OS Command Injection Vulnerability

Command Injection

A Command Injection attack is also known as Arbitrary Code Execution. In command injection, an attacker supplies malicious input to application functions that execute system shell commands, so the shell ends up running commands chosen by the attacker.

The vulnerability occurs when a web application passes unsafe, user-controlled data such as form fields, cookies or HTTP header values to a system shell without validating it first.

This attack differs from Code Injection, where the attacker adds his own code that is then executed by the application itself. In code injection, the attacker extends the default functionality of the application without needing to execute system commands at all.

Crafting the attack parameters

This attack is similar to SQL Injection in that the user crafts the attack by passing commands into input fields. Shell commands are generally delimited with a semi-colon, which makes it easy to chain multiple commands inside a single injected value.

The hash symbol (#) turns everything after it on the line into a comment that the shell does not execute; in an injected value it can be used to cut off whatever the application appends after the user input.

Example of Vulnerable Code

<?php
// Deliberately vulnerable: the query parameter goes straight into a shell call.
echo "Enter the file to be deleted.";
$file = $_GET['filename'];
system("$file");
?>

Request:

http://example.com/deletefile.php?filename=file.txt;ls

Response:

Enter the file to be deleted.
Hello.txt
Word.txt
Serverone.exe
System.exe
asd.awk
File.l

In the above example, if the application is vulnerable to command injection, the semi-colon ends the first command and the appended ls command runs, so the response lists all the files present in the server's working directory.

Functions leading to Command Injection

The following PHP functions pass their argument to a system shell and are therefore the usual sources of command injection:

  • exec()
  • passthru()
  • system()
  • shell_exec()
  • Backtick operator (`...`)

Besides these, the /e modifier of preg_replace() also allows command injection, because it evaluates the replacement string as PHP code. This is one of the least expected places to find the vulnerability.


Mitigations

To eliminate command injection in a PHP web application, validate every input field and sanitize the values against command attempts before they reach a shell.

PHP provides two functions that can be used to sanitize input before passing it to any shell command:

  • escapeshellarg()

This wraps the input in single quotes and escapes any single quotes inside it, so the whole value is passed to the shell as a single argument.

  • escapeshellcmd()

This escapes the shell metacharacters in a command string so that they cannot be used to interrupt or override the intended execution.
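Below is an added example, not code from the article, that rewrites the vulnerable deletefile.php handler from above in a hardened form: an allow-list check on the file name, a PHP API that needs no shell, and escapeshellarg() for the case where a shell is unavoidable. The directory $baseDir and the function names are assumptions for illustration.

```php
<?php
// Added example: hardened version of the deletefile.php handler.
// Assumed: files live in $baseDir and only plain file names are accepted.
declare(strict_types=1);

$baseDir = '/var/www/uploads';   // assumed location, adjust for your deployment

// 1. Validate: accept only a conservative allow-list of characters.
//    Every shell metacharacter the article's payload relies on (";" and the
//    like) is rejected before any shell is involved.
function validateFilename(string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // "." and ".." pass the regex but would escape the directory; reject them.
    if ($name === '.' || $name === '..') {
        return null;
    }
    return $name;
}

// 2. Prefer a PHP API over a shell: unlink() takes a path, not a command
//    string, so there is no command line for metacharacters to break out of.
function deleteWithoutShell(string $baseDir, string $name): bool
{
    $path = $baseDir . DIRECTORY_SEPARATOR . $name;
    return is_file($path) && unlink($path);
}

// 3. If a shell really is required (e.g. wrapping an external tool), pass the
//    user value through escapeshellarg() so it becomes one single-quoted
//    argument: "file.txt;ls" reaches rm as the literal name 'file.txt;ls'
//    instead of two chained commands.
function deleteViaShell(string $baseDir, string $name): void
{
    $arg = escapeshellarg($baseDir . DIRECTORY_SEPARATOR . $name);
    system('rm -f -- ' . $arg);
}

$name = validateFilename((string) ($_GET['filename'] ?? ''));
if ($name === null) {
    http_response_code(400);
    exit('Invalid file name.');
}
echo deleteWithoutShell($baseDir, $name) ? "Deleted.\n" : "Not found.\n";
```

Validation and escaping complement each other: the allow-list rejects the request in the example above outright, while escapeshellarg() protects any remaining shell call if validation is ever loosened.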
