What are Command Injection Vulnerabilities?

Introduction

Command injection vulnerabilities are among the most dangerous web vulnerabilities. Many security testers and bounty hunters aim to find command injection vulnerabilities because of the impact they can have on the target application.

This article will provide an overview of command injection vulnerabilities, along with an introduction to various vulnerabilities that can eventually lead to command injection.

What is command injection?

Command injection is a type of web vulnerability that allows attackers to execute arbitrary operating system commands on the server where the application is running. Command injection vulnerabilities occur when applications make use of shell commands, or of scripts that execute shell commands in the background.

Let’s consider the following URL of an application, which performs base64-encoding of user input.

http://target-site.com/encode.php?text=helloworld

This user input is passed as a GET parameter to the encode.php file.

The following is the source code of encode.php:

<?php
// Deliberately vulnerable: user input is concatenated into a shell command.
$input = $_GET['text'];
system("echo -n " . $input . " | base64");
?>

As we can see from the preceding code snippet, the user input is passed to the PHP system() function, which is used to execute operating system commands in PHP.

If a user appends a system command to the input, separated by a semicolon, the shell executes it as an operating system command. The request looks like this:

http://target-site.com/encode.php?text=test;id

The following is the response returned to the user:

testdWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK

As we can see, the word test is not encoded, but a long encoded string is returned in the response. Because the shell splits the command line at the semicolon, only the output of the second command is piped to base64. Decoding this text looks like this:

$ echo -n "dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK" | base64 -d
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

As you can see, the encoded text is the output of the id command passed to the application. 
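
The following added example (not part of the original article) shows three ways encode.php could process the same input without letting the shell interpret it. The function names and the length limit are hypothetical, and it assumes PHP 7.4 or later with a base64 binary on the PATH.

```php
<?php
// Added example, not the article's code. Function names are hypothetical.

const MAX_INPUT_BYTES = 4096; // assumed limit; keeps pipe I/O below buffer sizes

// Option 1: no external process at all. PHP encodes base64 natively.
function encode_native(string $text): string
{
    return base64_encode($text);
}

// Option 2: the external tool is required. Passing the command as an array
// (PHP >= 7.4) makes proc_open() start the program directly, with no shell,
// and the input travels on stdin, so ';' or '|' in it are only data.
function encode_via_process(string $text): string
{
    if (strlen($text) > MAX_INPUT_BYTES) {
        throw new InvalidArgumentException('input too long');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open(['base64'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start base64');
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('base64 exited with an error');
    }
    return str_replace("\n", '', $out); // drop line wrapping and trailing newline
}

// Option 3: a shell string cannot be avoided. escapeshellarg() wraps the value
// in single quotes so the shell reads it as one argument; printf '%s' replaces
// "echo -n" so input beginning with '-' is not taken as an option.
function build_shell_command(string $text): string
{
    return "printf '%s' " . escapeshellarg($text) . ' | base64';
}

if (PHP_SAPI === 'cli') {
    $payload = 'test;id'; // the input from the article's example URL
    var_dump(encode_native($payload) === encode_via_process($payload));
    echo build_shell_command($payload), "\n";
}
```

Run from the command line, the script compares the native and process-based encodings of the article's test input and prints the quoted command string that option 3 would hand to the shell.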

Why are command injection vulnerabilities dangerous? 

The command injection class of (Read more…)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: https://resources.infosecinstitute.com/what-are-command-injection-vulnerabilities/