We covered the first part of the Zico2 VulnHub CTF walkthrough, where we demonstrated command injection in an old version of the PhpMyAdmin database that allowed us to execute remote system commands.

Command Injection

Command injection is an attack that aims to execute arbitrary commands on the host operating system through a vulnerable application. Command injection attacks become possible when an application passes unsafe user-supplied input (such as forms, cookies, HTTP headers, etc.) to a system shell. The operating system commands supplied by the attacker are typically run with the privileges of the vulnerable program. A major factor in the possibility of command injection attacks is inadequate input validation.

This attack is distinct from code injection, in which the attacker inserts custom code that the application then runs. With command injection, the attacker extends the application's default functionality (namely, its ability to execute system commands) without actually inserting code.
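The difference between handing user input to a system shell and passing it as a single validated argument, as an added example (not code from the walkthrough or from the target application). The function names, the `echo` stand-in for the real system command, the allow-list pattern and the sample input are all constructed for illustration and assume a POSIX system.

```python
import re
import subprocess

# Constructed allow-list (assumption): a short name that must start with an
# alphanumeric character, so it can be neither shell syntax nor a "-option".
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def lookup_vulnerable(name: str) -> str:
    """Concatenates user input into a shell string.

    /bin/sh parses the whole string, so metacharacters such as ';' in
    `name` end the intended command and start another one.
    """
    proc = subprocess.run("echo looking up " + name, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_argv(name: str) -> str:
    """Passes user input as one argv element with no shell involved.

    The program receives the input as literal data, whatever it contains.
    """
    proc = subprocess.run(["echo", "looking up", name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def lookup_hardened(name: str) -> str:
    """Validates against the allow-list first, then uses the argv form."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("input rejected by allow-list")
    return lookup_argv(name)


if __name__ == "__main__":
    sample = "host; echo INJECTED"  # constructed input with a shell metacharacter
    print("shell string :", repr(lookup_vulnerable(sample)))
    print("argv, no shell:", repr(lookup_argv(sample)))
    try:
        lookup_hardened(sample)
    except ValueError as exc:
        print("hardened      :", exc)
```
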


Video Walkthrough | Part 1

In the second part, we demonstrated Linux privilege escalation through the unzip command.