Introduction
We covered the command injection vulnerability and how input sanitisation and validation are critical in preventing its exploitation.
To begin with, let’s first understand what command injection is. Command injection is the abuse of an application’s behaviour to execute commands on the operating system, using the same privileges that the application on a device is running with. For example, achieving command injection on a web server running as a user named joe will execute commands under this joe user – and therefore obtain any permissions that joe has.
A command injection vulnerability is also often known as “Remote Code Execution” (RCE) because an attacker can trick the application into executing a series of payloads that they provide, without direct access to the machine itself (i.e. an interactive shell). The web server will process this code and execute it under the privileges and access controls of the user who is running that application. These vulnerabilities are often the most lucrative to an attacker because they allow the attacker to interact directly with the vulnerable system: for example, an attacker may read system or user files, data, and things of that nature.
For example, being able to abuse an application to perform the command whoami to list what user account the application is running as would be an example of command injection.
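To make the vulnerable pattern concrete, the following is an added example (not one of the room’s own PHP or Python snippets) that contrasts a command built by string interpolation with one that validates the input and passes it to the OS as a separate argument with no shell involved. The hostname format check and the ping command are assumptions chosen for illustration.

```python
import re
import subprocess

# Vulnerable pattern: user-controlled input is spliced into a shell command
# string. Whatever the user supplies reaches the shell unchanged, so any
# shell metacharacters in `host` change which commands are executed.
def build_shell_command_vulnerable(host: str) -> str:
    return f"ping -c 1 {host}"

# Hardened pattern, part 1: validate the input against an allowlist of what
# a hostname may legitimately contain (letters, digits, dots, hyphens).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")

def is_valid_hostname(value: str) -> bool:
    """Return True only if `value` matches the hostname allowlist."""
    return bool(HOSTNAME_RE.fullmatch(value))

# Hardened pattern, part 2: build an argument vector instead of a string.
# Each element is passed to the program as one argument; no shell parses it.
def build_argv_safe(host: str) -> list[str]:
    if not is_valid_hostname(host):
        raise ValueError("rejected input: not a valid hostname")
    return ["ping", "-c", "1", host]

def run_ping_safe(host: str) -> subprocess.CompletedProcess:
    """Run ping with shell=False so the OS receives argv, not a command line."""
    return subprocess.run(
        build_argv_safe(host),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )

if __name__ == "__main__":
    # Constructed sample inputs: one well-formed hostname, one containing a
    # shell metacharacter that the validator must reject.
    for sample in ("example.com", "example.com;id"):
        print(sample, "->", "accepted" if is_valid_hostname(sample) else "rejected")
```

The vulnerable builder is included only to show the shape of code to look for during review; the safe path never hands user input to a shell at all.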
Command injection was one of the top ten vulnerabilities reported in Contrast Security’s AppSec intelligence report in 2019 (Contrast Security AppSec., 2019). Moreover, the OWASP framework consistently lists vulnerabilities of this nature among the top ten vulnerabilities of a web application (OWASP framework).
Challenge Questions and Answers
What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?
If I wanted to execute the id command in the Python code snippet, what route would I need to visit?
What popular network tool would I use to test for blind command injection on a Linux machine?
What payload would I use to test a Windows machine for blind command injection?
What are the contents of the flag located in /home/tryhackme/flag.txt?