Technique entry
W-CMDI · Execution
OS Command Injection
User input is concatenated into a shell command. Separators (`;`, `|`, `&&`) and command substitution (backticks, `$()`) yield RCE as the web user.
§ Where this technique fits
W-CMDI is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 5 on average.
§ Dossiers chaining this technique
- step 5 / 6
SSTI (Jinja2) → sandbox escape → RCE
User input rendered as a Jinja2 template instead of escaped. Escape the sandbox via `__class__.__mro__` to reach subprocess and execute commands.
- step 5 / 6
LFI → log poisoning → RCE
Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it.
- step 5 / 6
File upload bypass → webshell → RCE
Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.
§ What commonly comes next
- 01 Webshell Deployment, seen 2× (W-WEBSHELL · Persistence)
- 02 Command and Scripting Interpreter, seen 1× (T1059 · Execution)