Command Injection

What is Command Injection?

Command Injection which is also known as OS Command Injection or Shell Injection is a vulnerability with very high severity arise when untrusted user input is used in the shell. An attacker can exploit the vulnerability to execute malicious commands on hosting the operating system shell.

How does Command Injection work?

When user inputs are used to execute any particular command on the shell, it may be vulnerable to Command Injection if user inputs are un-sanitized or not validated. An attacker can apply arbitrary commands as payload to the user input and it will be executed on the shell.

What attacker can do by exploiting Command Injection?

On successful exploitation, the application server can be compromised which can lead to a DoS attack. An attacker can also access the data, source code and other sensitive information. An attacker can also access other hosts in the internal network of the server on which the application is hosted. 

Example:

Let's take an example of an application which has the feature of deleting a file from the file name and the file name is accepted via user input from the following request

https://www.victimsite.com/deletefile?filename=myfile.txt

consider that the file is being removed by the following code:

$file=$_GET['filename'];
system("rm $file");

This situation is vulnerable to Command Injection. An attacker can apply payload to filename parameter and an attacker can pass arbitrary commands with filename parameter like:

https://www.victimsite.com/deletefile?filename=myfile.txt && cat /etc/passwd > myfile.txt

The above payload will be executed on the shell and myfile.txt will be deleted first and in the next command contents of the passwd file will be saved to myfile.txt again. 

How to prevent Command Injection?

A developer can use a proper validation structure, encoding and escaping to avoid Command Injection. Moreover, whitelisting of accepted commands and allow only whitelisted commands is the best workaround.