Skip to main content
CTF Support
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. CTF Support
  2. /
  3. Web Exploitation
  4. /
  5. Command Injection
Edit page

Command Injection

Introduction

Command Injection occurs when user input is concatenated into system commands executed by the application. In CTF challenges, this often grants full control over the server environment.

Example (Python) 

import subprocess

def process_file(filename):
    return subprocess.check_output(['cat', filename])

filename = input('Enter a filename: ')
print(process_file(filename))

Exploit 

filename = "file.txt; ls"

Resulting command:

cat file.txt; ls

Tips

  • Chain commands with ;, &&, or |.
  • Use blind command injection (e.g., ping -c 1 <collaborator>) to confirm execution.
  • Try OS-specific payloads if Linux/Windows detection is uncertain.