Command injection is a type of vulnerability that occurs when an application executes system commands (also known as shell commands) in response to user input without proper validation or sanitization.
This vulnerability allows attackers to inject malicious commands into the input fields of the application, leading to unauthorized execution of arbitrary commands on the underlying operating system.
Here’s how command injection typically works:
The application takes user input, often through form fields, URL parameters, or any other input mechanism.
Instead of providing legitimate input, an attacker injects malicious commands into these input fields. These commands are designed to exploit vulnerabilities in the application.
The application processes the input without proper validation, concatenating it with a system command and executing it.
The injected command is executed with the privileges of the application, potentially allowing attackers to perform a variety of malicious actions, such as:
Code injection and command injection are vulnerabilities that allow attackers to execute arbitrary code on a system. While there are similarities, significant differences set them apart:
Command Injection | Code Injection | |
Definition | Command injection involves injecting and executing arbitrary system commands through vulnerable input fields in an application. | Code injection involves injecting and executing arbitrary code within the context of a programming language or application runtime environment. |
Execution | Command injection typically occurs within the context of shell commands. These commands are executed by the operating system’s shell (e.g., bash, PowerShell) and can perform various system-level operations. | Code injection can occur in various runtime environments, including interpreted languages (e.g., PHP, Python), compiled languages (e.g., Java, C++), and web frameworks (e.g., ASP.NET, Ruby on Rails). |
Examples; | Injecting commands into a web application’s parameter that is then passed to a shell command without proper validation. Exploiting a system command executed by a server-side script that dynamically constructs shell commands using user-supplied input. | Injecting PHP code into a vulnerable web application to execute server-side scripting commands. Exploiting a deserialization vulnerability in a Java application to execute arbitrary Java code. |
Impacts | Command Injection can lead to data breaches, server compromise, or other forms of system manipulation. | Code Injection can result in various consequences, such as data manipulation, privilege escalation, remote code execution, or complete system compromise. |
Command injection vulnerabilities can arise from various weaknesses in web applications. Here are some common vulnerabilities that can lead to command injection:
Improper Input Validation
Untrusted Data in System Commands
Shell Metacharacters and Command Separators
Insufficient Access Controls
Dynamic Construction of Command Strings
Unsafe File Operations
Insecure APIs or Interfaces
Deserialization Vulnerabilities
XXE (XML External Entity)
In result-based command injection, the output of the executed command is visible in the response of the application.
Attackers can directly observe the results of the injected command, determining whether the execution was successful or not.
Example:
Scenario: An application executes a shell command containing user-supplied product and store IDs and returns the raw output from the command in its response.
Vulnerable Parameter: The user-supplied product and store IDs.
Example Command: `whoami`
The command `whoami` displays the name of the current user. If the output of this command is reflected in the application’s response, it indicates a result-based command injection vulnerability.
In blind command injection, the output of the executed command is not directly visible in the application’s response.
Attackers cannot directly observe the results of the injected command but may infer success or failure through various techniques.
There are two types of blind command injection:
This technique relies on time delays to indirectly determine the success or failure of the injected command.
Attackers inject commands that cause noticeable delays in the application’s response time, allowing them to infer execution success.
Example
Scenario: The application executes a shell command containing user-supplied details, but the output from the command is not returned in the response.
Vulnerable Parameter: Email address
Example Command: `ping -c 10 127.0.0.1`
The `ping` command with a specified count causes a delay in the application’s response. By observing the delay, attackers can infer whether the injected command was executed successfully.
Image 1: The screenshot displays a standard request and response
Image 2: The screenshot shows exploitation of vulnerable email parameter through blind command injection
This technique is used when attackers cannot directly view the results of the injected command, but they can write it to a file accessible by them.
Output redirection is often used to capture the output from the command into a file.
Example:
The online image gallery application allows users to view details of images by providing the image’s filename as a parameter.
The application runs a system command to fetch image details, but it doesn’t display the output from the command in the response.
The email address parameter is identified as vulnerable to command injection.
A writable folder, /var/www/images/, is available for storing files.
The attacker injects a command into the email address parameter to write sensitive data to a file accessible by them.
For example, the attacker injects the command ls > /var/www/images/output.txt, which redirects the output of the ls command (list files) to a file named output.txt in the writable folder.
They replace the original value of the filename parameter with the one containing the output of the injected command, i.e., output.txt.
This allows the attacker to store sensitive data, such as directory listings, in a location accessible to them.
The attacker can then access the output.txt file through the web application and retrieve the data, potentially revealing sensitive information or aiding further exploitation.
Detecting command injection vulnerabilities involves thorough testing and analysis of the application’s input validation mechanisms, as well as examining how user-supplied data is handled and processed by the application.
Here are some methods and techniques to detect command injection vulnerabilities:
Manual Code Review
Static Analysis Tools
Dynamic Analysis
Input Validation Testing
Web Application Scanners
Third-Party Services
Commix is a command injection exploitation tool designed to assist web developers, penetration testers, and security researchers in identifying vulnerabilities in web applications.
Written in Python, it supports Linux, Mac OS X, and Windows platforms (experimental). Commix is open-source and available as a plugin on penetration testing frameworks like PTF and PentestBox.
Exploiting Command Injection via Commix :
Image 1: Here the IP field is vulnerable to command injection.
Image 2: python commix.py –url=”http://192.168.32.130/vulnerabilities/exec/” –cookie=”PHPSESSID=63pq1tou816hc3tncbkhhpdj40; >
Image 3: As observed, commix gives us all the details from the hostname till the user privileges
Input Validation and Sanitization
Parameterized Queries and Prepared Statements
Safe APIs and Libraries
Least Privilege Principle
Enable OS-level Protections
Content Security Policy (CSP)
AppTrana WAAP is a powerful solution designed to prevent command injection attacks and protect web applications from various cyber threats.
By effectively monitoring and filtering HTTP traffic, the platform identifies, and blocks known attack patterns, including command injection payloads.
Leveraging both core and custom rules ensures that requests containing suspicious or malicious input are either blocked or sanitized.
The core rules provide immediate protection against common attack vectors, while the custom-built rules are meticulously crafted to address specific threats relevant to the application. The platform stays ahead of emerging security risks, offering comprehensive visibility and zero false positives.
This post was last modified on March 26, 2024 11:47
File inclusion refers to including external files within a web application. These files can be… Read More
The Open Systems Interconnection (OSI) model is a conceptual framework for understanding and standardizing how… Read More
What is Gray Box Pen Testing? Gray box penetration testing is an application security testing… Read More