Command Injection
What is Command Injection?
The abuse of an application's behavior to execute commands on the operating system, using the same privileges that the application on a device is running with
Also known as a "Remote Code Execution (RCE)" because an attacker can trick the application into executing a series of payloads that they provide, without direct access to the machine itself
Webserver will process this code and execute it under the privileges and access controls of the user who is running the application
Discovering Command Injection
The vulnerability exists because applications often use functions in programming languages use functions to pass data to and to make system calls on the OS
Exploiting Command Injection
Applications that use user input to populate system commands with data can often be combined in unintended behavior
Can be detected in one of two ways:
Blind command injection
This type of injection is where there is no direct output from the application when testing payloads.
You will have to investigate the behaviors of this application to determine whether or not your payload was successful.
Another method of detecting blind command injection is by forcing some output.
This can be done by using redirection operators such as
>
Verbose command injection
The direct feedback from the application once you have tested a payload.
The web application will output the username on the page directly.
Useful Payloads
Linux
Payload
Description
whoami
See what user the application is running under.
ls
List the contents of the current directory. You may be able to find files such as configuration files, environment files (tokens and application keys), and many more valuable things.
ping
This command will invoke the application to hang. This will be useful in testing an application for blind command injection.
sleep
This is another useful payload in testing an application for blind command injection, where the machine does not have ping installed.
nc
Netcat can be used to spawn reverse shell onto the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges.
Windows
Payload
Description
whoami
See what user the application is running under.
dir
List the contents of the current directory. You may find files such as configuration files, environment files (tokens and application keys), and many more valuable things.
ping
This command will invoke the application to hang. This will be useful in testing an application for blind command injection.
timeout
This command will also invoke the application to hang. Useful for testing an application for blind command injection if the ping command is not installed.
Remediating Command Injection
Vulnerable Functions
Attempt minimal use of potentially dangerous functions or libraries that interact with the operating system to execute commands via shell, these include:
ExecPassthruSystem
Any application that uses these functions without proper checks will be vulnerable to command injection.
Input sanitization
Sanitizing input from a user that an application uses is a great way to prevent command injection
This is a process of specifying the formats or types of data that a user can submit
Bypassing Filters
Applications employ filtering and sanitizing data that is taken from a user's input.
Filters will restrict you to specific payloads; however, we can abuse the logic behind an application to bypass these filters
Last updated