
Command injection

Command injection (also called OS command injection) is a serious vulnerability class: it lets an attacker execute arbitrary operating-system commands on the host of a flawed application. It arises when a web application or program builds and executes operating-system commands from user-supplied input without validating that input, which can compromise the integrity and confidentiality of the system.

Next, we explore how this injection technique manifests at each of the three security levels.

Low

At this level there is no validation or filtering of user input. In the command injection section we find a form that takes an IP address and pings it.

Normal user input commands

If the programmer has not validated the user input, a user can chain commands exactly as they would in a terminal. The table below lists the common operators, what they do, and an example of each:

Operator   Action                                                                          Example
|          The output of the first command becomes the input of the second                 cat xxx | grep yyy
||         The second command runs only if the first command fails                         ping 18.2.2 || cat xxxx
&          The first command is sent to the background and the second runs immediately,    ls xxx & cat yyyy
           regardless of whether the first succeeds
&&         The second command runs only if the first command succeeds                      ping 8.8.8.8 && cat ggggg
;          The second command runs regardless of the result of the first                   ls tttt; cat yyyy

If the application passes this input straight to a shell, any of these operators lets an attacker append a command of their own. So we can start playing with the input: trying any of the combinations above (for example an IP address followed by ; ls) works, because the code executes whatever the user enters.

Input Command low attack

As a result, the files in the web server's working directory are listed after the ping output, and what to do next on the target machine is left to our imagination.

Medium

We switch level and try the same payload that succeeded at the previous level, but this time it does not work.

Input Command Injection medium attack

At this level, the && and ; operators are stripped from the input in the application code:

    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

Since these two operators are stripped, we must look at the other operators in the table. By running the commands in parallel with a single & (which is not on the list), we again achieve injection. Note also that the substitutions are applied one after another: removing ; from the input &;& leaves && behind, resurrecting the very operator the filter tried to block.

This highlights the importance of layering defences rather than relying on filtering a handful of characters. Developers should mitigate this class of vulnerability proactively: strict input validation, whitelists (allow-lists) instead of blacklists, appropriate access control, and, where an OS command must be run at all, executing it without a shell with the user input passed as a single argument.

Input Command Injection other medium attack

High

We end with the high security level. Here we have tried every case in the table above without obtaining a valid result.

Input Command Injection fail high attack

If we look at the code, all the operators from the previous levels are on the blacklist, together with several other shell metacharacters:

    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

On closer inspection, though, the '| ' entry has a trailing space: only a pipe followed by a space is removed. A pipe with no space after it (for example 127.0.0.1|ls) is left intact, which evades the blacklist and achieves injection. Because the entries are applied in order and '||' comes after '| ', exactly how the pipes and spaces are arranged determines what survives the filter.
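To see why the Low, Medium and High bypasses above behave as they do, the following added example (not code from the original page or the application it describes) models the two substitution tables quoted on this page in Python. PHP's str_replace() with array arguments applies each search/replace pair in turn over the whole string, and the model reproduces that order. The command template ping -c 4 and the sample payloads are assumptions constructed for the demonstration.

```python
"""Model of the blacklist filters quoted on this page (added example).

PHP's str_replace() with array arguments applies each search/replace pair
in turn, one pass per pair, over the whole string. That ordering is what
makes the bypasses work, so the model reproduces it exactly.
"""
from typing import Dict, List, Optional, Tuple

Substitutions = List[Tuple[str, str]]

# Empty list: the Low level performs no filtering at all.
LOW: Substitutions = []

# Medium level, as quoted on the page: '&&' and ';' are stripped.
MEDIUM: Substitutions = [("&&", ""), (";", "")]

# High level, as quoted on the page. Note the trailing space in '| ' and
# that '||' is processed after '| '.
HIGH: Substitutions = [
    ("&", ""), (";", ""), ("| ", ""), ("-", ""), ("$", ""),
    ("(", ""), (")", ""), ("`", ""), ("||", ""),
]

LEVELS: Dict[str, Substitutions] = {"low": LOW, "medium": MEDIUM, "high": HIGH}

# Shell operators checked longest-first so '&&' is reported before '&'.
OPERATORS = ("&&", "||", "|", "&", ";")


def apply_blacklist(user_input: str, substitutions: Substitutions) -> str:
    """Mimic str_replace(array_keys($s), array_values($s), $target)."""
    out = user_input
    for needle, replacement in substitutions:
        out = out.replace(needle, replacement)
    return out


def surviving_operator(filtered: str) -> Optional[str]:
    """First shell operator still present after filtering, or None."""
    for op in OPERATORS:
        if op in filtered:
            return op
    return None


def analyse(payload: str, level: str) -> Tuple[str, Optional[str]]:
    """Return (command as the shell would see it, surviving operator)."""
    filtered = apply_blacklist(payload, LEVELS[level])
    # Assumed command template: the form is taken to build 'ping -c 4 <input>'.
    command = f"ping -c 4 {filtered}"
    return command, surviving_operator(filtered)


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    samples = [
        ("127.0.0.1; ls", "low"),
        ("127.0.0.1 && ls", "medium"),    # blocked: '&&' stripped
        ("127.0.0.1 & ls", "medium"),     # single '&' is not on the list
        ("127.0.0.1 &;& ls", "medium"),   # ';' removal re-creates '&&'
        ("127.0.0.1 | ls", "high"),       # blocked: '| ' stripped
        ("127.0.0.1 |ls", "high"),        # no space after '|' survives
        ("127.0.0.1 || ls", "high"),      # '| ' removed first, leaving '|'
    ]
    for payload, level in samples:
        command, op = analyse(payload, level)
        verdict = f"injectable via {op!r}" if op else "blocked"
        print(f"{level:6} {payload!r:22} -> {command!r:30} {verdict}")
```

Running the script prints, for each constructed payload, the command string the shell would actually receive and which operator (if any) survived the filter. The point of the model is the sequential replacement: a blacklist that removes tokens one pass at a time can be made to create the token it was meant to remove.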

Input Command Injection high attack

In short, operating system command injection is a dangerous technique that lets attackers execute arbitrary commands on a web server. To prevent it, follow secure programming practices: validate user input strictly, prefer whitelists over blacklists for filtering unwanted commands and characters, and avoid passing user-controlled strings to a shell at all.
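As an added example of the whitelist approach recommended above (this is not the page's code nor the application's own fix), the following Python hardens the ping form logic with two independent controls: the target must parse as a literal IP address, and ping is executed as an argument vector with no shell, so operators such as ; | & are never interpreted even if validation were ever loosened. The function names and the ping -c flag (Linux iputils ping) are assumptions.

```python
"""Hardened version of the ping form logic (added example, not the page's code).

Instead of a blacklist, the target is accepted only if it parses as an IP
address (allow-list validation), and ping runs as an argv list without a
shell, so shell operators in the input can never be interpreted.
"""
import ipaddress
import subprocess
from typing import List


class InvalidTarget(ValueError):
    """Raised when the supplied target is not a literal IP address."""


def validate_target(user_input: str) -> str:
    """Allow-list validation: return a canonical IPv4/IPv6 address or raise.

    ipaddress.ip_address() rejects anything that is not a bare address, so
    payloads carrying operators, spaces or extra words never get this far.
    """
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise InvalidTarget(f"not an IP address: {user_input!r}") from None


def is_safe_target(user_input: str) -> bool:
    """Convenience predicate around validate_target()."""
    try:
        validate_target(user_input)
        return True
    except InvalidTarget:
        return False


def build_ping_argv(user_input: str, count: int = 4) -> List[str]:
    """Build the argument vector; the target is a single argv element."""
    target = validate_target(user_input)
    # A validated address can never start with '-', so it cannot be taken
    # for a ping option either (argument injection is ruled out as well).
    return ["ping", "-c", str(count), target]


def run_ping(user_input: str, count: int = 4, timeout: float = 15.0) -> str:
    """Execute ping without a shell (shell=False is the default for a list)."""
    argv = build_ping_argv(user_input, count)
    completed = subprocess.run(
        argv, capture_output=True, text=True, timeout=timeout, check=False
    )
    return completed.stdout + completed.stderr


if __name__ == "__main__":
    # Constructed inputs: a legitimate IPv4 and IPv6 target, then the page's payloads.
    candidates = ["127.0.0.1", "::1", "127.0.0.1; ls", "127.0.0.1 & ls",
                  "127.0.0.1 |ls", "8.8.8.8 || cat ggggg"]
    for candidate in candidates:
        try:
            print(f"{candidate!r:24} -> {build_ping_argv(candidate)}")
        except InvalidTarget as exc:
            print(f"{candidate!r:24} -> rejected: {exc}")
```

Both controls are needed: the allow-list rejects every payload in the table above before a process is even spawned, and running ping with an argument list means that even a future change to the validation rule could not reintroduce shell interpretation. Hostnames are rejected by this validator; if they must be supported, resolve them with a hostname grammar check and DNS rather than by widening the string filter.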