Command Injection

What is Command Injection?

  • The abuse of an application's behavior to execute commands on the underlying operating system, with the same privileges the application itself is running with.

  • Also known as "Remote Code Execution (RCE)", because an attacker can trick the application into executing a series of payloads that they provide, without having direct access to the machine itself.

  • The web server processes this code and executes it under the privileges and access controls of the user account running the application.

Discovering Command Injection

  • The vulnerability exists because applications often use programming-language functions to pass data to, and make system calls on, the operating system.

Exploiting Command Injection

  • Applications that use user input to populate system commands can often be driven into unintended behavior.

  • Can be detected in one of two ways:

  1. Blind command injection

    • This type of injection is where there is no direct output from the application when testing payloads.

    • You have to investigate the behavior of the application to determine whether or not your payload was successful.

    • Another method of detecting blind command injection is to force some output.

    • This can be done using redirection operators such as >

  2. Verbose command injection

    • Direct feedback from the application once you have tested a payload.

    • For example, the web application outputs the result of a command (such as the username from whoami) directly on the page.

Useful Payloads

Linux

Payload   Description
whoami    See what user the application is running under.
ls        List the contents of the current directory. You may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things.
ping      This command will cause the application to hang. This is useful when testing an application for blind command injection.
sleep     Another useful payload for testing an application for blind command injection, where the machine does not have ping installed.
nc        Netcat can be used to spawn a reverse shell from the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges.

Windows

Payload   Description
whoami    See what user the application is running under.
dir       List the contents of the current directory. You may find files such as configuration files, environment files (tokens and application keys), and many more valuable things.
ping      This command will cause the application to hang. This is useful when testing an application for blind command injection.
timeout   This command will also cause the application to hang. Useful for testing an application for blind command injection if the ping command is not installed.

Remediating Command Injection

  • Vulnerable Functions

    • Minimize the use of potentially dangerous functions or libraries that interact with the operating system to execute commands via a shell; these include:

      • Exec

      • Passthru

      • System

    • Any application that uses these functions without proper checks will be vulnerable to command injection.

  • Input sanitization

    • Sanitizing the user input that an application uses is a great way to prevent command injection.

    • This is the process of specifying the formats or types of data that a user is allowed to submit.

  • Bypassing Filters

    • Applications employ filtering and sanitization of the data taken from a user's input.

    • Filters will restrict you to specific payloads; however, the logic behind an application can be abused to bypass these filters.
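The Vulnerable Functions and Input sanitization points above, as an added Python example that is not from the original notes: a ping endpoint written the dangerous way (user input concatenated into a string destined for a shell) beside a hardened version that validates the host against an allow-list and runs ping with an argument list and no shell. The host pattern, function names and sample inputs are assumptions made for illustration; the vulnerable string is returned for inspection, never executed.

```python
import re
import subprocess

# Allow-list for the single value this endpoint accepts: a hostname or
# dotted IPv4 address. Letters, digits, dots and hyphens only, so shell
# metacharacters (; | & > ` $ and whitespace) can never reach the command.
# The pattern is an assumption chosen for this example.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def validate_host(value: str) -> bool:
    """Return True only if value matches the allow-list pattern."""
    return HOST_RE.fullmatch(value) is not None


def vulnerable_command_string(host: str) -> str:
    """The pattern the notes warn about: raw user input concatenated into a
    string that system()/exec()-style calls hand to /bin/sh. Returned, not
    executed, so the contrast can be inspected safely."""
    return "ping -c 1 " + host


def build_ping_command(host: str) -> list:
    """Validate first, then return an argv list; no shell is ever involved."""
    if not validate_host(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute ping without a shell; the timeout also bounds a hung process
    (the hang itself is the signal used to find blind injection)."""
    argv = build_ping_command(host)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, two carrying characters a
    # shell would interpret. Only the first survives validation.
    for candidate in ["10.0.0.1", "10.0.0.1;ls", "10.0.0.1 > /tmp/out"]:
        verdict = "accepted" if validate_host(candidate) else "rejected"
        print(candidate, "->", verdict)
```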
