Command injection is an attack that lets an attacker run operating-system commands on a computer through a vulnerable application (e.g. a website). It happens when the application passes user input into a system shell without validating or escaping it, so the input is interpreted as part of the command rather than as data. It is very common to see this vulnerability when a developer uses the system() function, or its equivalent in the application's programming language, to build a command by string concatenation:
```python
import os

domain = user_input()  # User controlled input (e.g. example.com)
os.system('ping ' + domain)
```
When used as intended, the code above pings the domain the user supplied (e.g. example.com). But what happens if the user_input() function returns something more complicated than a bare domain name, for example input that contains a semicolon?
```python
import os

domain = user_input()  # User controlled input: "; ls"
os.system('ping ' + domain)
```
Because of the additional semicolon, the os.system() function hands the shell two commands instead of one. The string the shell receives is:

ping ; ls

In bash (and any POSIX shell) a semicolon terminates one command and lets another follow it on the same line. The ping command is terminated (with no arguments, so it only prints its usage and exits) and the ls command is appended, so ls runs in addition to the empty ping. This is the core concept behind command injection: input that was supposed to be data is interpreted as a command. The ls command could of course be swapped for any other command (e.g. wget, curl, bash, etc.), and the semicolon is only one of several shell metacharacters that chain commands; &&, ||, |, a newline, and $(...) or backtick substitution all work the same way against this code.
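The following is an added example, not code from the original page, showing the vulnerable string-concatenation pattern next to two fixes (quoting the input with shlex.quote when a shell is unavoidable, and the preferred fix of passing an argv list with no shell at all) plus an allow-list check on the hostname. So that it runs offline, it installs a constructed stub named ping on the PATH that only prints each argument it receives; the stub, the HOSTNAME_RE allow-list and all function names are assumptions of this example, not part of the page.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Hostname allow-list used by the hardened version (an assumption for this
# example: RFC 1123-style labels of letters, digits and hyphens joined by dots).
HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def make_fake_ping_dir() -> str:
    """Create a directory holding a stand-in `ping` (a constructed stub) that only
    prints each argument it receives, so the example runs offline and shows
    exactly how the shell split the command line."""
    d = tempfile.mkdtemp(prefix="fakeping-")
    path = os.path.join(d, "ping")
    with open(path, "w") as f:
        f.write('#!/bin/sh\nfor a in "$@"; do printf "ping-arg: %s\\n" "$a"; done\n')
    os.chmod(path, 0o755)
    return d


def ping_env(fake_dir: str) -> dict:
    """Environment whose PATH finds the stub ping before the real one."""
    env = dict(os.environ)
    env["PATH"] = fake_dir + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    return env


def run_vulnerable(domain: str, env: dict) -> str:
    """Same behaviour as the page's os.system('ping ' + domain): the concatenated
    string is handed to /bin/sh, so metacharacters in `domain` are interpreted."""
    proc = subprocess.run("ping " + domain, shell=True,
                          capture_output=True, text=True, env=env)
    return proc.stdout


def run_quoted(domain: str, env: dict) -> str:
    """If a shell is unavoidable, shlex.quote() wraps the input in single quotes
    so the shell treats it as one literal word."""
    proc = subprocess.run("ping " + shlex.quote(domain), shell=True,
                          capture_output=True, text=True, env=env)
    return proc.stdout


def run_no_shell(domain: str, env: dict) -> str:
    """Preferred fix: pass an argv list and no shell. The domain becomes a single
    argument to ping no matter what characters it contains."""
    proc = subprocess.run(["ping", domain], capture_output=True, text=True, env=env)
    return proc.stdout


def validate_hostname(domain: str) -> bool:
    """Allow-list check: accept only input that looks like a hostname."""
    return len(domain) <= 253 and HOSTNAME_RE.fullmatch(domain) is not None


def run_hardened(domain: str, env: dict) -> str:
    """Defence in depth: validate the input, and still avoid the shell."""
    if not validate_hostname(domain):
        raise ValueError(f"rejected input: {domain!r}")
    return run_no_shell(domain, env)


if __name__ == "__main__":
    env = ping_env(make_fake_ping_dir())
    payload = "example.com; echo INJECTED"
    print("vulnerable:\n" + run_vulnerable(payload, env))
    print("quoted:\n" + run_quoted(payload, env))
    print("no shell:\n" + run_no_shell(payload, env))
    try:
        run_hardened(payload, env)
    except ValueError as e:
        print("hardened:", e)
```

With the payload example.com; echo INJECTED the vulnerable call runs the stub ping with one argument and then echo as a second command, while both fixes deliver the whole payload to ping as a single harmless argument. The argv-list form is the one to reach for first: it removes the shell from the path entirely, whereas quoting only works as long as every concatenated piece is quoted and the shell being used honours the quoting rules shlex assumes. The allow-list check is a second layer, not a substitute, because a blocklist of metacharacters is easy to get wrong.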
Command injection is a very common way to gain code execution, and from there escalate privileges, in web applications and other applications that interface with system commands. Many home routers take user input (for example a hostname typed into a diagnostic ping or traceroute page) and append it directly to a system command; for this reason many home router models have been vulnerable to command injection.