Command Injection is an attack that allows an attacker to run system commands to a computer via a vulnerable application (e.g. a website). This happens when the application fails to encode/escape user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the system()
command or its equivalent in the programming language of the application.
import os
domain = user_input() # User controlled input (e.g. example.com)
os.system('ping ' + domain)
The above code when used normally will ping the example.com
domain.
But what would happen if the user_input()
function returned data that was more complicated than just a domain name? For example what if the input contained semicolons?
import os
domain = user_input() # ; ls
os.system('ping ' + domain)
Because of the additional semicolon, the os.system()
function is instructed to run two commands.
It looks to the program as:
ping ; ls
Note
The semicolon terminates a command in bash and allows you to put another command after it.
Because the ping
command is being terminated and the ls
command is being added on, the ls
command will be run in addition to the empty ping command!
This is the core concept behind command injection. The ls
command could of course be switched with another command (e.g. wget, curl, bash, etc.)
Command injection is a very common means of privelege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.
;ls
$(ls)
`ls\`