Command injection testbeds
Anastasios Stasinopoulos edited this page May 25, 2025
This is a curated collection of deliberately vulnerable web applications and virtual machines (VMs) specifically designed to simulate real-world command injection attack scenarios. It serves as a practical, hands-on resource for:
- Security professionals looking to sharpen exploitation techniques
- Penetration testers seeking realistic lab environments
- Developers aiming to understand and mitigate command injection vulnerabilities
Every application or VM listed here contains at least one known command injection flaw, either standalone or as part of a broader set of vulnerabilities, so you can practise:
- Detection of command injection vectors
- Filter bypass and obfuscation techniques
- Reverse and bind shell payloads
- Mitigation and patching strategies
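The bullets above cover both sides of the exercise: finding the flaw and fixing it. The block below is an added example written for this page; it is not code from commix or from any of the listed testbeds. It shows the vulnerable pattern these labs exercise (untrusted input concatenated into a shell command), a hardened replacement (allowlist plus argv execution, no shell), and a commix-style result-based probe that injects an arithmetic `echo` through each common separator so that an endpoint which merely reflects the payload text is not reported as injectable. The `echo` stand-in for `ping`, the hostname allowlist, and all function names are assumptions made for illustration.

```python
"""Added example, not commix's own code: the bug these testbeds exercise,
a hardened replacement, and a result-based probe that can tell real
command execution apart from mere reflection of the payload."""
import re
import secrets
import subprocess


def lookup_vulnerable(host: str) -> str:
    """The classic flaw: untrusted input concatenated into a shell string.
    Real testbeds wrap ping/nslookup; `echo` stands in here so the example
    runs offline and never touches the network (assumption for illustration)."""
    cmd = f"echo Looking up {host}"  # attacker controls the command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_unvalidated(host: str) -> str:
    """No shell: the host is a single argv element, so metacharacters are
    passed literally. Not injectable, but it still reflects the raw input."""
    return subprocess.run(["echo", "Looking", "up", host],
                          capture_output=True, text=True).stdout


# Hostname label syntax (RFC 1123 style); assumed as the allowlist here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_hostname(host: str) -> bool:
    """Allowlist check; fullmatch also rejects embedded newlines."""
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def lookup_hardened(host: str) -> str:
    """Defence in depth: allowlist the value, then run without a shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    return lookup_argv_unvalidated(host)


# Separators and substitutions a result-based probe tries, in order.
SEPARATORS = [";", "|", "&&", "&", "\n", "`", "$("]


def _build_payload(base: str, sep: str, probe: str) -> str:
    if sep == "`":
        return f"{base}`{probe}`"
    if sep == "$(":
        return f"{base}$({probe})"
    return f"{base}{sep}{probe}"


def probe_for_injection(endpoint, base: str = "example.com"):
    """Return the first separator through which the shell evaluates an
    injected command, or None. The probe echoes an arithmetic result, so
    an endpoint that only reflects the payload text does not match."""
    a = 1000 + secrets.randbelow(9000)
    b = 1000 + secrets.randbelow(9000)
    expected = str(a * b)          # 7-8 digits, never a substring of the payload
    probe = f"echo $(({a}*{b}))"
    for sep in SEPARATORS:
        try:
            response = endpoint(_build_payload(base, sep, probe))
        except ValueError:
            continue               # input rejected outright by the allowlist
        if expected in response:
            return sep
    return None


if __name__ == "__main__":
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("argv only", lookup_argv_unvalidated),
                     ("hardened", lookup_hardened)]:
        print(f"{name:<11} injectable via: {probe_for_injection(fn)!r}")
```

Running the script reports `';'` for the vulnerable endpoint and `None` for the other two. The argv-only variant is worth keeping in mind when reviewing detection output: its response contains the literal probe string, which a naive "is my marker reflected?" check would flag, while the evaluated arithmetic result never appears. On the defensive side, dropping the shell is the fix that actually removes the bug; the allowlist is a second layer that also rejects inputs the downstream command itself might misinterpret (for example a value starting with `-`).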
| Application | Description |
|---|---|
| Damn Vulnerable Web App (DVWA) | A PHP/MySQL app with classic vulnerabilities like command injection, SQLi, XSS, and CSRF. Highly configurable security levels. |
| Damn Vulnerable Web Services (DVWS) | A RESTful API testing ground for classic web service vulnerabilities including command injection. |
| Damn Small Vulnerable Web (DSVW) | Lightweight Python-based vulnerable web application with minimal setup for fast testing. |
| Damn Vulnerable GraphQL Application (DVGA) | Targets GraphQL-specific vulnerabilities, including command injection reached through a resolver. |
| Damn Vulnerable Web Sockets (DVWS) | Focuses on insecure WebSocket implementations; includes injection flaws and bypass challenges. |
| Xtreme Vulnerable Web Application (XVWA) | Covers multiple OWASP Top 10 categories with injection-prone modules in a modern UI. |
| Mutillidae (OWASP) | A feature-rich app with server-side command injection lessons under both HTTP GET and POST. |
| VulnerableApp (OWASP) | A modern OWASP-backed tool with detailed vulnerability simulations, including command injection. |
| bWAPP: bee-box (v1.6) | A VM-based environment with a wide range of bugs, including OS command injection. |
| VM / CTF Name | Description |
|---|---|
| Persistence | Realistic OS command injection scenario via custom admin panels. |
| Pentester Lab: Web For Pentester | Classic web app security lab with command injection exercises. |
| Pentester Lab: CVE-2014-6271/Shellshock | Exploiting Shellshock (CVE-2014-6271), where Bash executes commands appended to a function definition in an environment variable, typically reached through CGI. |
| Pentester Lab: Rack Cookies and Commands injection | Demonstrates command injection through HTTP cookies in a Ruby-based app. |
| Command Injection ISO: 1 (Pentester Academy) | Dedicated ISO for mastering command injection via multiple endpoints. |
| SpiderLabs MCIR: ShelLOL | Vulnerable mini environment with shell injection bugs designed for automation testing. |
| Kioptrix: Level 1.1 (#2) | Classic Linux-based CTF challenge VM with web-based command injection paths. |
| Kioptrix: 2014 (#5) | Exploitation includes privilege escalation and web-based injection flaws. |
| Acid Server: 1 | Includes hidden command injection in upload and diagnostics features. |
| Flick: 2 | Vulnerability-rich CTF box with web injection and misconfigurations. |
| SickOS: 1.1 | Focused on realistic enumeration and injection vectors via command execution. |
| GracefulSecurity VulnVM | Clean beginner-friendly vulnerable VM designed for various web exploits. |
| SecuriCTF | Modern lab focusing on bypass techniques for common input filtering and injection. |
| Bulldog | Includes a vulnerable admin dashboard with injectable command parameters. |
| Tool / Lab | Description |
|---|---|
| w3af-moth | A vulnerability and exploitation testbed used with w3af; includes command injection vectors. |
| commix-testbed | Official testbed for Commix, a tool for automating command injection attacks. |
| command-line-security-300 (CTF) | A challenge focused specifically on bypassing command-line restrictions and injection vectors. |
| lfi-labs | While focused on LFI, several exercises tie into command execution via LFI-to-RCE chains. |
| Testsparker | Online PHP-based vulnerable testbed with command injection and file upload vulnerabilities. |
| Extreme Vulnerable Node Application (XVNA) | Node.js-based app that includes vulnerable API routes and shell execution scenarios. |
Use these environments responsibly and only in isolated or authorized settings. They are intended for ethical hacking, education, and security research.