Loopus



Command Injection

Lab, 25 min, +60 XP

Learning Objectives

  • Understand command injection vulnerabilities
  • Learn to identify injection points in applications
  • Master blind command injection techniques

Command Injection

Command injection occurs when applications pass unsanitized user input to system shell commands. This vulnerability grants attackers the ability to execute arbitrary commands on the server, potentially leading to complete system compromise.

How Command Injection Works

Applications sometimes need to interact with the operating system for running commands, processing files, or managing services. When user input becomes part of these commands without proper sanitization, injection becomes possible.

Command Separators

Different operating systems support various command separators:

Unix/Linux:

  • Semicolon (;) separates commands; both run in sequence
  • Pipe (|) passes the output of the first command to the second
  • Double pipe (||) runs the second command only if the first fails
  • Ampersand (&) runs the first command in the background and continues with the second
  • Double ampersand (&&) runs the second command only if the first succeeds

Windows:

  • Ampersand (&) separates commands
  • Pipe (|) chains output into the next command
  • Double operators (&& and ||) work similarly to Unix


Basic Exploitation

Testing for command injection involves appending a command separator followed by a harmless test command such as whoami or id, then checking whether that command's output appears in the response. When no output is returned, response timing with sleep commands helps detect blind injection.

Blind Command Injection

When command output is not reflected in the response, detection relies on side channels instead: time-based detection, where a sleep or ping command delays the response by a measurable amount, and out-of-band detection, where the injected command triggers a DNS lookup or HTTP callback to a host the tester controls.

Prevention

Secure applications avoid shell commands entirely when possible. When a system operation is unavoidable, use a language-native library instead of a shell command, validate input strictly against a whitelist of expected values, and call parameterized process APIs that pass arguments as a vector rather than handing a command string to a shell.
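The contrast between the vulnerable pattern and the hardened one, as an added example that is not part of the original lesson: a hypothetical ping-lookup endpoint that takes a hostname from the user. The string-building variant is returned rather than executed so its effect can be inspected; the hardened variant combines whitelist validation with an argument vector and `shell=False`.

```python
import re
import subprocess

# Whitelist for the hypothetical lookup endpoint: hostname or IPv4 characters only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Separators from the table above, used here only to explain the risk.
SHELL_SEPARATORS = (";", "|", "&", "`", "$(", "\n")


def vulnerable_command(host: str) -> str:
    """The pattern the lesson warns about: user input pasted into a shell string.
    Returned, not executed, so the reader can see what a shell would parse."""
    return f"ping -c 1 {host}"


def contains_separator(value: str) -> bool:
    """True when the value carries a character a shell would treat as a separator."""
    return any(sep in value for sep in SHELL_SEPARATORS)


def validate_host(host: str) -> str:
    """Whitelist validation: reject anything outside hostname/IPv4 characters."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_argv(host: str) -> list:
    """Build an argument vector. No shell parses it, so a separator inside
    `host` could only ever be an inert part of one argument (and the
    whitelist rejects it before that point anyway)."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Hardened call: argument list, shell=False, bounded runtime."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True,
                          shell=False, timeout=10)


if __name__ == "__main__":
    attempt = "127.0.0.1; id"  # constructed sample input
    print("string passed to a shell:", vulnerable_command(attempt))
    print("separator present:", contains_separator(attempt))
    try:
        run_ping(attempt)
    except ValueError as err:
        print("hardened endpoint:", err)
```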

Answer the Questions

Question 1 (Knowledge)

Running OS instructions via app input is?

Format: *********(9 chars), exact match required

Question 2 (Hands-On)

What Linux command prints the user ID?

Format: **(2 chars), exact match required

Question 3 (Knowledge)

What character pipes output between commands?

Format: |, exact match required

Question 4 (Hands-On)

What network tool creates reverse shells?

Format: **(2 chars), exact match required
