We covered command injection vulnerability and how input sanitisation and validation are critical in preventing exploiting this vulnerability.

To begin with, let’s first understand what command injection is. Command injection is the abuse of an application’s behaviour to execute commands on the operating system, using the same privileges that the application on a device is running with. For example, achieving command injection on a web server running as a user named joe will execute commands under this joe user – and therefore obtain any permissions that joe has.

A command injection vulnerability is also known as a “Remote Code Execution” (RCE) because an attacker can trick the application into executing a series of payloads that they provide, without direct access to the machine itself (i.e. an interactive shell). The webserver will process this code and execute it under the privileges and access controls of the user who is running that application.

Command injection is also often known as “Remote Code Execution” (RCE) because of the ability to remotely execute code within an application. These vulnerabilities are often the most lucrative to an attacker because it means that the attacker can directly interact with the vulnerable system. For example, an attacker may read system or user files, data, and things of that nature.

For example, being able to abuse an application to perform the command whoami to list what user account the application is running will be an example of command injection.

Command injection was one of the top ten vulnerabilities reported by Contrast Security’s AppSec intelligence report in 2019. (Contrast Security AppSec., 2019). Moreover, the OWASP framework constantly proposes vulnerabilities of this nature as one of the top ten vulnerabilities of a web application (OWASP framework).

Challenge Questions and Answers

What variable stores the user’s input in the PHP code snippet in this task?

What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?

If I wanted to execute the id command in the Python code snippet, what route would I need to visit?

What payload would I use if I wanted to determine what user the application is running as?

What popular network tool would I use to test for blind command injection on a Linux machine?

What payload would I use to test a Windows machine for blind command injection?

What is the term for the process of “cleaning” user input that is provided to an application?
What user is this application running as?

What are the contents of the flag located in /home/tryhackme/flag.txt?

Video Walk-through

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles