We covered the first part of Zico2 VulnHub CTF Walkthrough where we demonstrated command injection in an old version of PhpMyAdmin database that allowed us to execute remote system commands.
Command Injection
An attack known as “command injection” aims to use a weak application to execute arbitrary commands on the host operating system. When an application sends a system shell with sensitive user input (such as forms, cookies, HTTP headers, etc.), command injection attacks may be conceivable. The operating system commands supplied by the attacker in this attack are typically run with the privileges of the susceptible program. A major factor in the possibility of command injection attacks is inadequate input validation.
This attack is distinct from code injection because the latter enables the attacker to insert custom code that the application will then run. By using command injection, an attacker can increase an application’s default functionality—namely, the ability to execute system commands—without actually inserting code.
The Complete Practical Web Application Penetration Testing Course
Video Walkthrough | Part 1