Blind Command Injection - It hurts

Summary:

Command injection is a type of attack that executes arbitrary commands on the host operating system. It happens when an application passes unsafe, user-supplied data (form fields, cookies, HTTP headers, URL parameters) into a command line that is handed to a system shell. Command injection is possible because of insufficient input validation: the characters the shell treats as separators or substitutions (`;`, `|`, `&&`, newlines, backticks, `$(...)`) reach the shell unchanged.

Generally it is tough to find command injection, but luckily I found one a few months ago. I noticed something weird with the GET parameter /?search= when I was testing for command injection. I tested so many payloads, but nothing worked.

When I checked the response in Burp Suite, it said “this object will store some %symbols% in the javascript space, so that libs can read them”, so I thought it might be a blind command injection and used tcpdump to find out. Tcpdump comes pre-installed in Kali Linux.

How to find this vulnerability?

1. Go to your target website and check some common parameters (in my case it was /?search=).

2. I tried injecting a payload by simply using a pipe operator, but I didn’t get any response; it was a normal 200 OK.

(Screenshot: Pipe Operator)

3. I used so many payloads for testing, but only one worked, which was a bypass using a null-byte character.


4. I started tcpdump on Kali because I knew that it was a blind command injection.


You can use payloads from here:

My custom payload that worked: {.exec|ping <MyIP>

You can also use Wireshark instead of tcpdump to check for blind command injection. In either case the signal you are waiting for is out-of-band: the injected `ping` never shows up in the HTTP response, so filter the capture for ICMP echo requests arriving from the target's IP address, and remember that a firewall blocking outbound ICMP on the target can hide a real injection (a DNS lookup or an outbound HTTP request to a host you control is a common fallback).

Though I found this command injection after a lot of effort, it was a duplicate of another report on a private program :(.

Some Common Parameters For Testing Command Injection:


There is a good tool on GitHub for detecting command injection vulnerabilities automatically.

Link:

Commix is an automated tool written by Anastasios Stasinopoulos that can be used by web developers, penetration testers or security researchers to test web applications for bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a given vulnerable parameter or HTTP header; it also supports blind (time-based and file-based) techniques, which is what you need when, as in this case, the command output never reaches the response.

Mitigation: To prevent command injection, never call out to OS commands from application-layer code; use the language's own APIs (file, network, process libraries) for the task instead. Where an external program is genuinely required, run it without a shell and pass its arguments as a vector, so that user input is always a single argument and never parsed for separators, and validate the input against a strict allowlist (for example, alphanumerics only) before it gets anywhere near the command. Blocklisting individual characters such as `|` or `;` is not enough, as this write-up shows: the payload that finally worked was not one of the usual separators.
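The following Python script is an added example, not code from the original post or the target it describes. It puts the detection procedure from the numbered steps and the mitigation above side by side: a constructed vulnerable handler that concatenates a search term into a shell command and discards the output (so the injection is blind), a hardened handler that allowlists the term and calls `grep` with an argument vector and no shell, and a probe that tries the common separators. The post used an out-of-band `ping` watched with tcpdump as the signal; this example substitutes a `sleep` delay so it runs offline with no listener. The handler bodies, the sample data and the separator list are assumptions made for the example.

```python
"""Blind command injection: vulnerable vs. hardened handler, plus a time-based probe.

Added example. The post detected the injection out-of-band (ping observed with
tcpdump); here the signal is a `sleep` delay so everything runs offline. Both
handlers and the data they search are constructed stand-ins, not the real site.
"""
import re
import subprocess
import time

# Constructed data the "search" feature greps through.
SAMPLE_DATA = "apple\nbanana\n"

# Allowlist for the hardened handler: letters, digits, space, '_', '.', '-'.
TERM_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def vulnerable_search(term: str) -> None:
    """Constructed vulnerable handler.

    The term is concatenated into a command line that /bin/sh parses, so shell
    separators in `term` start new commands. Output goes to /dev/null and
    nothing is returned to the caller: the injection is blind, and the only
    signal an attacker gets is a side effect such as a delay or a ping.
    """
    subprocess.run(
        f"printf '%s\\n' 'apple' 'banana' | grep {term}",
        shell=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )


def safe_search(term: str) -> int:
    """Hardened handler: allowlist the input, then run grep with no shell.

    The argument vector means `term` is always exactly one argv entry; '--'
    stops a term beginning with '-' from being read as a grep option.
    Returns the number of matching lines.
    """
    if not TERM_RE.fullmatch(term):
        raise ValueError("search term contains characters outside the allowlist")
    result = subprocess.run(
        ["grep", "-c", "--", term],
        input=SAMPLE_DATA,
        capture_output=True,
        text=True,
    )
    return int(result.stdout.strip() or 0)


def rejects(handler, term: str) -> bool:
    """True if the handler refuses the term with ValueError."""
    try:
        handler(term)
    except ValueError:
        return True
    return False


def build_payloads(delay: int) -> list[str]:
    """Separator variants of a time-based payload (the blind analogue of the
    post's `| ping <MyIP>`). `&&` is included deliberately: it only fires
    when the preceding command succeeds, which is one reason a single
    payload can look like a false negative."""
    cmd = f"sleep {delay}"
    return [
        f"x; {cmd}",
        f"x | {cmd}",
        f"x || {cmd}",
        f"x && {cmd}",
        f"x\n{cmd}",
        f"x$({cmd})",
        f"x`{cmd}`",
    ]


def _timed(handler, term: str) -> float:
    start = time.monotonic()
    try:
        handler(term)
    except ValueError:
        pass  # the hardened handler rejects the payload outright
    return time.monotonic() - start


def probe_blind_injection(handler, delay: int = 1, margin: float = 0.7) -> list[str]:
    """Time each payload against the handler and return the payloads that
    added at least `margin` seconds over a benign baseline request."""
    baseline = _timed(handler, "apple")
    return [
        payload
        for payload in build_payloads(delay)
        if _timed(handler, payload) - baseline >= margin
    ]


if __name__ == "__main__":
    print("vulnerable handler, separators that worked:",
          [p.encode() for p in probe_blind_injection(vulnerable_search)])
    print("hardened handler, separators that worked:",
          probe_blind_injection(safe_search))
```

Against the vulnerable handler, `;`, `|`, `||`, newline, `$()` and backticks all produce the delay, while `&&` does not because `grep x` finds nothing and exits non-zero; that asymmetry is why a single failed payload, like the pipe in step 2, proves nothing. Against the hardened handler every payload is rejected before any process is spawned.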



Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|