In the first part of the Zico2 VulnHub CTF walkthrough, we demonstrated command injection in an old version of the PhpMyAdmin database that allowed us to execute system commands remotely.

Command Injection

Command injection is an attack that aims to execute arbitrary commands on the host operating system through a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (such as forms, cookies, HTTP headers, etc.) to a system shell. The operating system commands supplied by the attacker are typically run with the privileges of the vulnerable application. Inadequate input validation is a major factor in making command injection attacks possible.

This attack is distinct from code injection, in which the attacker inserts custom code that the application then runs. With command injection, the attacker extends the application's default functionality, namely the ability to execute system commands, without needing to insert code.
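The difference between handing user input to a system shell and passing it as a single validated argument, as an added example that is not from the original walkthrough. The function names, the `echo` stand-in command and the sample input are constructed for illustration.

```python
import re
import subprocess

# Constructed sample input: a "host" form field with a shell metacharacter appended.
SAMPLE_INPUT = "example.com; echo INJECTED"

# Allowlist for DNS hostnames: labels of letters, digits and inner hyphens.
# Requiring an alphanumeric first character also stops option-style values ("-x").
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*")


def lookup_vulnerable(host):
    """Weak form: the input is concatenated into a string that /bin/sh parses,
    so ';' ends the intended command and starts a second one."""
    cmd = "echo resolving " + host
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def lookup_no_shell(host):
    """No shell: the input is one argv element and metacharacters stay literal."""
    out = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return out.stdout.splitlines()


def lookup_hardened(host):
    """Hardened form: validate against the allowlist, then execute without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    return lookup_no_shell(host)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(SAMPLE_INPUT))
    print("no shell:  ", lookup_no_shell(SAMPLE_INPUT))
    try:
        lookup_hardened(SAMPLE_INPUT)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("hardened:  ", lookup_hardened("example.com"))
```

The second command in the vulnerable output runs with the same privileges as the calling process, which is why the account the web application runs under matters as much as the input validation.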

Video Walkthrough | Part 1

In the second part, we demonstrated Linux privilege escalation through the unzip command.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.