Saturday, September 23 2017

OS Command Injection Vulnerability

A Command Injection attack is also known as Arbitrary Code Execution. In Command Injection, an attacker injects malicious input into system functions, which then execute system shell commands based on the attacker's input.

The Command Injection vulnerability occurs when a web application exposes unsafe input channels, such as forms, cookies or HTTP header data, through which malicious users can supply harmful data.

This attack differs from Code Injection as code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.

Crafting the attack parameters

This attack is similar to SQL Injection: the user crafts the attack by passing chosen commands into the user input fields. Shell commands are generally delimited with a semi-colon, which makes it easy to chain multiple commands in one input.

The hash symbol (#) marks everything that follows it on the line as a comment, so the shell does not interpret that part.

Example of Vulnerable Code

<?php
// Deliberately vulnerable: the request value reaches the shell unsanitized.
echo "Enter the file to be deleted.";
$file = $_GET['filename'];
system("rm $file");
?>

Request:

http://example.com/deletefile.php?filename=file.txt;ls

Response:

Enter the file to be deleted.
Hello.txt
Word.txt
Serverone.exe
System.exe
asd.awk
File.l

The example above shows that if the web application is vulnerable to Command Injection, the semi-colon ends the first command and the appended ls command runs, so the application lists all the files present on the server.

Functions leading to Command Injection

With that in mind, the following functions and operators can lead to Command Injection attacks:

  • exec()
  • passthru()
  • system()
  • shell_exec()
  • Backtick operators

Besides these, the /e flag of the preg_replace() function also allows Command Injection. This is the least expected place for a Command Injection vulnerability to be detected.


Mitigations

To eliminate the Command Injection vulnerability in any PHP web application, proper input validation is essential, and every input field should be sanitized against malicious input.

PHP provides two functions that help make a web application secure. They can be used to sanitize input before passing it to any shell command.

  • escapeshellarg()

This adds quotes around the input and escapes any quotes inside it.

  • escapeshellcmd()

This escapes all the special characters that could be used to interrupt or override execution.
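
The mitigation above applied to the article's deletefile.php, as an added example that is not part of the original article: the input is checked against an allow-list first and then passed through escapeshellarg(). UPLOAD_DIR, build_delete_command() and the file-name pattern are assumptions made for illustration.

```php
<?php
// Added example, not from the original article: a hardened deletefile.php.
// UPLOAD_DIR and the file-name pattern are assumptions chosen for illustration.
const UPLOAD_DIR = '/var/www/uploads';

/**
 * Return the shell command that deletes one file, or null when the input
 * fails validation. Validation is the first gate; escaping is the backstop.
 */
function build_delete_command(string $input): ?string
{
    // Allow-list: a plain file name, no path separators, spaces or shell
    // metacharacters, and no leading "-" or "." (options, "..", dotfiles).
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\z/', $input)) {
        return null;
    }
    // escapeshellarg() quotes the value so the shell sees a single argument;
    // "--" tells rm that no options follow.
    return 'rm -- ' . escapeshellarg(UPLOAD_DIR . '/' . $input);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including the request value from the article.
    foreach (['file.txt', 'file.txt;ls', '../config.php', '-rf', 'a b.txt'] as $s) {
        printf("%-14s => %s\n", $s, build_delete_command($s) ?? 'REJECTED');
    }
} else {
    // Web request: reject anything that is not a single valid file name.
    $name = $_GET['filename'] ?? null;
    $cmd = is_string($name) ? build_delete_command($name) : null;
    if ($cmd === null) {
        http_response_code(400);
        exit('Invalid file name.');
    }
    system($cmd, $status);
    echo $status === 0 ? 'File deleted.' : 'Delete failed.';
}
```

Run it with the PHP CLI to see which sample inputs are rejected. Where a native function exists (unlink() for this case), calling it instead of system() avoids the shell entirely.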



About Kamran Mohsin

Kamran Mohsin
I'm a software engineer by profession, a passionate and experienced web designer, developer and blogger. I work with programming languages on a daily basis and work to get something new into my knowledge beyond what I had before. I write blogs about information security, WordPress, various ways to make money and more.
