Sunday, April 28 2019

OS Command Injection Vulnerability

Command Injection is often grouped with Arbitrary Code Execution, because a successful attack lets the attacker run commands of their choosing on the host. In a Command Injection attack, user input reaches a function that executes system shell commands, and the attacker shapes that input so that the shell runs additional commands of the attacker's choosing.

The Command Injection vulnerability occurs when a web application passes user-controllable data (form fields, query parameters, cookies or HTTP header values) into a shell command without validating or escaping it first.

This attack differs from Code Injection. In Code Injection the attacker supplies code in the application's own language (for example PHP passed to eval()), which the interpreter then executes, so the attacker extends the application's functionality without necessarily running any system command. In Command Injection the injected text is interpreted by the operating system shell, not by the application's interpreter.

Crafting the attack parameters

This attack is similar to SQL Injection in that the attacker crafts input that changes the meaning of a command the application builds from it. Shell commands are separated by a semi-colon, which makes it easy to end the intended command and chain another one; the shell also treats &&, ||, |, a newline, backticks and $( ) as command separators or substitutions, so any of these can serve the same purpose.

The hash symbol (#) starts a comment in the shell: everything after it on the same line is ignored. An attacker can use it to discard whatever the application appends after the injected input, such as trailing arguments or options.

Example of Vulnerable Code

<?php
// Deliberately vulnerable (as in the original post): the user-supplied file name
// is concatenated into a shell command with no validation or escaping.
echo "Enter the file to be deleted.";
$file = $_GET['filename'];
system("rm " . $file);
?>

Request:

http://example.com/deletefile.php?filename=file.txt;ls

Response:

Enter the file to be deleted.
Hello.txt
Word.txt
Serverone.exe
System.exe
asd.awk
File.l

In the above example the application is vulnerable to Command Injection: the semi-colon ends the rm command the developer intended, and the ls that follows runs as a second command, so the response lists every file in the web server's working directory. Any other command the web server's user is allowed to run could be placed there instead.

Functions leading to Command Injection

The following PHP functions hand their argument to a shell (or spawn a process) and are the usual sinks for Command Injection:

  • exec()
  • passthru()
  • system()
  • shell_exec()
  • Backtick operator (`...`), which behaves like shell_exec()
  • popen() and proc_open()

Besides these, the /e modifier of preg_replace() is the least expected route: it evaluated the replacement string as PHP code, which could in turn call any of the functions above. The modifier was deprecated in PHP 5.5 and removed in PHP 7.0 (preg_replace_callback() is the replacement), so it only matters when reviewing legacy code running on old PHP versions.


Mitigations

To eliminate Command Injection in a PHP web application, first ask whether a shell is needed at all: most file, network and process tasks have a PHP API (for example unlink() instead of rm) that takes no command string and therefore cannot be chained. Where a shell call is unavoidable, validate the input against an allow-list of the values you expect (for example a plain file name made of letters, digits, dots, dashes and underscores) and reject everything else, rather than trying to strip dangerous characters out of arbitrary input.

PHP also provides two functions for the cases where a shell command must be built from user input. They escape rather than validate, so they are a second line of defence, not a substitute for the allow-list above.

  • escapeshellarg()

Wraps the value in single quotes and escapes any single quotes inside it, so the shell treats the whole value as one literal argument. A payload such as file.txt;ls becomes the single (non-existent) file name 'file.txt;ls' and no second command runs. Apply it to each argument separately.

  • escapeshellcmd()

Escapes the shell metacharacters in an entire command string (#, &, ;, `, |, *, ?, ~, <, >, ^, (, ), [, ], {, }, $, \ and newline, plus unpaired quotes) so the string cannot be used to chain or substitute commands. It does not stop an attacker from adding extra arguments, since spaces and leading dashes survive, so a value like "-rf /" can still change what the program does; for user-controlled arguments prefer escapeshellarg().
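The following command-line script is an added example, not code from the original post. It runs the post's vulnerable "delete file" pattern and two hardened variants (escapeshellarg() and a no-shell unlink() with an allow-list) against the separators discussed under "Crafting the attack parameters", so it illustrates both that section and the mitigations above. The payloads, the scratch directory and the function names are constructed for the demonstration; rm is replaced with echo rm so nothing is actually deleted, while /bin/sh still parses the metacharacters exactly as it would for the real command. It assumes PHP 7 or later on a Unix-like host.

```php
<?php
// Added example, not code from the original post. Runs the vulnerable "delete
// file" pattern and two hardened variants against constructed payloads.
// `rm` is replaced with `echo rm` so that nothing is really deleted; /bin/sh
// still parses the metacharacters exactly as it would for the real command.
// Assumes PHP 7+ on a Unix-like host.

// The post's pattern: the user-supplied name is concatenated into the command.
function delete_vulnerable(string $file): string
{
    return (string) shell_exec("echo rm " . $file);
}

// Hardened variant 1: still shells out, but the value is passed as a single
// quoted argument, so metacharacters inside it are literal and only one
// command runs.
function delete_escaped(string $file): string
{
    return (string) shell_exec("echo rm " . escapeshellarg($file));
}

// Hardened variant 2 (preferred): no shell at all. Validate against an
// allow-list of plain base names and use PHP's own filesystem API.
function delete_safely(string $file, string $dir): string
{
    // Letters, digits, dot, underscore and dash only, not starting with a dot;
    // this excludes path separators, "..", whitespace and every shell
    // metacharacter before any command could be built.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $file)) {
        return 'rejected: invalid file name';
    }
    $path = $dir . DIRECTORY_SEPARATOR . $file;
    if (!is_file($path)) {
        return 'rejected: no such file';
    }
    return unlink($path) ? "deleted $file" : 'delete failed';
}

// Constructed payloads exercising the separators discussed in the post.
$payloads = [
    'file.txt',            // benign
    'file.txt;id',         // ';' ends the rm command and starts a new one
    'file.txt && id',      // '&&' runs id after a successful rm
    'file.txt | id',       // '|' pipes into a second program
    'file.txt #ignored',   // '#' comments out the rest of the line
    'file.txt $(id)',      // command substitution inside the argument
];

// Scratch directory with one real target so the safe variant has work to do.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmdinj_demo_' . getmypid();
mkdir($dir, 0700);
touch($dir . DIRECTORY_SEPARATOR . 'file.txt');

foreach ($payloads as $p) {
    echo "payload: $p\n";
    $results = [
        'vulnerable'     => delete_vulnerable($p),
        'escapeshellarg' => delete_escaped($p),
        'no shell'       => delete_safely($p, $dir),
    ];
    foreach ($results as $label => $out) {
        // Fold multi-line shell output onto one line so chained output is visible.
        printf("  %-15s %s\n", $label . ':', str_replace("\n", ' \n ', trim($out)));
    }
}

@unlink($dir . DIRECTORY_SEPARATOR . 'file.txt');
rmdir($dir);
```

Run it with php followed by the file name you saved it under. In the vulnerable column the payloads using ;, &&, | and $( ) print the output of id next to (or instead of) the rm line, and # silently drops whatever follows it; under escapeshellarg() every payload prints as one literal file name and no second command runs; the no-shell variant deletes only the benign name and rejects the rest before any command string exists. Note that escapeshellcmd() is deliberately absent from the harness: it would block the chaining here, but because it preserves spaces and leading dashes it still allows extra arguments to be smuggled into the command, which is why per-argument escapeshellarg() or no shell at all is the better choice.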



About Kamran Mohsin

Kamran Mohsin
Kamran Mohsin is a Certified Ethical Hacker, currently working as a Penetration Tester at a private company in Pakistan and studying for a Masters in Information Security. He has worked in web development (front-end and back-end) for several years, took an interest in hacking over time, and has been writing blogs on information security since late 2015.
