Let’s say that in a hypothetical world of the Great Asuras you get hold of the ability to execute any command you wish on a web application’s server. Wouldn’t it be fascinating to execute the following?
- `cat /etc/passwd`
- `passwd`
- `rm -rf /`
- Adding a new SSH key on the server
- and so many more endless possibilities. Have suggestions for quirky commands to execute? Connect with us on our Discord channel.
Catch your breath: this world is not hypothetical but a reality, thanks to the Command Injection vulnerability present in many web applications.
A command injection vulnerability is a type of vulnerability in which an attacker maliciously crafts the input provided to the web application so that it carries, as the payload, the command they intend to execute.
Let’s take an example to understand the situation. We have a web application, vulnerable to command injection, that intends to fetch the `/etc/passwd` file from the server hosting it. A malicious user can use the command injection vulnerability to execute the `cat /etc/passwd` command.
In general, Command Injection is a subtype of Code Injection. In Code Injection, any kind of code can be made to execute by the application, whereas in Command Injection only OS commands are executed in the application’s environment.
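The following added example (not code from the original post) shows the pattern just described in Python, using the post’s own scenario of an application that fetches a file with `cat`. The vulnerable function splices user input into a command string handed to a shell, so a value such as `notes.txt; cat /etc/passwd` is parsed by the shell as two commands. The hardened version beside it allowlists the file name, confines the resolved path to a base directory, and passes an argument vector with no shell, so metacharacters can only ever reach `cat` as literal bytes. Names such as `fetch_vulnerable`, `build_argv`, `fetch_hardened`, `demo` and the sample file content are assumptions made for this example; it assumes a POSIX system with `cat` on the PATH.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for file names: letters, digits, dot, dash, underscore only.
# No slashes, spaces or shell metacharacters (; | & $ ` ( ) < > newline).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def fetch_vulnerable(name: str) -> str:
    """The injection point the text describes: user input is concatenated into
    a command string and run through a shell. Shown for contrast only; nothing
    else in this example calls it."""
    completed = subprocess.run(f"cat {name}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def validate_name(name: str) -> str:
    """Accept only a plain file name; anything else raises ValueError.
    '.' and '..' match the regex, so they are rejected explicitly."""
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    return name


def build_argv(base_dir: Path, name: str) -> list:
    """Build an argument vector instead of a command string. Each list element
    is exactly one argv entry, so no shell ever interprets it. The resolved
    path must also stay directly inside base_dir."""
    path = (base_dir / validate_name(name)).resolve()
    if path.parent != base_dir.resolve():
        raise ValueError(f"path escapes base directory: {path}")
    return ["cat", str(path)]


def fetch_hardened(base_dir: Path, name: str) -> str:
    """Run cat without a shell (shell=False is the default for a list argv)."""
    completed = subprocess.run(build_argv(base_dir, name),
                               capture_output=True, text=True, check=True)
    return completed.stdout


def demo() -> dict:
    """Exercise the hardened path against a constructed temporary directory
    and record how each constructed sample input is treated."""
    base = Path(tempfile.mkdtemp())
    (base / "notes.txt").write_text("constructed sample content\n")
    outcome = {"safe": fetch_hardened(base, "notes.txt")}
    # The first sample is the page's own payload shape; the rest cover
    # command substitution, traversal and whitespace.
    for sample in ["notes.txt; cat /etc/passwd", "$(id)", "..",
                   "../notes.txt", "a b"]:
        try:
            build_argv(base, sample)
            outcome[sample] = "accepted"
        except ValueError:
            outcome[sample] = "rejected"
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The design point is that validation alone is a second line of defence; the primary fix is never letting a shell parse user-controlled text, which is what the list-form `argv` guarantees. In real applications the preferred fix is usually to avoid spawning a process at all and read the file with the language’s own file API.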
Note
Sometimes the application’s environment restricts execution of the available OS commands. So the attacker needs to figure out ways to perform the relevant operations using only the set of commands available to the web application. One way to check the available commands is by executing the `compgen -A function -abck` command, or by listing the `/bin`, `/usr/bin`, `/sbin`, `/usr/local/bin`, etc. directories.
There are various methods for triggering a Command Injection vulnerability:
- Arbitrary Command Injection: An application runs a command internally to perform some valid task, but a malicious user can alter that command to execute any arbitrary command on the server.
- Arbitrary File Upload: A file containing a shell can be uploaded to the file server and then used to execute commands.
- Deserialization Attacks: Sometimes the input is provided as a serialized object that is deserialized server-side. A malicious serialized object can make the application execute a command on the server.
- XML External Entity Injection (XXE): An XXE vulnerability arises from a poorly configured XML parser that parses untrusted XML input, similar to a deserialization attack.
In this guide, we will learn about Arbitrary Command Injection and Arbitrary File Upload only; the latter two attacks will be covered in a separate blog post.
First, we will learn about the Arbitrary Command Injection vulnerability in the next section.