Command Injection
=================

Command Injection is an attack that allows an attacker to run system commands on a computer via a vulnerable application (e.g. a website). This happens when the application fails to encode/escape user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the ``system()`` command or its equivalent in the programming language of the application.

.. code-block:: python

    import os

    domain = user_input()  # User controlled input (e.g. example.com)

    os.system('ping ' + domain)

The above code when used normally will ping the ``example.com`` domain. But what would happen if the ``user_input()`` function returned data that was more complicated than just a domain name? For example, what if the input contained semicolons?

.. code-block:: python

    import os

    domain = user_input()  # ; ls

    os.system('ping ' + domain)

Because of the additional semicolon, the ``os.system()`` function is instructed to run two commands. It looks to the program as:

.. code-block:: bash

    ping ; ls

.. note:: The semicolon terminates a command in bash and allows you to put another command after it.

Because the ``ping`` command is being terminated and the ``ls`` command is being added on, the ``ls`` command will be run in addition to the empty ping command! This is the core concept behind command injection. The ``ls`` command could of course be switched with another command (e.g. wget, curl, bash, etc.).

Command injection is a very common means of privilege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.

Example Payloads
----------------

- ``;ls``
- ``$(ls)``
- ```ls\```
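The following is an added example, not code from the original page: it shows the defensive counterpart to the ``os.system('ping ' + domain)`` snippet above. It validates the user-controlled value against a hostname allow-list, passes it to ``subprocess.run`` as an argument vector so no shell ever parses it, and shows ``shlex.quote`` as the fallback when a shell string is unavoidable. The function names and the ``-c 1`` ping option are assumptions of this example.

```python
"""Hardened counterpart to os.system('ping ' + domain) (added example)."""
import re
import shlex
import subprocess

# Allow-list for a syntactically valid hostname: dot-separated labels of
# letters, digits and hyphens, at most 253 characters in total. Shell
# metacharacters such as ; | & $ ` ( ) and whitespace cannot match it.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for values that look like a plain hostname."""
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(domain: str) -> list:
    """Validate the input and return an argument vector for ping.

    The list form is meant for subprocess.run without shell=True: each
    element reaches ping as one literal argument, so a payload like
    '; ls' could never be interpreted as a second command.
    """
    if not is_valid_hostname(domain):
        raise ValueError(f"refusing to ping: invalid hostname {domain!r}")
    return ["ping", "-c", "1", domain]  # -c 1: single probe (assumed option)


def ping(domain: str) -> int:
    """Run ping without a shell and return its exit status."""
    return subprocess.run(build_ping_argv(domain), check=False).returncode


def quoted_shell_command(domain: str) -> str:
    """Fallback when a shell string is unavoidable: quote the argument.

    shlex.quote wraps anything containing shell metacharacters in single
    quotes, so the whole value becomes one literal argument. Prefer the
    allow-list plus argv approach above; quoting alone is defence in depth.
    """
    return "ping -c 1 " + shlex.quote(domain)


if __name__ == "__main__":
    # Constructed sample inputs: a benign domain and the page's payloads.
    for candidate in ["example.com", "example.com; ls", "$(ls)", "`ls`"]:
        print(f"{candidate!r}: valid={is_valid_hostname(candidate)}, "
              f"quoted={quoted_shell_command(candidate)}")
```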