configure it (project, env, config) for command injection.

2. Access the cloud console or developer environment and identify a terminal or shell interface (via ?show=ide,terminal, ?mode=console, or a "Terminal" tab).

3. Locate a configurable parameter (project, env, workspace, config) in the URL that influences the terminal session or backend configuration. Change it to ?project=test and observe whether the terminal prompt or project name updates.

4. Switch to a minimal or IDE-only view (show=ide, view=code) where the parameter is likely processed by a script (Python, Node.js, etc.).

5. Inject a single quote (') into the parameter and reload; if a script syntax error appears in the terminal (SyntaxError, unexpected token), the value is reflected directly into the script without encoding.

6. Use syntax closure to neutralize the original code:

  • If the reflection is inside if 'value':, close with ':# to comment out the rest of the line.

  • If the reflection is multi-line, use triple quotes (''') to close the string. Set project=asd':# or project=asd''';print('' to repair the syntax and gain control.

7. Inject project=asd''';import os;os.system("id");print('' , reload, and check the terminal output for uid=....


Blind injection

1. When you identify an XML-based API endpoint that processes user data (number, email, or mobile), test fields such as <Number> for blind OS command injection using time-delay payloads, which confirm execution without visible output. Focus on common XML processing endpoints across enterprise or government web services.

2. Capture a legitimate XML request with Burp Suite while submitting personal data through the web service (profile update, form submission).

3. Locate the target field (<Number>1234567890123</Number>) that accepts user input and is likely passed to a backend shell command.

4. Send a baseline request with normal input and record the average response time (~56 ms).

5. Inject a cross-platform time-delay payload into the field using command chaining to force a ~10–15 second delay:

<Number>|ping -n 11 127.0.0.1||ping -c 11 127.0.0.1</Number>

6. Measure the response time; if it increases significantly (~11,876 ms), blind command execution is confirmed.
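As an added defensive counterpart to both checklists above (not part of the original page), the following Python shows the allowlist a handler should apply to a project/env parameter before it reaches any script or shell, and log-side detection that flags the quote-breakout, shell-chaining and time-delay patterns described above, including a response-time anomaly relative to the ~56 ms baseline. The access-log format and all sample lines are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Allowlist for identifier-shaped parameters: a passing value carries no quote or shell metacharacter.
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")

# Indicators for this page's scenarios: a quote closing generated Python followed by code,
# shell chaining operators, and the time-delay commands used for blind checks.
INDICATORS = {
    "python-breakout": re.compile(r"'+\s*[;:]?\s*(?:#|import\s+\w+|print\s*\()"),
    "shell-chain": re.compile(r"\|\||&&|[|;`]|\$\("),
    "time-delay": re.compile(r"\b(?:ping\s+-[nc]\s+\d+|sleep\s+\d+)\b", re.I),
}

def validate_project(value):
    """Allowlist check to apply before a parameter reaches any script or shell."""
    return PROJECT_RE.fullmatch(value) is not None

def classify(value):
    """Names of the indicators that fire on one decoded parameter or field value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

# Constructed access-log format: "<timestamp> <method> <path?query> <status> <ms>ms", query still percent-encoded.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)ms$")

def scan_access_log(lines, watched=("project", "env", "workspace", "config"), baseline_ms=56, slow_factor=10):
    """(timestamp, parameter, tags) per request whose watched parameter fails the allowlist;
    'slow-response' is added when latency is at least slow_factor x the baseline."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, _method, url, _status, ms = m.groups()
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if key in watched and not validate_project(value):
                tags = classify(value) or ["allowlist-miss"]
                if int(ms) >= slow_factor * baseline_ms:
                    tags.append("slow-response")
                findings.append((ts, key, tags))
    return findings

def scan_xml_field(body, tag):
    """Indicators firing on the text of <tag> in a captured XML body (prefer defusedxml for untrusted input)."""
    node = ET.fromstring(body).find(f".//{tag}")
    return classify(node.text or "") if node is not None else []

# Constructed samples reproducing the two scenarios above (';' as %3B and '#' as %23 in the query).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z GET /console?show=ide&project=test 200 58ms",
    "2024-05-01T10:00:07Z GET /console?show=ide&project=asd%27%3A%23 200 61ms",
    "2024-05-01T10:00:15Z GET /console?show=ide&project=asd%27%27%27%3Bimport%20os%3Bos.system(%22id%22)%3Bprint(%27%27 200 1204ms",
]
SAMPLE_XML = "<Request><Number>|ping -n 11 127.0.0.1||ping -c 11 127.0.0.1</Number></Request>"
```

Running `scan_access_log(SAMPLE_LOG)` reports only the two tampered requests, the second one also tagged slow-response; `scan_xml_field(SAMPLE_XML, "Number")` flags the chained ping payload while a plain numeric field yields no indicators.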


White Box

Cheat Sheet
