SHELLING – a comprehensive OS command injection payload generator
SHELLING – a comprehensive OS command injection payload generator – now also available as a Burp Plugin
What is SHELLING?
This tool is a customizable payload generator, suitable for detecting OS command injection flaws during dynamic testing – which is usually conducted with no access to the source code or the filesystem. Creation of SUCCESSFUL payloads in this kind of assessments requires a lot of guesswork, especially:
- the eventual syntax of the expression we are injecting into (e.g. quoted expressions)
- input sanitizing mechanisms rejecting individual characters (e.g. spaces)
- platform-specific conditions (e.g. there is no “sleep” on windows)
- callback method (e.g. asynchronous execution, no outbound traffic allowed)
The purpose of creating this tool was to reach the non-trivial OS command injection cases, which stay undetected by generally known and used tools and sets of payloads.
Using the plugin
It is recommended to use the Burp plugin along with the Burp Collaborator Client (to take advantage of DNS as a feedback channel and use payload marking):
Our vulnerable code example: 
Our legitimate application request: 
We choose the Command injection payload generator: 
We paste the Collaborator domain to as the argument, following the PAYLOAD_MARK. holder to take advanvtage of payload marking: 
We run the Intruder attack: 
We look at the Collaborator client feedback: 
So we can track down the working payload: 
