Command Injection

Command Injection is an attack that allows an attacker to run system commands to a computer via a vulnerable application (e.g. a website). This happens when the application fails to encode/escape user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the system() command or its equivalent in the programming language of the application.

import os

domain = user_input() # User controlled input (e.g. example.com)

os.system('ping ' + domain)

The above code when used normally will ping the example.com domain.

But what would happen if the user_input() function returned data that was more complicated than just a domain name? For example what if the input contained semicolons?

import os

domain = user_input() # ; ls

os.system('ping ' + domain)

Because of the additional semicolon, the os.system() function is instructed to run two commands.

It looks to the program as:

ping ; ls

Note

The semicolon terminates a command in bash and allows you to put another command after it.

Because the ping command is being terminated and the ls command is being added on, the ls command will be run in addition to the empty ping command!

This is the core concept behind command injection. The ls command could of course be switched with another command (e.g. wget, curl, bash, etc.)

Command injection is a very common means of privelege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.

Example Payloads

  • ;ls

  • $(ls)

  • `ls\`